Don’t assume your practice is too small to target
As if 2020 wasn’t challenging enough for health care providers, cyber crimes increased at an worrisome rate. While health care data breaches have doubled since 2014, there was a 25 percent year-over-year increase in 2020, according to HIPAA Journal. The journal reported, “Ransomware was by far the most popular attack method in 2020, making up 46 percent of the breaches.”
Ransomware, according to an AP News article on attacks targeting U.S. hospitals, “scrambles data into gibberish that can only be unlocked with software keys provided once targets pay up.”
Health care data breaches increased 25% in 2020. Ransomware was the culprit in 46% of those cyberattacks.
“The success that cybercriminals had in 2020 extorting sizable payouts from medical practices of all sizes ensures that ransomware will indeed remain the top cybersecurity threat in 2021,” industry expert Dave Martin told Medical Economics.
Is there anything medical practices can do to protect against these threats? And what should you do if you get hacked? We’ve compiled some expert tips and resources below.
Smaller practices are often the most vulnerable
Since many of the high-profile cyber attacks have targeted large hospitals and health systems, solo practitioners and smaller practices may have a false sense of security that they are too small to be a target. “In fact, 71% of ransomware attacks targeted small-to-medium-sized practices,” according to HealthITSecurity.
A 2019 article gives the heartbreaking example of a Michigan ENT practice whose physician owners decided to retire early and close the practice after hackers breached and encrypted their computer system, demanded $6,500 to decrypt the files, and wiped out all patient data and financial records when the owners refused.
Smaller businesses are often the most vulnerable to hacks. Practices of all sizes need up-to-date training and cybersecurity measures in place.
“Unfortunately, it’s often smaller businesses that are most vulnerable to attack by cybercriminals as they frequently lack the resources and protocols of larger firms,” said Beazley Breach Response Services Head Katherine Keefe in HealthITSecurity. Businesses of all sizes need up-to-date training and to have cybersecurity measures in place.
How to avoid phishing scams
Phishing attacks are among the top cybersecurity threats cited by doctors, according to the American Medical Association (AMA). This technique involves hackers sending emails claiming to be from reputable sources to try to get recipients to reveal personal information, such as passwords and credit card numbers, or to click on links that trigger malware, including ransomware.
Train your staff to keep computer and phone software updated, and to identify suspicious emails that might be phishing scams.
Train your employees on how to identify suspicious emails that might be phishing scams. This article from the Federal Trade Commission can help. Phishing emails often include:
- A story to trick you into clicking on a link or opening an attachment, such as claiming there’s a problem with your account or your payment information or asking you to confirm some personal information.
- Generic greetings, rather than addressing you by name.
- Generic email addresses. A legitimate company likely would not send an invoice from a Gmail address, for example.
Advise your staff to keep their software up to date on their computers and phones to protect against security threats. It’s also wise to protect your accounts by using multi-factor authentication. That means it requires two or more credentials to log in to your account. This could include an automatically generated code, like the Google Authenticator app uses, or a fingerprint scan.
What to do if your practice is hacked
If your practice experiences a ransomware attack, there are two actions to take immediately: Contact the FBI and your IT vendor, said AMA health IT consultant Matt Reid in Medical Economics.
It’s important to try to separate out the part of the network that has ransomware as fast as possible. Disconnect all potentially compromised devices from the network—including desktop computers, laptops, and smartphones—by unplugging ethernet cables, disabling Wi-Fi networks, and switching to airplane mode.
Next, if your practice has a cyber insurance policy, contact the provider to ensure all requirements are met (e.g., assessments, documentation).
In most cases, ransom must be paid to release data from hackers. In some cases, your insurance policies might cover it.
While some experts advise never paying a ransom to hackers because doing so just encourages more attacks, that is often not practical. In the case of the Michigan hack mentioned above, the hackers wiped out the data when the ransom wasn’t paid. According to Medical Economics, “In most cases, paying the ransom results in the data being released because if the hackers don’t turn over the data, victims won’t pay any more.”
A ransomware attack in Austin, Texas, cost the practice $12,000 in the ransom paid in bitcoin to the hackers and $10,000 for consultations with the practice’s lawyers, reported the American Academy of PAs (AAPA). Fortunately, one of the practice owner’s insurance policies covered theft, which included the ransom because the practice’s server was in the office, rather than being cloud-based.
The practice was also lucky because patient data was not compromised. A post-breach forensics investigation found that the hackers had temporarily locked the medical records rather than stolen them, reported the AAPA.
Resources to protect your practice
Experiencing a ransomware hack is a scary, disruptive, and often expensive situation. It’s crucial to do your homework and set up systems in advance to prevent it and respond to it if necessary. Here are some helpful resources, all PDFs you can download or print to have handy in your practice:
- The National Institute of Standards and Technology (NIST) has published an infographic offering a series of simple tips and tactics related to ransomware.
- The U.S. Department of Health and Human Services (HHS) offers a fact sheet on ransomware and HIPAA.
The American Medical Association provides information on how to protect your practice and patients from cybersecurity threats.