A dedication to security efforts is the only way to keep patient data safe from outside threats
Physicians at small practices often think they are not attractive to hackers, because they don’t have troves of patient information or financial data. But this attitude is what makes them a target in the first place. Lax security, a lack of resources and general indifference make the perfect combination for an easy hack.
“It’s more of a mindset problem,” says Anirudh Duggal, a cybersecurity expert and Black Hat USA 2016 security conference speaker whose work includes protecting medical devices from hackers. “Most small practices use home-based level security, such as routers or access points like you would use at home. The other problem is, they have the kind of data that bigger hospitals have, but they don’t have the security.”
Physicians need to remember that even though they may not have as many health records as a large health system, they probably aren’t the only target, experts say.
“If the hackers hit 10, 100 or 1,000 small offices and aggregate the records, then it becomes a substantial amount of data to sell,” says John Riggi, a member of consulting firm BDO’s Center for Healthcare Excellence & Innovation and a former chief of the FBI’s Cyber Division Outreach Section.
“These small practices have data sets that are attractive because they can be monetized,” Riggi adds. “The providers maintain data on protected health information, personally identifiable information and payment information - each one of these sets is valuable because they can be stolen and monetized on the internet black market.”
Once hackers have the records, they might be sold for identity theft, false billing for services or false prescriptions. And because larger organizations continue to improve security, smaller practices are becoming even more attractive targets, says Riggi.
But by taking some basic precautions and training staff to be vigilant about security, the majority of hackers can be thwarted, experts say.
Who the hackers are and how they break in
Hackers can be anyone and have different levels of sophistication. “If you look at the demographics of those caught, it could be someone in your own country or abroad; it could be someone sitting next door or a thousand miles away,” says Billy Rios, MBA, CISSP, a regular speaker at Black Hat and the founder of Whitescope LLC, a startup focused on embedded device security.
The stereotype of a hacker might be someone working for the Russian mob. In some cases this may be accurate, but they can also be rogue employees, disgruntled consultants or even a kid living next door who thinks breaking into networks is cool, says Lee Kim, JD, CISSP, director of privacy and security at the Healthcare Information and Management Systems Society. It could also be a cyber vigilante attacking a practice because of ideological reasons or some sociological motivation.
Hackers have different methods of gaining unauthorized entry, but the phishing attack is the most common, says Deral Heiland, CISSP, research lead at internet security company Rapid7. This is usually a legitimate-looking email with an attachment that, if opened, will place malware on the network that gives the hacker access.
Phishing attacks can also occur via texts or phone calls. “Small organizations can also be very trusting, and if someone picks up the phone and calls, they are more likely to believe the person and carry out some action on their behalf,” says Heiland.
As an example, Heiland was hired to test the security of a small law firm with solid, two-factor authentication on its network. He sent the firm a flurry of emails until one bounced back with a vacation message, then called and pretended to be that person and asked for help getting access to the network. It worked because no one challenged who he was. Another common scheme, he says, is pretending to be a service desk employee looking for a password to fix a software issue.
And don’t assume phishing emails will be readily identifiable by incorrect grammar, missing words or other clues that the message was written by a non-native English speaker.
“Today, these phishing schemes are often well-formed and convincing, with the email appearing to come from a vendor you do business with or a colleague,” says Rios. “It may even reference an activity you did in the past.”
This information could be obtained either from looking at social media accounts or from the hack of someone else’s system. Experts say that stolen information often is used in attacks on other systems. As the amount of information in cybercriminals’ possession grows, so too does the likelihood of future successful attacks as they refine and further personalize their phishing emails.
While specific strategies to thwart hacking attacks can vary, experts agree that employee training and prioritizing security are the first, and often most effective, steps in protecting a network and the valuable data residing there. Emphasize to staff that security is important and that they should always be wary of clicking on an attachment unless they know the sender and were expecting the attachment.
Other strategies include:
Making sure all operating systems on all devices are regularly patched. “The longer the lead time between when the patch is released and when you install it, the bigger the window of opportunity for the hackers,” says Kim.
Being careful about use of social media. “Do not underestimate the dangers of social media through a mobile device,” says Kim. “Your mobile device could have access to patient data with an EHR mobile app, so don’t open links or videos from people you don’t know. You can also unknowingly divulge personal information that’s used for password reset questions.” Also, be careful when using your mobile devices on unsecured public networks, like at airports or restaurants.
Using anti-virus software. Every computer on your network should have this because, while not 100% effective, it can often catch some malware being used in hacking attempts, says Heiland.
Paying attention to any open Wi-Fi networks in the office, such as in a waiting room. Make sure your open network in no way connects to your secure network, require patients to enter a password to use the open network, and change that password every 30 days.
“Whitelisting” applications. This means setting up a network so that only authorized applications can execute files, thus preventing any unknown programs from running. This is very effective when paired with an anti-virus program, Riggi says.
Limiting levels of access. Not every computer and employee needs full administrative access. Limiting access to only the highest administrative level needed to complete a task prevents hackers from accessing many files, says Kim.
Backing up all data. Ransomware attacks, wherein a hacker encrypts data so it can’t be accessed until a ransom is paid, can be defended against with all of the strategies above, but that defense also requires protecting data. “Always have an updated off-network backup of your data,” says Riggi. “There is no way to decrypt the files once encrypted and the only way to restore them is by using a non-contaminated backup.” All computers will have to be wiped to eliminate the malware, but at least the data will be recoverable.
In the case of a ransomware attack, a practice will receive a message demanding payment to unencrypt its data, but for other attacks, the signs aren’t always obvious. Hackers can hide on a network for some time, with the usual period between intrusion and detection being 200 days, according to Riggi.
Once hackers get in, they may be there for months, continually stealing data. And while a hacked network might exhibit a visible slowdown, that’s not always the case. Often, the only way to tell whether a network has been hacked is for a trained security professional to look at the access logs.
If a practice knows it’s been hacked, Riggi says, it should isolate the breach if its location is known. Disconnect the machine from the network, call in a professional to mitigate the damage and contact police and the FBI.
Once experts determine whether any data was stolen, that may trigger additional notifications to patients or vendors. If health records containing protected health information were stolen, it constitutes a HIPAA violation and the individuals whose records were stolen must be notified.
The more people and devices that regularly log into the system, the more complicated, and costly, the eradication process can be. “The average cost can run from a few thousand dollars to many thousands of dollars,” says Riggi. “And that’s just for the hard costs to clean and restore the network.” Those costs don’t take into account lost time seeing patients, fines, liability or a loss of public confidence in the practice, he adds.
For small practices, resources are always an issue, but taking basic preventative steps is cheaper than fixing a breach. “Training of employees is critical, as is testing the network for security flaws,” says Riggi. “Security has to be ingrained as part of the culture of the practice. The threat is not going away and can never be eliminated - only mitigated.”