Protecting Your Practice
You only have to go back about ten years to the “good old days” of being able to surf the internet without much fear of your data being breached or corrupted in a way that forces you to take extra safeguards to protect it. Since around 2010, when ransomware first became a widely reported threat, attacks have steadily increased on nearly every industry that relies on electronic data in its daily operations. For 2018, PhishMe, Inc. reported ransomware attacks in excess of 850 million, and even more startling is the fact that 75% of the companies infected with ransomware were running current anti-malware software.
While ransom demands range from hundreds to thousands of dollars (even tens of thousands in incidents involving organizations such as Under Armour, TSMC, or the City of Atlanta), the real cost of a ransomware attack is often the loss of data and the loss of trust by customers who, once aware of the breach, are afraid to share their personal or financial information in the future.
The healthcare industry is no stranger to malware attacks. According to numerous technology sources, nearly half of all incidents in 2018 involved healthcare companies, with healthcare second only to financial institutions as a target. Industry experts predict that healthcare-related malware attacks will quadruple by next year (2020).
Why are healthcare organizations particularly susceptible?
- Patient information is worth money.
Whether the hacker breaches your patient data and sells it later or merely holds it for ransom, compromising confidential patient information is big business. Healthcare records are valuable because they amass a lot of information in one place. Things like driver’s license and Social Security numbers can be sold for use in obtaining fraudulent government documents, benefits, or other records.
- Staff access data remotely.
With many healthcare staff working from remote locations or needing access to patient records or reports after hours, remote access has become an essential work tool. As necessary as it is for physicians and other healthcare workers to provide convenient care, it also creates a challenge for those who manage or watch over the security of the networks, systems and other technology that house all that confidential patient data.
These remote access points are like a “back door” to your house that you leave unlocked while you run errands. You might think the locked front door provides adequate protection, but thieves skip the obvious entrance and go looking for the easy, unprotected way onto your property. The same is true of remote access points.
- Healthcare workers aren’t educated about online risks.
Now don’t be offended when you read this! Healthcare workers tend to be well educated as a whole, and they’re trained to deal with everything from life-or-death situations to managing inventory. But the fact remains that with so much to learn (from HIPAA to the latest medical gadget) there is little time to keep up to speed on cybersecurity and the best practices that prevent hackers from using phishing or other tricks to infiltrate your practice.
- Smaller practices are especially vulnerable.
While larger healthcare organizations represent big targets, with large volumes of data and deep pockets for ransom, they also typically have tougher security measures for hackers to get through. Unfortunately, smaller practices have become common prey due to less sophisticated and less up-to-date cybersecurity measures, less training, and often smaller budgets. They are also far more likely to pay a ransom for their data than to rely on a lengthy restore from backups to recover their systems and information.
So where are you vulnerable?
The short answer is everywhere. In the past year, attacks on healthcare organizations have come in nearly every form. Malware, ransomware, phishing and even emails that plainly spoof trusted domains are all techniques hackers are using to obtain information or steal from your practice.
What should you watch for? One common technique is social engineering. Hackers target the employees with the most visible email addresses, usually those with public-facing contact information or long-tenured staff. They then send emails with subject lines like “payment,” “request,” “urgent,” or similar terms. Granted, this can be confusing and difficult to sort through, especially if these are subjects your practice would commonly receive from patients. But training staff to take that extra step and recognize that the email has not come from a trusted source, but from someone posing as a vendor or as a colleague within the organization, can prevent a hacker from gaining access.
Sometimes it can be very difficult to tell when an email has been spoofed, but always be suspicious if the subject line or preview content doesn’t sound like the person supposedly sending it. For instance, if your supervisor suddenly sends you an oddly worded message, or the grammar is off when they are normally quite proficient, that should make you question the legitimacy of the email. When in doubt, notify IT and verify the request through a separate channel, such as a phone call to a number you already have on file, and whatever you do, don’t open any attachments or act on any requests associated with the email.
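As an added example (not part of the original article), the following Python script applies the checks described above to raw email messages. It flags a known staff member's name attached to an outside address, a sender domain that imitates the practice's own domain, a Reply-To header that redirects answers elsewhere, failed SPF/DKIM/DMARC results stamped by the receiving mail server, and the “payment” / “request” / “urgent” lure subjects listed above. The practice domain example-clinic.com, the staff directory and the three sample messages are all constructed for this example.

```python
"""Flag common phishing and spoofing indicators in raw email messages.

Constructed example: the practice domain, staff directory and sample messages
below are made up for illustration and are not from any real practice.
"""
import email
import re
from email.utils import parseaddr

PRACTICE_DOMAIN = "example-clinic.com"          # hypothetical practice domain
STAFF = {                                        # hypothetical staff directory
    "dr. jane smith": "jsmith@example-clinic.com",
    "office manager": "manager@example-clinic.com",
}
LURE_WORDS = ("payment", "request", "urgent", "invoice", "wire")
# Letter sequences attackers substitute to make a lookalike domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def is_internal(domain: str) -> bool:
    return domain == PRACTICE_DOMAIN or domain.endswith("." + PRACTICE_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """True for an external domain that imitates the practice's own domain."""
    if is_internal(domain):
        return False
    return (normalize(domain) == normalize(PRACTICE_DOMAIN)
            or edit_distance(domain, PRACTICE_DOMAIN) <= 2)


def analyze(raw: str) -> list:
    """Return the names of every indicator found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. A known staff member's name on an address that is not theirs.
    known = STAFF.get(display.strip().lower())
    if known and addr.lower() != known:
        findings.append("display-name-impersonation")
    # 2. Sender domain that imitates the practice's domain.
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    # 3. Replies silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to-mismatch")
    # 4. SPF/DKIM/DMARC results recorded by the receiving server (RFC 8601).
    auth = msg.get("Authentication-Results", "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{mech.lower()}-{result.lower()}")
    # 5. Lure subject lines.
    if any(w in msg.get("Subject", "").lower() for w in LURE_WORDS):
        findings.append("lure-subject")
    return findings


# Constructed sample messages.
LEGIT = """\
From: "Dr. Jane Smith" <jsmith@example-clinic.com>
To: frontdesk@example-clinic.com
Subject: Lab results question
Authentication-Results: mx.example-clinic.com; spf=pass smtp.mailfrom=example-clinic.com; dkim=pass

Could you pull the chart for room 3?
"""
IMPERSONATION = """\
From: "Dr. Jane Smith" <dr.jane.smith.md@webmail-free.test>
To: frontdesk@example-clinic.com
Reply-To: pay.now@another-host.test
Subject: Urgent request
Authentication-Results: mx.example-clinic.com; spf=pass smtp.mailfrom=webmail-free.test; dkim=pass

I need you to process a payment before noon. Do not call, I am in a meeting.
"""
LOOKALIKE = """\
From: "Billing Department" <billing@exarnple-clinic.com>
To: manager@example-clinic.com
Subject: Payment - overdue invoice attached
Authentication-Results: mx.example-clinic.com; spf=fail smtp.mailfrom=exarnple-clinic.com; dkim=none

Please see attached invoice and remit payment today.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("impersonation", IMPERSONATION),
                      ("lookalike", LOOKALIKE)):
        print(f"{name}: {analyze(raw) or 'no indicators'}")
```

Note that the impersonation sample passes SPF and DKIM: the attacker sends from a free webmail account they legitimately control and only the display name is forged, which is why the directory check matters as much as the authentication results. The lookalike sample fails SPF because the imitation domain has no record authorizing the sending host, which is the kind of signal a mail gateway can enforce before the message ever reaches staff.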
Finally, training is important. Taking the time to show your medical team what to watch for is vital to preventing the various phishing and spoofing schemes. In addition, a schedule of simulated phishing attacks to test and train your staff is a great way to see how well your training program is working. Of course, no training is fool-proof, and it’s best to assume that, eventually, someone is going to open a malicious attachment or email or land on a bad website. It’s just the cyber-world we live in. But you can reduce the threat to your practice and the risk to the patient data you are responsible for safeguarding. Cybersecurity is everyone’s responsibility, and becoming educated about it doesn’t have to be difficult if you take the time to put the right training and policies in place.