Why Network Security is Important for Medical Practices
Nearly every industry relies on the internet to conduct business. For this reason, network security and cybersecurity breaches will continue to be in the news. Healthcare is one of these internet-reliant industries. Because of the confidential and valuable information that healthcare providers collect about their patients, healthcare has become a popular target of cyber attackers. Following HIPAA standards is not enough to keep data safe. Knowing that their practices have valuable data, medical and dental providers must take the proper steps to make sure that their networks and information are secure.
Recent Cyber Attacks on Medical Practices
Cyber attacks on medical practices are very common. Studies indicate that around 83% of physicians have been victims of cyber criminals. In May 2017 a major ransomware outbreak called WannaCry occurred. WannaCry spread across the globe to at least 74 countries and affected many types of businesses, including telecommunications, shipping, car manufacturers, universities and health care. Britain’s National Health Service was among the hardest hit. This type of malware works by encrypting user files and then demanding a fee of either $300 or $600 worth of bitcoin to release the encrypted data back to the owner. WannaCry exploited systems running unpatched Windows operating systems and is said to have originated in North Korea.
There are three main avenues used for a cyber attack: a supplier’s domain, software, and hosting servers. Your healthcare or medical practice’s computers are not the only technology at risk; the devices attached to your network can be hacked too.
The U.S. Food and Drug Administration (FDA) recently published new guidance aimed at helping medical device manufacturers manage cybersecurity risks. Some threats to medical devices include but are not limited to:
malware infections of network-connected medical devices
malware infections of computers, smartphones, and tablets used to access patient data
unsecured or uncontrolled distribution of passwords
failure to provide timely security software updates and patches to medical devices and networks
security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network
It is scary to think of hackers taking control of medical devices or impacting their functionality. Malware introduced through software installed on these devices could lead to inappropriate treatments being delivered to patients.
In addition to compromising patient safety, malware on medical devices can interrupt care delivery, spread to the rest of the network, or cause other issues that seriously impact the business of care delivery.
Why Medical & Healthcare Practices Are At Such a High Risk
Why is healthcare such a desirable target? Quite simply, protected health information (PHI) is more valuable to thieves than personally identifiable information (PII). The average cost of a data breach incurred by a non-healthcare organization is $158 per stolen record; for healthcare organizations the average is $355. Credit card information and PII sell for $1-$2 on the black market, but PHI can sell for as much as $363, according to the Infosec Institute. This is because a person’s health history cannot be changed, unlike credit card information.
The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, has stated: “The most lucrative information for hackers can be found in patients’ medical records, as electronic health records contain personally identifiable information (PII) such as social security numbers, health care provider details, credit card information, addresses, treatment history, and, for select facilities, valuable research information.” PHI is valuable because criminals can use it to target victims with scams that exploit the victim’s medical conditions or legal settlements. It can be used to create fake insurance claims, or to illegally obtain prescriptions for use or resale.
Because a ransomware-type cyber attack could compromise patient safety and care, health care organizations are more likely to pay the ransom. Having invested in new technology to handle electronic health records (EHR), many smaller practices lack the finances to stay ahead of hackers on cybersecurity.
What Is at Stake if Your Practice Is Hit With a Cyber Attack
In addition to the obvious potential for disrupting treatments, surgeries, and other operations, a security breach could cause other damage to a practice or facility. Hospitals and private practices hold a great deal of sensitive patient information, and a cyber attack that compromises patient data could devastate the provider’s reputation with the community and with prospective patients.
By law, all healthcare professionals and facilities must protect patient PHI. According to HIPAA privacy standards, any healthcare security breach must be publicly reported. A HIPAA violation could cost a practice thousands of dollars in fines and settlements, and could even force a practice to close. Maintaining patient safety and security is critical in the business of healthcare, so practices need to view cybersecurity as a business risk rather than just a technical challenge.
What To Do To Prevent Cyber Attacks
So, how do you protect your practice from cyber attacks? Encryption is the best way to keep your patients’ data from being accessed by an unauthorized outside party. It is important that encryption is implemented both at rest and in transit, and that third parties and vendors with access to your healthcare network or databases also handle patient data properly. Work with your IT partner to ensure that your practice keeps up to date with security, software, and what is happening in the industry. Routinely audit your network and devices, and confirm that all software is fully patched and that all technology is performing properly.
Education is a big part of keeping safe. Educate employees across the organization to be cyber aware and provide training according to their roles and responsibilities. Training on proper usage and handling of PHI is recommended to reduce data breaches caused by employee error, such as a lost device or accidental disclosure.
A healthcare cyber attack can also come from someone inside your organization. The best way to detect an insider threat is often other insiders. Training your users and employees to recognize and report an insider threat, or to avoid inadvertently becoming one, is the best way to protect your organization. Many openly available resources on insider threats offer training programs and educational materials for organizations and their employees. These explain what suspicious activity and behavioral changes employees should watch for in colleagues, and when and to whom to report them. The Carnegie Mellon CERT tracks insider threats and is a great place to start. There are several options you may want to employ to check your network for areas of risk; consult with your IT partner for guidance.
The FDA guide entitled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" suggests that any medical device security protocol should include the following protections (among others):
limit access through user authentication
use automatic timed methods to terminate sessions
differentiate privileges based on the user role
strengthen password protection by avoiding hard-coded passwords
provide physical locks on devices
require user authentication before permitting software or firmware updates
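The following is an added illustration, not code from the original article or from the FDA guidance, of how several of these protections fit together on a network-connected device: salted password hashing instead of hard-coded passwords, automatic session expiry, role-based privileges, and an authentication check before any firmware update is accepted. The class name, the five-minute timeout, and the "clinician" and "technician" roles are assumptions chosen for the example.

```python
"""Hypothetical access-control layer for a network-connected medical device."""
import hashlib
import hmac
import os
import time

SESSION_TIMEOUT_S = 300    # assumed idle limit: sessions end automatically after 5 minutes
PBKDF2_ROUNDS = 100_000    # work factor for password hashing


class DeviceAccessControl:
    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable clock so timeouts can be tested
        self._users = {}           # username -> (salt, derived key, role); nothing hard-coded
        self._sessions = {}        # session token -> (username, last activity time)

    def add_user(self, username, password, role):
        # Store a salted PBKDF2 hash, never the password itself.
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, key, role)

    def login(self, username, password):
        # Returns a session token on success, None on failure.
        record = self._users.get(username)
        if record is None:
            return None
        salt, key, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, key):   # constant-time comparison
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = (username, self._clock())
        return token

    def _active_user(self, token):
        # Resolve a token to a username, terminating the session if it has idled too long.
        session = self._sessions.get(token)
        if session is None:
            return None
        username, last_activity = session
        if self._clock() - last_activity > SESSION_TIMEOUT_S:
            del self._sessions[token]                   # automatic timed termination
            return None
        self._sessions[token] = (username, self._clock())
        return username

    def role_of(self, token):
        user = self._active_user(token)
        return None if user is None else self._users[user][2]

    def update_firmware(self, token, image: bytes) -> bool:
        # Firmware updates need a live, authenticated session with the technician role.
        return self.role_of(token) == "technician" and len(image) > 0
```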
Network security and cybersecurity need to be a focus for all medical and dental practices, because an attack can become a critical issue. Becoming educated about the vulnerabilities and seeking help from an IT service provider can take a lot of stress off of the practice.