Small does not equal safe from cyber danger.
Cyber criminals target healthcare organizations because their data contain patient names, birthdates, addresses, social security numbers, credit card numbers, and health insurance information. Whether the hackers use the information themselves or sell it to others on the black market, it is all that’s needed to steal identities and commit fraud. That’s why healthcare data is even more valuable than credit card records.
Physicians in small primary care practices who think they would not be a worthwhile target for hackers should look at the U.S. Department of Health and Human Services (HHS) list of reported breaches of healthcare information.
There, among the giant health insurers, government agencies, and large hospital systems, are medical practices that found out the hard way that they, too, can be targeted: an 11-doctor cardiology practice in Knoxville, Tenn.; a solo family physician in Weston, Fla.; a solo internist in Scottsdale, Ariz.; and many more.
In fact, a practice might be targeted specifically because it is small, says Christine Marciano, a certified information privacy professional (CIPP-US) and president of Cyber Data Risk Managers, a cyber insurance broker in the United States and Australia.
“I think it’s the smaller offices that are much more vulnerable,” she says. “They’re focused on treating patients, not on (encrypting) their laptops, and making sure they have the latest security measures.”
Lee Kim, JD, CIPP-US, director of privacy and security at the Healthcare Information and Management Systems Society, says attacks on small practices were uncommon five years ago, but no longer. In fact, some hackers will test and refine their methods on small practices before going on to attack larger targets, such as healthcare systems.
She is seeing more of a new kind of attack, one that is after not a practice’s data or patient information but its computing power, which is used to earn digital currency. Attackers have hijacked practice servers to mine for cryptocurrencies, like Bitcoin. Users might be unaware that their computers are operating so slowly because they’re running the complex calculations to reap the currency.
“Even though you’re a small practice, the motivation to attack is still there. People who say they haven’t been targeted simply haven’t been targeted yet,” Kim says.
Here are best practices to follow, according to the AMA and cyber security experts: