Todd Shryock, contributing author
Fend off hackers with a thorough cyberdefense plan
Jeff Kagan, MD, found out that hackers don’t discriminate when it comes to a practice’s size.
Kagan’s two-physician practice in Newington, Conn., was alerted to something strange on one of his office computers and immediately shut down the system. The quick action stopped the malware from harming his computers and the data for his practice was safe, but the close call changed his attitude about cybersecurity.
“I thought all the talk about cybersecurity was all a joke and a waste of time and didn’t think I had to worry about it,” says Kagan, an internist, who is a member of the Medical Economics Editorial Advisory Board. “I got knocked into reality. It took me from, ‘It will never happen to me,’ to, ‘I’m a believer.’”
While large, high-profile health systems and hospitals have suffered well-publicized hacks of patient data in recent years, smaller practices had less to worry about until last year, when the threat shifted dramatically, says Mac McMillan, CEO of CynergisTek, a Mission Viejo, Calif.-based healthcare cybersecurity consulting firm. “What changed for the small practice was the ransomware threat,” he says. “Before, when a person was behind it directing the attack, they were typically going after bigger targets with bigger payouts. When these attacks shifted to more automated threats through botnets and malware, anyone connected to the internet became a potential target.”
Ransomware attacks (when a hacker takes control of a server and locks out the owner) are now targeting small practices with ransoms of $5,000 and $10,000, and several successful hacks against smaller offices yield the same amount of patient data as an attack on a larger health system, but take less effort, experts say.
Smaller practices must take the cyber threat seriously, says Robert Tennant, MA, director, health information technology for the Medical Group Management Association. “Don’t think because you are a small practice you are immune to attack,” he says. “You have to run on the assumption that an attack is not an ‘if’ but a ‘when.’”
Kevin Johnson, CEO of SecureIdeas, a Jacksonville, Fla.-based cybersecurity consulting firm, says he knows of 20 smaller practices recently hit with ransomware attacks and that the threat is increasing. “Hackers know smaller offices have [their own] data and access to more data through a cloud-based EHR,” he says. “They may attack the physician’s office to try to get to the bigger source, and they know a smaller office will not have the same security controls a larger hospital will have.”
Understanding the risks
When it comes to protecting patient data, the only standards for practices are set forth in the HIPAA security rule and the security assessment it requires. Each practice must develop its own plan on how to comply with the law’s requirements and secure patient data, experts say.
To mitigate their cybersecurity risks, physicians need to understand why their practices are vulnerable. McMillan says there are four main areas where smaller practices lag behind:
Lack of data backup
“A lot of small organizations don’t back up their data as often as they should or as completely as they should,” says McMillan. “They get hit, need to recover their system, and all of a sudden realize they don’t have everything backed up and now their information is lost.”
How practices are being targeted
The stereotype of a hacker might be a young adult sitting in front of a bank of computer screens manipulating code to gain access to a practice’s system, but the reality is often much simpler: a doctor or member of the staff opens an email attachment that launches malware that gives the intruder electronic access.
Johnson says these phishing attacks are getting more sophisticated and believable: doctors probably won’t fall for the well-known prince from Nigeria who needs a cash advance, but they might fall for an official-looking email regarding their EHR.
“One of the big ones is going after doctors with a story of urgency, that there is a problem with their EHR or it has a vulnerability and they need to click on the link to fix the problem,” says Johnson. “Staff members fall for the ruse, not because they are stupid, but because they are trying to do the right thing and fix something they need for their job.” Staff members are often targeted directly, because hackers know they will often not want to bother the physician and will try to solve the problem themselves.
Another type of attack that’s on the rise is social engineering, Johnson says. This type of attack uses specific information gathered about the practice from its website or from an insurance provider to try to trick the practice staff. For example, an attacker could obtain physician names from the website and find out they work with a particular payer from the insurance company’s online doctor finder.
Using this information, they can craft a more detailed ruse that might take the form of an email that appears to be from the head physician telling the office manager to transfer money for a legitimate-sounding insurance reason, or may appear to be from the insurance company to get someone to click on a link to download malware.
“This is cybercriminal activity that is paying well, and hackers are doing more of it and being more creative,” says McMillan. “If you break-and-enter houses to steal things, you have a good chance over time of getting caught. But you can break into houses all day long through a computer and have a much slimmer chance of being caught, and what you end up with is more people engaging in cybercrime than ever before.”
Protecting a practice
Tennant says a good place to start on a cybersecurity plan is by conducting the security risk assessment that’s required by HIPAA and the advancing care information portion of the Merit-based Incentive Payment System. “This will help you identify particular problems,” says Tennant, adding practices can then make a list of priorities to tackle as money allows.
“The two most important words in practice management are ‘What if?’” Tennant says. “What if the server is hacked and you could no longer access patient information? What if you had to tell your patients you lost all their records? You have to run on the assumption that something bad is going to happen and prepare for it.”
Stopping the majority of these attacks takes a combination of basic computer maintenance and a commitment to education and awareness, experts say.
Most smaller practices already work with an IT support company, and experts say the first step is making sure this vendor understands security and is keeping computers patched and updated against the latest threats. This includes making sure all data are backed up and that practice computers are protected by anti-virus software.
“Windows Defender for Microsoft computers is free,” says Johnson. “You don’t need to go spend thousands of dollars on anti-virus software.”
John Kulin, DO, an emergency medicine physician who oversees four urgent care centers in the Philadelphia area and had a close call similar to Kagan’s, spent about $56,000 on hardware and software security across his four sites last year. And while security has become a major line item, he says it can’t be ignored. “The cost of a breach is too much,” Kulin says. “Could any of us stand up against a major data breach and the loss of trust that goes with it? The cost of rebuilding that might sink the practice.”
To reduce his risks, Kulin keeps all his computers isolated from the internet so there is no remote access allowed into the system. “It’s inconvenient, but it helps prevent intrusions from coming through,” he says.
Kulin and others agree that education and training are among the most effective tools in the fight against hackers. “We have a lot of internal communication ranging from emails we send out about awareness of threats to annual training sessions,” he says. “No one thing gets through to every employee, but you have to maintain a constant vigilance.”
Johnson says staff members need to understand that the office is a target and that there are risks to clicking on links. Training can reduce that risk, and it doesn’t have to be expensive. “There are plenty of services out there that provide what you need,” he says. Video training sessions from security consultants cost as little as $5 per user per year, and the FBI offers some videos for free. “You’ll always find someone can make a mistake, but by educating everyone, the likelihood of a successful attack goes way down,” he adds.
And while cybersecurity has costs, it’s essential. McMillan points out that a small practice might get hit with ransomware demanding $10,000 to release its data, and that a physician might think that paying the money is cheaper than trying to rebuild the practice’s database. While 70 percent of organizations that get hit with ransomware pay it, only 50 percent of those that pay actually get their data back.
“The moral of the story is, don’t count on paying the ransom and getting your information back,” says McMillan. “Make sure you back your data up and put it in a safe place so that if you get hit with a ransom attack, you can restore your data.”
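A backup that exists but has never been checked is exactly the failure McMillan describes: the practice discovers what was missing only while trying to recover. The Python script below is an added example, not code from the article or from any of the firms quoted in it. It assumes a nightly backup schedule and a small hash manifest kept with the offline copy, and answers the three questions a recovery depends on: is the latest backup recent, does it cover every system the practice relies on, and has any file in the backup copy been altered since it was written. The sample files, paths and timestamp are constructed so the script runs offline.

```python
"""Check that a backup set is recent, complete and intact before an incident forces the question."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumption (not from the article): the practice expects a nightly backup.
MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path, created: float) -> dict:
    """Record when the backup was taken and the hash of every file it contains.
    The manifest is stored outside the backup tree, alongside the offline copy."""
    manifest = {
        "created": created,
        "files": {
            str(p.relative_to(backup_dir)): sha256_file(p)
            for p in sorted(backup_dir.rglob("*"))
            if p.is_file()
        },
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path, expected_files, now: float) -> dict:
    """Return a report with three verdicts (recent, complete, intact) and the problems found."""
    manifest = json.loads(manifest_path.read_text())
    problems = []

    age = now - manifest["created"]
    if age > MAX_BACKUP_AGE_SECONDS:
        problems.append(f"backup is {age / 3600:.0f} hours old")

    # Completeness: every system the practice relies on must appear in the manifest.
    missing = sorted(set(expected_files) - set(manifest["files"]))
    problems.extend(f"never backed up: {name}" for name in missing)

    # Integrity: each file must still exist and hash to the value recorded at backup time.
    # A mismatch is what an encrypted or overwritten backup copy looks like.
    altered = []
    for rel_path, recorded in manifest["files"].items():
        copy = backup_dir / rel_path
        if not copy.is_file():
            altered.append(rel_path)
            problems.append(f"absent from backup copy: {rel_path}")
        elif sha256_file(copy) != recorded:
            altered.append(rel_path)
            problems.append(f"hash mismatch: {rel_path}")

    return {
        "recent": age <= MAX_BACKUP_AGE_SECONDS,
        "complete": not missing,
        "intact": not altered,
        "problems": problems,
    }


def demo() -> dict:
    """Constructed scenario: reports for a clean backup, a damaged one and a stale one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "practice_data"
        live.mkdir()
        (live / "patients.db").write_bytes(b"constructed sample database contents")
        (live / "schedule.csv").write_text("2018-03-01,09:00,constructed sample row\n")

        backup = root / "backup"
        shutil.copytree(live, backup)
        manifest_path = root / "manifest.json"
        taken_at = 1_520_000_000.0  # constructed timestamp of the backup run
        write_manifest(backup, manifest_path, created=taken_at)

        clean = verify_backup(backup, manifest_path, ["patients.db", "schedule.csv"], now=taken_at + 3600)

        # billing.db is something the practice uses but never added to the backup job.
        expected = ["patients.db", "schedule.csv", "billing.db"]
        # Simulate the backup copy itself being overwritten in place.
        (backup / "patients.db").write_bytes(b"garbage written over the backup copy")
        damaged = verify_backup(backup, manifest_path, expected, now=taken_at + 3600)

        # The same manifest checked three days later also fails the recency test.
        stale = verify_backup(backup, manifest_path, expected, now=taken_at + 3 * 24 * 3600)

    return {"clean": clean, "damaged": damaged, "stale": stale}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run on a schedule against the offline copy rather than the live server, so a ransomware event that reaches the primary backup cannot also rewrite the manifest it is checked against; the "complete" verdict is only as good as the list of expected systems, which should be reviewed whenever a new application or vendor is added.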
Creating a response plan
No matter how vigilant a practice is with cybersecurity, there is always the chance that a hacker gets through and compromises its computer system. Mac McMillan, CEO of CynergisTek, a healthcare security consulting firm, says that it’s important for practices to have a response plan to minimize the damage. “A response plan should be kept simple so that anyone can execute it, and it is simply a list of steps to take when something goes wrong,” says McMillan.
A practice should start by finding out who at its IT vendor should be contacted in the event of a breach and what support can be expected. Numbers for local law enforcement and the FBI should also be included in the plan for quick reference.
“The checklist should include critical equipment and applications and who the vendor contact is that can provide support,” says McMillan. “It should also identify where the data backups are.”
Someone should be designated as a point person for all communications about the breach, and it should be clear which systems or equipment should be brought back online first.
What a business partner’s breach could mean to your practice
By Hoala Greevy
When a security breach occurs, reporting it is essential. But what happens when that breach occurs within your business partner’s system rather than your own?
In March 2016, Allscripts Healthcare Solutions and the 2,700 hospitals that use its products were shut down by SamSam ransomware, according to media reports. In January 2018, the company’s partners proposed a class-action lawsuit against Allscripts for failing to monitor and audit its systems. The company’s failure exposed all of its partners’ patients’ data to the ransomware, according to the suit.
To be clear, not every attempted attack against a system needs to be reported. According to the Cisco “2017 Annual Cybersecurity Report,” such attacks will continue growing by approximately 350 percent each year. Given the sheer volume of attacks on healthcare systems, reporting every single attempt would be unmanageable.
However, every successful breach constitutes a HIPAA violation, which covered entities must document and report every time. Therefore, keeping an eye on business partners that might be compromised is also vital. It’s the only way to avoid being blindsided by an attack that threatens your organization through one of your partners’ systems.
Before, During, and After a Partner’s Breach
Knowing about a business partner’s data breach early is vital to responding to it. If a business partner’s breach affects your practice or makes the Department of Health and Human Services’ “Wall of Shame,” you should be notified automatically.
To be absolutely sure, you should also review the HHS breach portal (bit.ly/OCR_breach_portal) at least once a month as a precaution. To receive notifications about attacks that are trending or particularly dangerous, you can join email lists for the National Institute of Standards and Technology, HHS, and the FBI. You can cast your net further by setting up Google Alerts for keywords such as “breach + [your city].”
Knowing is only half the battle, though. To protect yourself against a business partner’s breach (or the potential for one), follow these steps before, during, and after a cyberattack:
Prioritize business agreements right away
Emphasizing business associate agreements (BAAs) as integral to your partnership isn’t just about breaches; it’s about adhering to HIPAA standards in general. For Illinois’ Center for Children’s Digestive Health (CCDH), not having one turned out to be a $31,000 mistake. After a review by the HHS Office for Civil Rights in 2015, CCDH was fined that amount for potentially violating HIPAA rules when it couldn’t produce a BAA for its 12-year partnership with FileFax.
To avoid the same mistake, begin every partnership with every vendor with an official BAA. The agreement will lay out your and the vendor’s reporting rules and obligations in case of a breach on either side. If you don’t have a BAA with a vendor that handles protected health information (PHI), have one signed immediately or find another vendor that’s willing to sign one.
Join forces with vendors during the attack
If more proactive, collaborative policies were in place in 2017, the infamous WannaCry attack might not have been able to sweep across more than 150 countries. The exploit that WannaCry used, called EternalBlue, allowed one remote computer to shut down an entire company and spread the attack through files shared with that organization’s business partners. But that exploit was patched before the attack even occurred.
The problem was that countless organizations were using older systems that couldn’t be automatically updated. However, by closely collaborating with vendors and affected entities, many organizations were able to recover and implement better security measures quickly. For instance, Windows rolled out a free patch for older systems, and IT vendors helped clients revamp their data systems to address the new (and evolving) threat as soon as possible.
Immediately report breaches that affect you
Whether a partner’s breach affects your organization or vice versa, you must report the breach as soon as possible. Even if you aren’t sure whether you’re in breach of HIPAA, your organization must report any PHI that was involved and the extent of the breach. If more than 500 people were affected, you only have 10 days to provide thorough details to HHS.
If you’ve been compromised, consult with your compliance officer or HHS for detailed instructions on what to report and how. Your existing BAAs will guide your organization in reporting to all associates, and collaborating with vendors will help everyone involved resolve the security breach as soon as possible.
Cyberattacks are too successful for hackers to give up any time soon, and healthcare will always be a prime target for information thieves. Comprehensive security standards and close collaboration with business partners can be a formidable barrier, but the most essential protective measures against ransomware and other data breaches are immediate notification and action.
Hoala Greevy is the founder and CEO of Paubox, a provider of HIPAA-compliant email services.