How hackers plan to attack your practice—and what you can do about it.
While physicians worked to keep their practices financially afloat and dealt with the coronavirus disease 2019 (COVID-19) pandemic, hackers kept busy too.
From January 2020 to October 2020, there were 730 publicly disclosed security breaches with more than 22 billion records exposed.1 Health care made up 25% of those breaches with nearly 8 million records exposed. Ransomware was by far the most popular attack method in 2020, making up 46% of the breaches.1
“The success that cybercriminals had in 2020 extorting sizable payouts from medical practices of all sizes ensures that ransomware will indeed remain the top cybersecurity threat in 2021,” says Dave Martin, vice president of extended detection and response at cybersecurity firm Open Systems. “Ransoms like the $670,000 paid by University Hospital [in] New Jersey last September only encourage further attacks. And while larger institutions can clearly pay bigger ransoms, cybercriminals do not overlook smaller practices, which can be tempting targets of opportunity—particularly those with lax security.”
With health care workers focused on the pandemic response, experts say hackers are taking advantage and ramping up their attacks, so it is vital that practices of all sizes be more vigilant than ever about cybersecurity. Ransomware—malware that encrypts a practice’s data and demands a fee to unlock the encryption—is entering a new phase that makes a security breach even more costly, says Gary Salman, CEO of Black Talon Security, LLC, a cyber defense firm for medical professionals.
“Now doctors are seeing 2 ransom notes,” Salman says. “The first ransom note says, ‘I’ve locked all your data; if you want [them] back, pay me $50,000.’ The second note says, ‘And by the way, maybe you have a good backup, but guess what. I have all your data and if you don’t pay me an additional $50,000, I’m going to publish all your data.’” Salman says sites on the dark web are run by these threat groups, and data from doctors’ offices show patient information, including photographs, health history forms, and other private details.
Many of these hacker groups operate as businesses and can be very sophisticated, says Matt Ferrante, market leader of Cyber and Information Security Services at the advisory and accounting firm Withum. “They sometimes know exactly what your cyber insurance policy is, and they know what’s going to potentially be covered under the policy,” Ferrante says. “And if they don’t know, they’ve often already done the intelligence on your business, and they know what it’s worth.”
What to Do if Hit With Ransomware
If a practice experiences a ransomware attack, Matt Reid, senior health information technology (IT) consultant with the American Medical Association, says to take 2 actions immediately: Contact the FBI and the practice’s IT vendor. “Federal agencies have resources that can support medical practices during a ransomware attack—and that’s clearly an important component—but also work with your health IT vendor or internal IT support staff to try to partition off the segment of the network that has ransomware as fast as possible,” Reid advises.
Martin says that all compromised devices, including desktop PCs, laptops, and smartphones should be disconnected from the network by unplugging ethernet cables, disabling Wi-Fi networks, and switching to airplane mode.
If a practice has cyber insurance, Ferrante recommends contacting the provider and ensuring all requirements are met. This may involve an assessment of the attack. “If it’s not independently assessed, it may not be covered under the cyber insurance policy,” he says.
Although some experts advise never paying a ransom to regain access to data because doing so just encourages more attacks, that is often more idealistic than practical. “What we find in almost 100% of the cases is that the doctor has to pay because the threat actors are very sophisticated nowadays, and they will find all the backups,” Salman says. “Many of these doctors have their data being backed up [in] the cloud, and with a majority of the attacks that we’re dealing with right now, the hackers have figured out how to get into the doctor’s cloud backup and destroyed [it].”
Physicians often have a false sense of security when it comes to cloud storage. “We see that a lot of people are either in the cloud or they’re moving to the cloud,” Ferrante says. “Cloud simply means somebody else’s computer. Just because Amazon and Microsoft are secure doesn’t automatically translate to you being secure or your organization being secure. It has to be secured appropriately within those environments.”
During a ransomware attack, hackers will also encrypt the server and all workstations, so when the doctors attempt to recover their data from their backups, the data are not there. “So as a practitioner, you’re basically put into a situation where you have no choice; you have to pay the ransom, because under the HIPAA [Health Insurance Portability and Accountability Act] laws, the patients’ data [have] to be available,” Salman says.
In most cases, paying the ransom results in the data being released because if the hackers don’t turn over the data, victims won’t pay any more. The more sophisticated players have customer support lines and will offer to fix any data corrupted from their software, Salman says. “They literally have testimonials on their website encouraging you to pay because these people were victims and they got their data back, so ‘You should pay me too because you’ll get your data back,’” he says.
Following a breach, practices will often go on a cybersecurity shopping spree, buying all kinds of software to prevent it from happening again, but Ferrante says that’s usually not effective. “It has to be applied the right way, and you really need the expertise to make sure that it’s scalable and set up correctly,” he explains. “Otherwise, it’s not going to function properly.”
New Threats to Defend Against
Ransomware may constitute the biggest threat to most practices, but it is far from the only one. As regulators require more patient access to data, payers interchange more data with providers, and services like telehealth grow in popularity.
What Is a Cybersecurity Assessment?
Experts in the cybersecurity field often recommend a practice conduct a cybersecurity assessment. This will look at all the organization’s digital entry points, and then the cybersecurity firm will do a penetration test, “simulating” hackers and looking for weak points.
“It’s not just about data loss. It’s about also potentially being able, like a hacker would do, to cripple an organization,” Ferrante says. “Data shows that about 70% to 75% of backups fail during a critical incident.”
He says that many practices don’t do an assessment because they think they are cost prohibitive for smaller organizations. “This sounds like kind of an expensive prospect to have all this done, but it’s not because it’s scalable and really depends on the size of your footprint.”
A small practice might have an assessment done for $1000, which is far less than the cost of the average breach. Ferrante says assessments should be done by true cybersecurity experts, not just a general IT firm. Just like in medicine, there are general practitioners and specialists, and cybersecurity requires specialization to be done right. In most cases, experts say an assessment can be done remotely, and when complete, the practice is provided a list of vulnerabilities it can address as money allows.
“What medical practices should be doing is asking their IT companies who’s protecting them,” Salman advises. “If hackers break into the IT company and attack the practice, there’s probably nothing that practice can do to defend themselves against that. Ask them if they are being independently audited on a monthly basis by a dedicated cybersecurity firm. If the answer is no, they need to understand why.”
IT vendors also have many employees working from home, and practices need to know how they are being protected as well. “These are the people who have credentials to your environment,” Ferrante says. If their security is lax, hackers can gain access to a physician’s network by breaching an IT worker’s home computer.
Ferrante adds that a cybersecurity expert should conduct a full assessment of a practice’s vulnerabilities, particularly because of the number of devices utilizing the network during the COVID-19 pandemic.
For practices working with local hospital systems, Reid recommends checking with them about receiving donated cybersecurity services. Thanks to changes in the Physician Self-Referral Law, also known as Stark Law, hospitals and health systems can now legally offer expertise and assistance to medical practices to help protect patient data.
As practices start to transition back to the office, Reid says it is important to remember to change network access. To support home workers, extra access may have been granted to IT vendors, electronic health record providers, consultants, or support staff who no longer need it. Also, office computers that have sat dormant for months need to be checked to make sure they have been patched with the most current operating system and security updates.
One of the best things a practice can do is budget for cybersecurity, Salman says. “This isn’t 2017, when the risks were a lot lower than they are now,” he says. “[Practices] have to implement cybersecurity solutions from a specialty company, not just their IT vendor.” Preventing a breach in the first place with proper security is far cheaper than dealing with the business disruption and ransom payment, he adds.
Practices also shouldn’t rely solely on cyber insurance. Ferrante says that after a major data breach, a policy may not provide enough money to cover all the expenses and can’t do anything to repair the practice’s reputation.
But above all, a practice always should make sure it has the basics in place, such as antivirus software and firewalls. “There are a lot of simple things that can be done to improve your protection, minimize the severity of an attack, and ensure a speedy recovery,” Martin says. “First off, you need to routinely back up your files to a device that is not connected to the network. This is important because the latest ransomware tools, such as Ryuk, actively seek and delete backups on devices attached to the network. These secure backups will be key to your restoration efforts.”
Avoiding common password mistakes is another way to dramatically improve your practice’s security posture. Passwords should be at least 8 characters long and consist of a mix of letters, numbers, and symbols; be changed regularly; and not reused. Also, be sure to change any default passwords on any devices, Martin says.
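The password rules above can be turned into an automated check that a practice’s IT staff can run when accounts are created or passwords rotated. The following is an added illustration, not code from the article or from any of the firms quoted in it. It implements the stated policy (minimum 8 characters, a mix of letters, digits and symbols, no reuse, no vendor defaults) and adds a rotation-age check; the 90-day rotation interval and the list of default passwords are assumptions chosen for the example, not values given in the article.

```python
import hashlib
import re
from datetime import date

# Constructed sample of vendor default passwords (assumed values for this
# example; a real deployment would load the list for its own devices).
DEFAULT_PASSWORDS = {"admin", "password", "12345678", "Welcome1!"}

MIN_LENGTH = 8          # minimum length from the article's guidance
MAX_AGE_DAYS = 90       # assumed rotation interval ("changed regularly")


def _fingerprint(password: str) -> str:
    """Hash used only to compare against password history.

    A production system would store history with a salted, slow hash
    (e.g. bcrypt); plain SHA-256 keeps this example dependency-free.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, previous_fingerprints=()) -> list:
    """Return a list of policy violations; an empty list means it passes.

    Checks, in order: length, letters, digits, symbols, known default,
    reuse against the hashes of previously used passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbols")
    if candidate.lower() in {d.lower() for d in DEFAULT_PASSWORDS}:
        problems.append("matches a known default password")
    if _fingerprint(candidate) in previous_fingerprints:
        problems.append("reused from password history")
    return problems


def remember_password(password: str, history: set) -> set:
    """Record a newly accepted password's fingerprint so it cannot be reused."""
    history.add(_fingerprint(password))
    return history


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation interval."""
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    history = set()
    for pw in ["short1!", "Welcome1!", "abcdefgh12", "Correct-Horse-42"]:
        print(pw, "->", check_password(pw, history) or "ok")
    remember_password("Correct-Horse-42", history)
    print("reuse ->", check_password("Correct-Horse-42", history))
    print("expired ->", password_expired(date(2021, 1, 1), date(2021, 6, 1)))
```

Running the script as-is shows each rule firing once, then the reuse rule firing after the accepted password is recorded. The same `check_password` function can be wired into an account-provisioning script so that the practice's own staff, not only the IT vendor, can see whether the basics are being enforced.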
“Lastly,” Martin advises, “be sure to continually remind yourself and your employees to never click on an even remotely questionable link, regardless of who the sender is.”
1. Quinlan R. Healthcare security: ransomware plays a prominent role in COVID-19 era breaches. Tenable. March 10, 2021. Accessed March 11, 2021. https://www.tenable.com/blog/healthcare-security-ransomware-plays-a-prominent-role-in-covid-19-era-breaches