Cyber hacking in health care

What do you need to know to keep your practice safe?

By Emily Margosian, content specialist

Target, Anthem, Equifax, and...your practice? As headlines continue to report on the next email leak, data breach, and ransomware attack, public awareness of cybercrime has never been higher. And while it may be tempting to assume hackers are primarily preoccupied with lofty targets such as financial institutions and major political parties, health care has emerged as the industry that is most commonly targeted by cybertheft.

The Office for Civil Rights reports that the number of data breaches occurring between 2016 and 2017 rose by 12.7%, with health care disproportionately bearing the brunt. A CynergisTek report found that in 2016 there was a dizzying 320% increase in health care providers who were victimized by hackers, and unsurprisingly, some of the most widely reported ransomware attacks of the past year have involved health care institutions. Atlanta-based Emory Healthcare had over 200,000 patient records compromised in January 2017, and in July 2017 Anthem reported the theft of 18,000 Medicare members’ personal data — the insurer’s second major data breach in two years, having already reached a $115 million settlement over a 2015 cyber-attack that compromised data of 78.8 million plan holders. Likewise, the “WannaCry” ransomware attack that paralyzed much of the world in May of 2017, compromised health records globally, impacting hospitals and health systems throughout the United States, United Kingdom, India, and China.

Why are cyber criminals so interested in medical records? Part of the answer has to do with the wealth of personal information that can be found within them, says Eric Deister, Chief Information Officer at Forefront Dermatology. “They don’t want to know that you have acne, they want to know your phone number, birth date, Social Security number, and insurance company. Providers have to be prepared, and having a response plan is almost the new reality. It’s a new world.”

Given this precarious new world, what should dermatologists know to keep their practices and their patients’ data secure? Dermatology World outlines the basics on:

  • Ransomware 101

  • How you can protect your practice

  • Avoiding HIPAA violations 

Ransomware 101

Generally classified as any attack in which a cybercriminal withholds a target’s data until payment is received, ransomware is a sight that no physician wants to see, as Robert Frazier, MD, of Norfolk, Virginia, can attest. “I work at a dermatopathology laboratory, and recently ransomware corrupted our server,” he explains. “One day we came into work and could not access our laboratory information and billing software. Some of our employees had been given the option to work outside the lab, and the ransomware entered our network through one of our employees’ computers. Our passwords were also fairly simple and we never changed them.”

The situation went from bad to worse when it was discovered that daily server backups had not been completed as assumed. “Our information technology support company determined all we had to do was wipe the hard drive clean and restore the server from our daily backups,” says Dr. Frazier. “However, six months prior, we exchanged an old server with a new one, and unbeknownst to everyone involved, the daily backups were not properly set.”

Fortunately, in the end, only a handful of records were permanently lost. The hard drive was sent to a company specializing in data recovery, which was able to decrypt the data — no ransom required. “Needless to say, it was a difficult and stressful week,” says Dr. Frazier. “We were not sure if we would be able to restore the encrypted data. Not having access to any of our pathology reports and billing information conceivably could have shut us down. We take information technology security very seriously now.”

The rise of ransomware over the past few years is due in part to the commoditization and ease of access to encryption software, says Brian Musci, director at AdRem Systems, an information technology services provider. “It used to be more ‘hey, we just want to mess with you by denying access to your information.’ Then it became a business,” he says. “I hate to say that, but there are literally sites set up where you can order a custom-made ransomware package. In the beginning they were just a bunch of text on the screen, but now these sites have become sophisticated enough to rival your best online retailers. Except instead of buying goods, you’re buying ransomware.”

For victims of ransomware who haven’t properly backed up their files, is there a case to be made for giving the hackers what they want? The experts are split. “The real risk is that even if you pay them — which the FBI suggests you don’t — are they really going to give you your information back?” asks Deister. However, others suggest there may be a case for biting the bullet, especially if the bounty is relatively low. “For some companies, sometimes ransomware demands aren’t even worth the time it takes to call IT to try to find out if there’s a backup,” says Moty Cristal, a professional negotiator at Nest Negotiation Strategies in Tel Aviv, Israel, in a May 2017 Guardian article. Even the recent WannaCry ransomware attack ultimately generated a grand total of only $50,000 in Bitcoin — a seemingly paltry payout for such a massive international cyber-attack. (See sidebar for more on Bitcoin and cryptocurrency.)

“So I will say this: for all of our customers, given the way that we back up data and the way that our continuity plans work, I would not recommend paying a ransom because of the way that we do our systems,” says Musci. “However, if you have no back-ups, you really don’t have a choice. Not paying the ransom means no longer having any of your data, which likely means your practice is going to completely shut down. If you don’t have your data, you’re done. My best advice to a practice is to spend the money on a qualified IT company that’s doing the right things. It’s a cheap insurance policy at the end of the day.”

Regardless of whether or not they decide to pay a ransom, there are still three main follow-up actions physicians should take following a confirmed cyber-attack, according to David Goldberg, MD, JD, a dermatologist and lawyer from New York. “One, is you immediately have to change everybody’s password in the office. Two, you have to notify patients that there has been a hack and that you’ll do everything reasonable to make sure that no damage is done to them personally. And then three, you do have to notify the authorities,” he says.

The time frame in which physicians are required to report a data breach to the authorities depends on the number of patients impacted. “When there’s a true instance of a data breach or ransomware, then we have to look at the protocol that HHS puts out there,” says Musci. “In the event of a breach where you have 500 or more individuals affected, then you have 60 days to report the violation. If less than 500 people were impacted, then you have until the end of the year to submit formal notice that a breach occurred.”

What is cryptocurrency?


A hacker has seized your patient’s medical records and demands you pay in Bitcoin to get them back. But what’s a Bitcoin?

Over the past decade, cryptocurrencies — or digital assets designed to work as a medium of exchange — have continued to gain mainstream momentum beyond their niche beginnings. While initially the preferred currency of geeks, aspiring entrepreneurs, and online black markets for its anonymity and lack of regulation, cryptocurrency has since attracted mainstream interest in recent years as its value has continued to rise.

As of December 2017 there were an estimated 1,324 digital currencies in existence according to cryptocurrency ranking site CoinMarketCap. Among these, however, Bitcoin has become the de-facto poster child for the phenomenon. Introduced in 2009 by founder ‘Satoshi Nakamoto’ (Nakamoto being the alias for the still-unknown person or people behind Bitcoin’s design), Bitcoin stands out as one of the first and most widely accepted forms of cryptocurrency. While favored by cyber criminals for its ability to complete near-anonymous transactions, Bitcoin is also accepted as legitimate payment by major businesses such as Microsoft, PayPal, Wikipedia, and more.

While Bitcoin has traditionally been derided by economists as an elaborate Ponzi scheme as well as a speculative bubble primed to burst, thus far its value has continued to increase, hitting an all-time high of $11,000 per Bitcoin in late November 2017 — and immediately smashing its own record by early December, rising to nearly $16,000 per Bitcoin. As Bitcoin and other cryptocurrencies continue to maintain — and grow — in value, they will likely continue to remain a popular option among those looking to net a potential windfall — or cash in an untraceable transaction.

HOW DO YOU PROTECT YOUR PRACTICE FROM HACKERS?

As with most things in life, an ounce of prevention is worth a pound of cure. Physicians looking to take preventative steps to protect their practices from cybertheft should make a point to:

Have a firewall.

A firewall is a network security system that monitors and controls incoming and outgoing traffic from a practice’s network. Not having one — or not having a good one — is one of the biggest mistakes Musci says he sees practices frequently make. “If it’s something that they bought at Best Buy, then any middle schooler or high schooler can do some Google searches, download some free tools, and hack their system,” he says. “They’ve got to make sure they’ve got an enterprise-grade system put in place, even if it’s a small office. A good firewall is going to be something that’s considered a ‘next-generation’ firewall — that’s actively doing antivirus, intrusion detection, and intrusion prevention. You can do basically content filtering in there that won’t accept any connections from the outside world that you didn’t initiate yourself unless it comes from pre-specified places.”

Train staff to recognize phishing attempts.

As a rule of thumb, staff should be trained to never click on attachments or links from unknown sources, and to double check with the practice’s IT support or vendor if something doesn’t look right. Additionally, a robust spam filter can help reduce the number of potentially hazardous emails coming through. “The most common way that hackers either get into the EHR or the Outlook communication system of a practice, is that someone in the office gets an email, or downloads an attachment, and then bingo! People get into the system,” says Dr. Goldberg. “They can then easily go from their Outlook or whatever system they have for communication, and then get into the EHR.”

Limiting staff’s access to certain sites or their ability to download programs can also help reduce their risk of accidentally encountering and engaging with malware. “We’ve hardened our computing environment and our desktops to protect the doctors and staff; you can only install items that are safe,” says Deister. “That way we don’t have to worry about notifying people not to install an at risk program; we shield our team from the start, once again, offering the protection our doctors expect and need. We seek to thwart having even an honest, well-intentioned, error doing something that would have an impact on the wider network.”

Don’t share passwords.

“The easiest thing is to make sure you’re changing your passwords. There’s just no reason not to do that,” says Dr. Goldberg. Strong passwords generally contain 12 characters, including a mix of uppercase and lowercase letters, as well as numbers and symbols. Passwords should also not be written down and displayed near a workstation, and most importantly, staff should be actively discouraged from sharing them. The practice of health care employees using shared passwords is pervasive, according to a survey published in Healthcare Informatics Research, which found that out of 299 surveyed medical and paramedical personnel, 73.6% said they had obtained the password of another medical staff member (2017 July;23(3):176-182). This workaround can leave patient data vulnerable and result in HIPAA fines, as the law requires that a person only access the portion of a medical record “minimally necessary” to fulfill their role. If a staff member temporarily uses the password or login credentials of another provider with wider access, they may gain more access to information than their role requires, putting the practice at risk for a HIPAA violation.

“We’ve gone into so many places where we ask them how they log on to the system, and they say ‘We log on as an administrator; here’s the password; it’s the same on every machine, and it’s been that same password for years.’ You just kind of shake your head and go, well starting tomorrow, that’s got to change,” says Musci.

The issue of passwords becomes even thornier concerning employees who have left the practice or have been terminated. In order to minimize the risk of a disgruntled former employee retaining access to a practice’s system, frequent password changes should be part of a long-term digital strategy, and executed any time there is an employee departure. “As a member of our group, you have access rights within our system,” says Deister. “So if you leave our group, a process is in place to disable your account so you can no longer log-in. The second step is to fully remove your access from the system, so even if you did get past the first control, there’s a second control in place.”
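The two-control offboarding process Deister describes (disable the account, then strip its access) is easy to state and easy to let slip. The script below is an added example, not code from the article or from Forefront Dermatology; it audits a constructed HR roster against a constructed directory export and reports departed staff whose accounts are still enabled, still hold group memberships, or have logged in after their departure date. Names, dates, group names and the `ROSTER`/`ACCOUNTS` shapes are all assumptions made for the example.

```python
from datetime import date

# Constructed HR roster: who has left the practice and when. All names and dates are made up.
ROSTER = [
    {"user": "jdoe",   "role": "medical assistant", "departed": date(2017, 5, 12)},
    {"user": "rlee",   "role": "billing",           "departed": date(2017, 6, 30)},
    {"user": "mpatel", "role": "physician",         "departed": None},  # current staff
]

# Constructed directory export, in the shape an identity system might list accounts:
# enabled flag, group memberships (which grant EHR/VPN rights), and last login.
ACCOUNTS = {
    "jdoe":   {"enabled": False, "groups": ["ehr-users", "vpn"],     "last_login": date(2017, 5, 11)},
    "rlee":   {"enabled": True,  "groups": ["billing", "ehr-users"], "last_login": date(2017, 7, 2)},
    "mpatel": {"enabled": True,  "groups": ["ehr-users", "vpn"],     "last_login": date(2017, 7, 3)},
}

# Assumed audit date for the constructed data.
TODAY = date(2017, 7, 5)


def audit_departures(roster, accounts, today):
    """Return (user, finding) pairs for departed staff whose access was not fully removed.

    Control 1: the account must be disabled.
    Control 2: group memberships must be removed, so that a failure of control 1
    (someone re-enables the account, or it was never disabled) grants nothing by itself.
    A login after the departure date is reported because it means one of the
    controls failed in practice, not just on paper.
    """
    findings = []
    for person in roster:
        departed = person["departed"]
        if departed is None or departed > today:
            continue  # current staff, or a departure that has not happened yet
        acct = accounts.get(person["user"])
        if acct is None:
            continue  # account already removed entirely: nothing to report
        if acct["enabled"]:
            findings.append((person["user"], "account still enabled"))
        if acct["groups"]:
            findings.append((person["user"], "still member of: " + ", ".join(acct["groups"])))
        if acct["last_login"] > departed:
            findings.append((person["user"], f"logged in on {acct['last_login']} after departure"))
    return findings


def run_audit():
    """Run the audit over the constructed data; returns the list of findings."""
    return audit_departures(ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
```

Run against the constructed data, the audit flags jdoe (disabled, but still in groups: control 2 never ran) and rlee (enabled, in groups, and seen logging in after the departure date). The same logic applies to a real directory export once the `ROSTER` and `ACCOUNTS` records are loaded from the HR system and the identity provider.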

Enable multi-factor authentication.

Multi-factor authentication may be inconvenient, but there’s a reason that most major email and social media platforms, such as Gmail and Facebook, have begun to aggressively promote it to users. Most multi-step authentication involves a user entering a username and password, and then being sent an authentication code to a specified mobile device, often a cell phone. If the user fails to enter the code within an allotted amount of time, the code expires. While the security measure requires some additional effort, expending the 20 or so extra seconds of time is worth thwarting a potential hacker, says Deister. “Two-factor authentication is the big buzzword now. Your bank offers it; Apple offers it for your iTunes account. One of the biggest things for small practices is: take it seriously. It doesn’t mean it has to consume your day, but this important safety check should be utilized.”
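The mechanism described above (a code sent to a registered device that expires if not entered in time) has a few properties that matter beyond the expiry: the code should be single use, it should not be stored in the clear, and a six-digit code must not be guessable by retrying. The following is an added example, not code from the article or from any vendor it mentions, implementing that second step in Python. The 60-second lifetime, the five-guess limit and the `SecondFactor` class are assumptions made for the example; delivery to the device is left to the caller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 60   # assumed window; the article gives no specific value
MAX_WRONG_GUESSES = 5        # assumed; without a limit a 6-digit code is brute-forceable


@dataclass
class PendingCode:
    digest: bytes        # hash of the code, so a leaked table does not leak live codes
    expires_at: float    # epoch seconds after which the code is dead
    wrong_guesses: int = 0


class SecondFactor:
    """Second step of a login: issue a one-time code for a user who has already
    passed the password check, then verify what the user types back."""

    def __init__(self):
        self._pending = {}   # username -> PendingCode

    @staticmethod
    def _digest(username, code):
        return hashlib.sha256(f"{username}:{code}".encode()).digest()

    def issue(self, username, now):
        """Create a fresh code for the user, replacing any earlier unused one.
        Returns the code so the caller can send it to the registered device;
        it must never be echoed back to the login page."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(
            digest=self._digest(username, code),
            expires_at=now + CODE_LIFETIME_SECONDS,
        )
        return code

    def verify(self, username, code, now):
        """Return True only for the current, unexpired code; a correct code is
        consumed on success, and too many wrong guesses consume it as well."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[username]          # expired: user must request a new code
            return False
        if not hmac.compare_digest(pending.digest, self._digest(username, code)):
            pending.wrong_guesses += 1
            if pending.wrong_guesses >= MAX_WRONG_GUESSES:
                del self._pending[username]      # lock the code after repeated failures
            return False
        del self._pending[username]              # single use: the code cannot be replayed
        return True


if __name__ == "__main__":
    mfa = SecondFactor()
    sent = mfa.issue("drsmith", 0.0)       # in practice: text/push this to the phone
    print("accepted at 30s:", mfa.verify("drsmith", sent, 30.0))
    print("replay rejected:", mfa.verify("drsmith", sent, 31.0))
```

The time arguments are passed in explicitly rather than read from the clock so the expiry behaviour can be checked deterministically; a production version would call `time.time()` and, as the article notes, treat the code as an addition to the password, not a replacement for it.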

Back up your data regularly.

As Dr. Frazier can attest, if your data is available in more than one place, you can potentially avoid disaster if it’s compromised or stolen. “We have recently instituted multiple changes following the incident, which include more difficult and frequently changed passwords,” he says. “However, we also now do daily monitoring of back-ups, reviewing exactly what was backed up, and backing up the data to multiple sources both on and off-site.”

Dr. Goldberg has implemented a similar strategy at his own practice. “We have six offices in three states, and everything is backed up into the cloud every day,” he says. “But to have a system that doesn’t have an organized time sequence for backup is not reasonable. If you’re going to have EHR, you have to have IT on board. You just do.”
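Dr. Frazier’s server swap is the classic backup failure: the job kept reporting success for a host that no longer mattered, and nobody checked that the new host was covered. The check below is an added example, not code from the article or from either practice, showing the kind of daily review he describes: for every source the practice expects to be protected, confirm a backup exists, is recent, is not empty, and that the stored archive still matches the checksum recorded when the job ran. The 24-hour policy, the log and archive formats, the host names and the `check_backups` function are all assumptions; the data is constructed to reproduce the missing-new-server case plus a truncated archive.

```python
import hashlib
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)  # assumed policy: every source backed up at least daily

# Constructed stand-ins for archive files on the off-site store (bytes instead of real files).
FULL_IMAGING_ARCHIVE = b"imaging share contents, day 1" * 50
ARCHIVES = {
    "billing-db-2017-06-01.tar": b"billing db dump 2017-06-01" * 40,
    # the imaging job recorded a complete copy, but what reached the store is truncated
    "imaging-share-2017-06-01.tar": FULL_IMAGING_ARCHIVE[:200],
    "lab-server-old-2016-11-30.tar": b"old lab server image" * 30,
}

# Constructed backup-job log, one record per completed job. After the server swap
# only the retired host "lab-server-old" ever appears; the new host was never added.
BACKUP_LOG = [
    {"source": "lab-server-old", "archive": "lab-server-old-2016-11-30.tar",
     "finished": "2016-11-30T02:00:00+00:00", "bytes": 600,
     "sha256": hashlib.sha256(ARCHIVES["lab-server-old-2016-11-30.tar"]).hexdigest()},
    {"source": "billing-db", "archive": "billing-db-2017-06-01.tar",
     "finished": "2017-06-01T02:10:00+00:00", "bytes": 1040,
     "sha256": hashlib.sha256(ARCHIVES["billing-db-2017-06-01.tar"]).hexdigest()},
    {"source": "imaging-share", "archive": "imaging-share-2017-06-01.tar",
     "finished": "2017-06-01T02:20:00+00:00", "bytes": len(FULL_IMAGING_ARCHIVE),
     "sha256": hashlib.sha256(FULL_IMAGING_ARCHIVE).hexdigest()},
]

# What the practice believes is protected. Note "lab-server-new", not "lab-server-old".
EXPECTED_SOURCES = ["lab-server-new", "billing-db", "imaging-share"]

# Assumed time of the daily review for the constructed data.
NOW = datetime(2017, 6, 1, 8, 0, tzinfo=timezone.utc)


def check_backups(expected_sources, backup_log, archives, now):
    """Return a list of human-readable problems; an empty list means every expected
    source has a recent, non-empty backup whose stored archive matches its checksum."""
    problems = []
    latest = {}  # source -> (finished datetime, record) for the newest job per source
    for rec in backup_log:
        finished = datetime.fromisoformat(rec["finished"])
        if rec["source"] not in latest or finished > latest[rec["source"]][0]:
            latest[rec["source"]] = (finished, rec)

    for source in expected_sources:
        if source not in latest:
            # the silent failure in the article: a job was never configured for this host
            problems.append(f"{source}: no backup job has ever reported for this source")
            continue
        finished, rec = latest[source]
        if now - finished > MAX_AGE:
            problems.append(f"{source}: last backup finished {finished.isoformat()}, older than {MAX_AGE}")
        if rec["bytes"] == 0:
            problems.append(f"{source}: last backup is empty")
        data = archives.get(rec["archive"])
        if data is None:
            problems.append(f"{source}: archive {rec['archive']} is missing from the store")
        elif len(data) != rec["bytes"] or hashlib.sha256(data).hexdigest() != rec["sha256"]:
            problems.append(f"{source}: archive {rec['archive']} failed checksum (truncated or corrupted)")
    return problems


def run_check():
    """Run the review over the constructed data; returns the list of problems."""
    return check_backups(EXPECTED_SOURCES, BACKUP_LOG, ARCHIVES, NOW)


if __name__ == "__main__":
    for line in run_check() or ["all expected sources backed up and verified"]:
        print(line)
```

A job log that says "success" is only evidence that a job ran; the list of sources it should cover has to come from somewhere the backup tool does not control (an asset inventory, or a list the practice maintains by hand), and the checksum comparison is what turns "a file exists off-site" into "the file can actually be restored".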

Make sure you get the right vendor.

Finding the right IT vendor depends on the size and scope of a practice; however, there are some key guidelines that dermatologists should look for. “First and foremost, are they certified HIPAA specialists? And more importantly, are they HIPAA-compliant themselves?” suggests Musci. “We spent a long time going through our particular company making sure that we could say yes, we are HIPAA-compliant, we do assessments in our own environment.” Musci also recommends that practices make sure they have a Business Associate Agreement (BAA) in place with their chosen email provider. A BAA is a contract between a HIPAA-covered entity and a HIPAA business associate, which protects personal health information (PHI) in accordance with HIPAA guidelines — essentially, both satisfying HIPAA regulatory requirements and creating liability between both parties. Practices sharing PHI through a messaging or document-sharing application without executing a BAA first should beware, as they can be subjected to potentially hefty fines from Health and Human Services (HHS).

As a large, national dermatology group, Forefront’s IT focuses on protecting its dermatologists and staff using standardized processes across its network of practices. “We best defend ourselves when everyone logs into a common system that is vetted and secured,” says Deister. “We also have external parties come in and do what they call ‘attack and penetration’ tests where they try to break in and give us feedback on what they saw. We try to do an annual A&P test with some of the big name cyber security companies. These are important services that we provide our dermatologists, a benefit from being part of a group focused on not only the ethical practice of dermatology, but the safety of our dermatologists and patients.”

For dermatologists not affiliated with a large practice, or for whom in-house IT is out of the budget, there are still options, says Deister. “If you’re a small practice, you probably use Google Apps or Microsoft 365 for email, for example. They have security options and I would take advantage of them. Talk to whatever vendor is setting up for you. There are a lot of small boutique IT companies out there. Maybe they come in for a day and take a look at things and kick the tires and make sure everything is ok.”

Overall, dermatologists should refrain from thinking they can do it all themselves. “One point I always like to drive home is that you’re a dermatologist; you are a specialist in dermatology,” says Musci. “You’re not trained in IT, and so just like you wouldn’t expect to go to a podiatrist to be treated for your skin conditions, you’re not going to go to just anybody to do your IT. You really want someone who’s a trained professional, who’s doing continuing education, who’s staying up to date with the latest trends to make sure that they are managing your network just like you manage your patients.”

CONCERNING HIPAA

When hackers seize a practice’s medical records, it not only creates an economic and ethical quandary for physicians, but a legal one as well. “The consequences of the theft of PHI are twofold,” explains Deister. “It’s our responsibility to patients to protect their data, so there’s the economic compensation to those patients — even if it’s just the cost of the stamps to notify them of a breach. The second part of it is the governmental impact. They’re looking to fine people more, and not just the big players. I’ve read about three or four doctors getting fined a couple hundred grand, so from a HIPAA perspective, what we’re really concerned about is protecting our patients, safeguarding the reputation of our dermatologists, maintaining the trust with our patients, and staying out of trouble with the government.”

HIPAA specifies 18 points of information by which a reasonable person could identify someone. It is thus the responsibility of physicians and their staff to keep any “identifiable” patient information secure. “This is becoming a very complicated problem, and it really needs to be addressed because the violations are starting to increase and the law is not always clear,” says Dr. Goldberg. “The government can go after any physician to impose compliance. Most of which don’t involve civil monetary penalties, but they could.”

One way practices can reduce potential HIPAA violations is to be cognizant of conversations and interactions with patients that occur through the use of electronic means, making sure that they are properly encrypted. “Are they emailing and texting patients? If they are, is that data encrypted? If it’s not, then they’re putting themselves out to a huge liability,” says Musci. “Patients can say, I don’t care, just send me my information; it doesn’t have to be encrypted; I just want it to be easy for me to read. At that point, they’ve waived their rights to privacy. But if they haven’t explicitly said that, and gotten it documented, and you send them something that’s sensitive information over an unencrypted text or an unencrypted email, now you’re considered in data breach.”

Overall, digital security is a mindset, according to Deister. “It’s rigorous; it’s boring in a way. You want to use the words ‘always’ and ‘never’ a lot. We never want to do this; we always want to do that. There’s a level of discipline to make sure you’re always doing things right, because the reality is hackers only have to be right once, and you only need to be wrong once.”