
Cyber Risk: Why You Are a Target and How to Avoid Being the Next Victim

A Special to CAPsules

A data breach happened to Anthem Blue Cross. Then, St. Joseph Health System. Sutherland Healthcare Solutions. And Hurley Medical Center.

And on February 5, Hollywood Presbyterian Medical Center’s network was hit with ransomware. Everything at the hospital had to happen with pens, paper, and telephones for 10 days. The hospital had no real choice but to pay the $17,000 the hackers demanded.

If this can happen at a medium-sized institution with good IT – and they could not defuse this kind of attack – you can be sure it can happen anywhere. As Elliott Frantz, CEO of Virtue Security noted, “This incident really sheds light on how weak the cores of many providers’ internal infrastructure are. It is very common for hospitals to have a large number of outdated and vulnerable systems on the network.”

There is an undeniable pattern. Hackers are targeting the healthcare industry with a vengeance, and no target is too big or too small. This trend will affect everyone from Anthem Blue Cross to the smallest offices. Is your practice ready?

There is nearly a one-in-five chance you’ll be hit

According to the most recent data, 15 to 20 percent of the breaches and loss of HIPAA personal health information have hit smaller practices. Why? Smaller practices are data-rich targets that are typically poorly defended.

At small practices, security is “important but not urgent.” It is rarely in the budget. Small practices rarely have dedicated IT staff, which means systems are not fully patched and up to date. Furthermore, everybody is multitasking. Hackers know all it takes is one distracted click to crash an entire practice for days or even weeks.

It is worth 10 to 20 times more to hack your practice than to hack a bank

Healthcare records are wonderfully complete: credit card information, insurance data, full names, addresses, and even social security numbers. Hackers can sell a single healthcare record for 10 to 20 times more than what they might be able to get for other financial data.

And once someone has that information, there is a lot they can do with it. Someone without health insurance can have a needed surgery done under the stolen identity, and the real patient may not realize it until a surgery he or she never had appears in the Explanation of Benefits mail.

Russian ransomware: 90,000 infections a day

A recent variety of ransomware called “Locky” is not very sophisticated, but it is spreading fast. British analyst Kevin Beaumont, during a recent interview with Forbes magazine, said more than 100,000 PCs were infected the day before the interview, while his contact at Fujitsu suggests as many as 90,000 infections were taking place per day. Beaumont said at one point, connections to his domain peaked at five requests per second.

Small practices are an easy target for ransomware “spearphishing.” It is easy to get a list of doctors online and send emails with malware attachments to every practitioner in the area. If a hacker asked each physician for $15,000, it would be possible to make a lot of money very quickly. If your data is not backed up, you really have no choice but to pay what the crooks demand.

The health of your healthcare practice depends on security. No small practice can afford to be out of business for days or weeks at a time. Make sure you take the proper precautions.

10 WAYS TO PROTECT YOUR PRACTICE
  1. Install end-point security software, including antivirus, antispyware, and antimalware, which updates regularly.
  2. Keep your operating system fully up to date. Ideally you should aim to use the very latest version of software, especially if you are using Microsoft. If that is not possible, at minimum use versions that Microsoft still supports (XP is not one of them), and make sure you regularly install important updates. Remember that investing in good security is always cheaper than cleaning up after a breach. Consider having your system audited and penetration tested by an external vendor once a year.
  3. Use encryption with passwords on all computers, laptops, and smartphone devices. Change those passwords every 30 to 60 days – and forbid sharing them or leaving a post-it note with the password on the keyboard.
  4. Make sure you have Business Associate Agreements with any vendor who has access to your data. If a data breach happens through a vendor, it is your responsibility.
  5. Implement workplace policies to control data and implement a consistent approach to data security (again, you should absolutely forbid sharing passwords and login information).
  6. Establish clear rules and regulations regarding the use of personal devices brought to the workplace.
  7. All correspondence with patients should be done through a secure email system. Note that if it is free – for example, Gmail – it is not secure.
  8. Make sure all files are securely backed up on a daily basis. But be careful not to store more data than is required. In some cases, firms unthinkingly pile up years worth of data. Ask your lawyer about data retention requirements.
  9. Create a written data recovery and disaster plan. Put one person in charge of this plan: if it is everybody’s responsibility, it will become no one’s responsibility.
  10. Provide training to staff on guidelines and HIPAA, HITECH, and email phishing techniques.
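As an added illustration (not part of the CAPsules article), here is a PowerShell self-audit script that checks a Windows workstation against items 2, 3 and 8 above: operating system support, recent patching, BitLocker on the system drive, local password age and backup freshness. It assumes Windows PowerShell 5.1 on Windows 10 Pro or later, run as Administrator; the backup path and the day-count thresholds are placeholders to adapt to the practice.

```powershell
# Added example, not from the CAPsules article: self-audit against items 2, 3 and 8.
# Assumptions: Administrator session, Windows PowerShell 5.1, Windows 10 Pro or later
# (BitLocker and LocalAccounts modules present). Paths and thresholds are placeholders.

$BackupRoot         = 'D:\PracticeBackups'  # placeholder: where nightly backups land
$MaxPatchAgeDays    = 45                    # flag if no update has installed in this long
$MaxPasswordAgeDays = 60                    # the article's 30-60 day rotation window
$MaxBackupAgeHours  = 24                    # the article's "daily" backup requirement

$findings = New-Object System.Collections.Generic.List[string]

# Item 2: operating system version. XP reports 5.1; anything below 6.0 is out of support.
$os = Get-CimInstance Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.0') {
    $findings.Add("OS '$($os.Caption)' is no longer supported by Microsoft")
}

# Item 2: have updates actually been installing recently?
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("No Windows update installed in the last $MaxPatchAgeDays days")
}

# Item 3: full-disk encryption on the system drive.
$bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $bde -or $bde.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is not on for $env:SystemDrive")
}

# Item 3: enabled local accounts whose password is older than the rotation window
# (an account whose password was never set is flagged as well).
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays) } |
    ForEach-Object { $findings.Add("Password for local user '$($_.Name)' is older than $MaxPasswordAgeDays days or never set") }

# Item 8: a backup file written within the last day.
$newest = Get-ChildItem -Path $BackupRoot -File -Recurse -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest -or $newest.LastWriteTime -lt (Get-Date).AddHours(-$MaxBackupAgeHours)) {
    $findings.Add("No backup file newer than $MaxBackupAgeHours hours under $BackupRoot")
}

if ($findings.Count -eq 0) { 'All checks passed' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on each workstation and treat every FINDING line as a work item for whoever owns the practice's security plan (item 9).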