The cyberwar against health care practices

March 5, 2021
Todd Shryock

Todd Shryock, contributing author

Medical Economics Journal, Medical Economics March 2021, Volume 98, Issue 3

How hackers plan to attack your practice — and what you can do about it

While physicians worked to keep their practices financially afloat and dealt with COVID-19, hackers kept busy, too. From January through October of last year, there were 730 publicly disclosed security breaches with more than 22 billion records exposed, according to the cybersecurity firm Tenable. Health care made up 25% of those breaches with nearly 8 million records exposed. Ransomware was by far the most popular attack method in 2020, making up 46% of the breaches.

“The success that cybercriminals had in 2020 extorting sizable payouts from medical practices of all sizes ensures that ransomware will indeed remain the top cybersecurity threat in 2021,” says Dave Martin, senior director, product management, threat response, at cybersecurity firm Open Systems. “Ransoms like the $670,000 paid by University Hospital (in) New Jersey last September only encourage further attacks. And while larger institutions can clearly pay bigger ransoms, cybercriminals do not overlook smaller practices, which can be tempting targets of opportunity — particularly those with lax security.”

With health care workers focused on the pandemic response, experts say hackers are taking advantage and ramping up their attacks, meaning it is vital that practices of all sizes be more vigilant than ever about cybersecurity.

Ransomware — malware that encrypts a practice’s data and demands a fee to unlock the encryption — is entering a new phase that makes a security breach even more costly, says Gary Salman, CEO of Black Talon Security, a cyber defense firm.

“Now doctors are seeing two ransom notes,” says Salman. “The first ransom note says, ‘I’ve locked all your data; if you want (them) back, pay me $50,000.’ The second note says, ‘And by the way, maybe you have a good backup, but guess what. I have all your data and if you don’t pay me an additional $50,000, I’m going to publish all your data.’ ”

Salman says sites on the dark web are run by these threat groups, and data from doctors’ offices show patient information, including photographs, health history forms and other private details.

Many of these hacker groups operate as businesses and can be very sophisticated, says Matt Ferrante, market leader, cyber and information security services, for Withum. “They sometimes know exactly what your cyber insurance policy is, and they know what’s going to potentially be covered under the policy,” says Ferrante. “And if they don’t know, they’ve often already done the intelligence on your business and they know what it’s worth.”

What to do if hit with ransomware

If a practice experiences a ransomware attack, Matt Reid, senior health IT consultant with the American Medical Association, says there are two actions to take immediately: Contact the FBI and the practice’s IT vendor. “Federal agencies have resources that can support medical practices during a ransomware attack — and that’s clearly an important component — but also work with your health IT vendor or internal IT support staff to try to partition off the segment of the network that has ransomware as fast as possible,” says Reid.

Martin says that all compromised devices, including desktop PCs, laptops and smartphones, should be disconnected from the network by unplugging ethernet cables, disabling Wi-Fi networks and switching to airplane mode.

If a practice has cyber insurance, Ferrante recommends contacting the provider and ensuring all requirements are met. This may involve an assessment of the attack. “If it’s not independently assessed, it may not be covered under the cyber insurance policy,” he says.

Although some experts advise never paying a ransom to regain access to data because doing so just encourages more attacks, that is often more idealistic than practical.

“What we find in almost 100% of the cases is that the doctor has to pay because the threat actors are very sophisticated nowadays, and they will find all the backups,” says Salman. “And many of these doctors have their data being backed up into the cloud, and with a majority of the attacks that we’re dealing with right now, the hackers have figured out how to get into the doctor’s cloud backup and destroyed them.”

Physicians often have a false sense of security when it comes to cloud storage. “We see that a lot of people are either in the cloud, or they’re moving to the cloud,” says Ferrante. “Cloud simply means somebody else’s computer. Just because Amazon and Microsoft are secure doesn’t automatically translate to you being secure or your organization being secure. It has to be secured appropriately within those environments.”

During a ransomware attack hackers will also encrypt the server and all workstations, so when the doctors attempt to recover their data from their backups, the data are not there. “So as a practitioner, you’re basically put into a situation where you have no choice; you have to pay the ransom, because under the HIPAA (Health Insurance Portability and Accountability Act of 1996) laws, the patients’ data (have) to be available,” says Salman.

In most cases, paying the ransom results in the data being released because if the hackers don’t turn over the data, victims won’t pay any more. The more sophisticated players have customer support lines and will offer to fix any data corrupted from their software, Salman says. “They literally have testimonials on their website encouraging you to pay because these people were victims, and they got their data back, so you should pay me too because you’ll get your data back,” he adds.

Following a breach, practices will often go on a cybersecurity shopping spree, buying all kinds of software to prevent it from happening again, but Ferrante says that’s usually not effective. “It has to be applied the right way, and you really need the expertise to make sure that it’s scalable and set up correctly. Otherwise, it’s not going to function properly.”

New threats to defend against

Ransomware may constitute the biggest threat to most practices, but it is far from the only one. As regulators require more patient access to data, payers interchange more data with providers, and services like telehealth grow in popularity, increases in the number of connected devices will make practices more vulnerable to hackers.

Experts say that the pandemic has created many new threats to a practice because people are working from home. Hackers may use COVID-19 information as the lure for office staffers to click on links that install malware. Emails are made to look like they are from health departments offering the latest on vaccine distribution or other vital information. In other cases, hackers exploit a weak point of the worker’s computer.

An employee’s home computer might be connected to a secure virtual private network, but if it isn’t being monitored, patched and protected with antivirus software, it could put the main network at risk, says Salman. “The network considers that remote computer part of the main network, and information flows freely back and forth,” he says. “Let’s just say your practice manager is working from home and she’s on the same network as her kids’ computers and one of her kids downloads a malicious game. Now that spreads from the child’s computer to the practice manager’s and then from there into the network at the office.”

Reid says cyber hygiene practices used at the office should be replicated for home workers as much as possible, and physicians should not overlook devices like smartphones and tablets as possible entry points. Multifactor authentication — where a user gets a code via text to input along with a password — should be used whenever possible. “Also, using a home network that is not secure, where the password is easily guessed, or you don’t have a password at all, could be potentially problematic,” he adds.

Boost your cyber protection

Hackers are opportunists and will often target the practice or facility with the lowest level of security.

“I can spend a couple hours trying to hit this small health care provider, or I could spend weeks or months trying to get into the hospital,” says Salman of hacker mindsets. “And in the end, if I hit a whole bunch of smaller practices, I’ll probably walk away with more money. If you take down a big hospital system, you’re going to have every government agency coming after you, but if you take out some smaller businesses, you might fly under the radar if you’re a criminal.”

He says another issue is that practices often put too much faith in their IT vendor, who may not have a depth of security expertise. Physicians are told their practice is protected and assume that’s true.

In one case, an IT vendor’s system was hacked and then was used to attack every health care practice on its customer list because it had access to every network. All the practices had to pay the ransom to get their data back, and the hackers walked away with $1 million.

“What medical practices should be doing is asking their IT companies who’s protecting them,” says Salman. “If hackers break into the IT company and attack the practice, there’s probably nothing that practice can do to defend themselves against that. Ask them if they are being independently audited on a monthly basis by a dedicated cybersecurity firm. If the answer is no, they need to understand why.”

IT vendors also have many employees working from home, and practices need to know how they are being protected, as well. “These are the people who have credentials to your environment,” says Ferrante. If their security is lax, hackers can gain access to a physician’s network by breaching an IT worker’s home computer.

Ferrante adds that a cybersecurity expert should conduct a full assessment of a practice’s vulnerabilities, particularly because of the number of devices utilizing the network during COVID-19.

For practices working with local hospital systems, Reid recommends checking with them about receiving donated cybersecurity services. Thanks to changes in the Stark Laws, hospitals and health systems can now legally offer expertise and assistance to medical practices to help protect patient data.

As practices start to transition back to the office, Reid says, it is important to remember to change network access. To support home workers, extra access may have been granted to IT vendors, electronic health record providers, consultants or support staff who no longer need it. Also, office computers that have sat dormant for months need to be checked to make sure they have been patched with the most current operating system and security updates.

One of the best things a practice can do is budget for cybersecurity, says Salman. “This isn’t 2017, when the risks were a lot lower than they are now,” he says. “They have to implement cybersecurity solutions from a specialty company, not just their IT vendor.”

Preventing a breach in the first place with proper security is far cheaper than dealing with the business disruption and ransom payment, he adds.

Practices also shouldn’t rely solely on cyber insurance. Ferrante says that after a major data breach, a policy may not provide enough money to cover all the expenses and can’t do anything to repair the practice’s reputation.

But above all, a practice always should make sure it has the basics in place, such as antivirus software and firewalls.

“There are a lot of simple things that can be done to improve your protection, minimize the severity of an attack and ensure a speedy recovery,” says Martin. “First off, you need to routinely back up your files to a device that is not connected to the network. This is important because the latest ransomware tools, such as Ryuk, actively seek and delete backups on devices attached to the network. These secure backups will be key to your restoration efforts.”

Avoiding common password mistakes is another way to dramatically improve your practice’s security posture. They should be at least eight characters long and consist of a mix of letters, numbers and symbols, be changed regularly and not reused. Also, be sure to change any default passwords on any devices, says Martin.

“Lastly, be sure to continually remind yourself and your employees to never click on an even remotely questionable link, regardless of who the sender is,” says Martin. “When in doubt, check with the person.”

***

What is a cybersecurity assessment?

Experts in the cybersecurity field often recommend a practice conduct a cybersecurity assessment. This will look at all the organization’s digital entry points, and then the cybersecurity firm will do a penetration test, where it acts like hackers would and looks for weak points.

“It’s not just about data loss, it’s about also potentially being able, like a hacker would do, to be able to cripple an organization,” says Matt Ferrante, market leader for cyber and information security services at Withum. “Data shows that about 70% to 75% of backups fail during a critical incident.”

He says many practices don’t do an assessment because they think they are cost prohibitive for smaller organizations. “This sounds like kind of an expensive prospect to have all this done, but it’s not because it’s scalable, and it really depends on the size of your footprint.”

A small practice might have an assessment done for $1,000, which is far less than the cost of the average breach.

Ferrante says assessments should be done by true cybersecurity experts, not just a general IT firm, because just like in medicine, there are general practitioners and specialists, and cybersecurity requires specialization to be done right.

In most cases, experts say an assessment can be done remotely and when complete, the practice is provided a list of vulnerabilities it can address as money allows.

download issueDownload Issue : Medical Economics March 2021