Here’s how to fight back.
Most of us are concerned about being personally attacked by cybercriminals, and we must have that same increased awareness within our medical practices. Cybercriminals consider medical practices ripe for the picking. Security policies and continuous education work like pesticides. Are you protected from a HIPAA breach?
The Name of the Game
The sophistication of these cyberattacks is increasing, with major cities, payers, and hospital systems being attacked using a variety of malicious scams. Cybercriminals often use malware, ransomware, or phishing to do their dirty work.
Malware
Malware, or malicious software, uses messaging that is designed to fool the receiver into thinking it is a valid link so that the end user clicks on the link. This results in the malware program or file installing on the computer and wreaking havoc. Types of malware include computer viruses, worms, Trojan horses, and spyware.
Ransomware
Ransomware is a form of malware. All it takes is for someone to click on a rogue link in an email and the company can lose control of their system or data until a ransom is paid to the attacker. Because the organization cannot handle an interruption in their operations in caring for patients, they tend to pay the ransoms to the cyberattackers. And since the ransoms are successfully received, more ransomware attacks are pursued.
Phishing
Phishing is where the hacker contacts you via email, phone, or text message pretending to be someone you know and trust such as the doctors or billing staff, as well as people who are in your contacts, including coworkers, friends, and family. The goal is to get you to release sensitive data, such as personal health information (PHI), that will aid these bad actors in accomplishing their dastardly deed.
The cybercriminals’ messages have become more sophisticated and utilize information they get from the target’s web presence, from websites and social media, to make the communications and links look realistic and credible. If the practice has a social media presence, as well as a website, the hacker can appear to have information from colleagues, superiors, and others within your organization. This aids in tricking employees into revealing information about patients’ health or financial records.
Beat Hackers at Their Own Game
The hackers are not going after your practice in particular; they are using the technique to hack everyone. Because they are using computers and the attacks are automated, they don’t need to apply much effort to attack millions of targets. Cybercriminal operations are very sophisticated, mid- to large-size businesses with full-time staff and their own development teams; they are just another sector of the tech industry.
One of the biggest areas of vulnerability a practice can have is to assume it is not a target because it is too small or has nothing of value. Cybercriminals look to take the path of least resistance, which means that if they try to hack a practice and are not successful relatively quickly, they will likely move on to another practice, figuring that a less disciplined practice will be found around the corner. The goal is to keep your practice as disciplined as possible so that the cybercriminals will move on, looking for easier prey.
Healthcare organizations and other business associates should:
- Continually educate employees about the dangers of clicking on links and opening attachments.
- Stay on top of the potential threats.
- Invest in a few key security policies. For example:
  - Make sure that employees use a different password for work email than for their personal email, and require employees to change their email passwords every 90 days.
  - Make sure that the laptops and desktops are secured at the system level and run antivirus or endpoint threat detection software.
  - The log-in for every computer and device should have a different password, and common words should not be used. Acknowledging that passwords are difficult to manage, your practice might consider using a password management tool like Roboform, LastPass, or 1Password.
  - Use “thin clients,” or devices that have little functionality and run few applications, such as Chromebooks, to make it more difficult for hackers to exploit the practice’s system. Because these devices are not complex and run few applications, it is harder for hackers to get in the “door.”
  - Use cloud services for storage and file transfers.
Every employee who touches a computer linked to the internet must be part of this initiative.
It is daunting to try to protect an entire organization. After all, if the city of Atlanta and Blue Cross of Tennessee could not adequately protect themselves, what can a small practice with few resources do to protect itself? But remember that these larger organizations have many more employees on their systems, all of whom are potential targets for cybercriminals. A medical practice has fewer employees and, with education, policies and procedures, and continued reminders to staff, it is possible to stay on top of what may be coming in the “door” to try to compromise your practice’s sensitive data.
Barbara Cobuzzi