Fort Worth, Texas—While the digital era has ushered in levels of convenience and interconnectedness previously unimaginable, it has also exposed physicians and their institutions to increasing vulnerability.
Health care organizations of every size—from large hospital systems to solo practitioners—are increasingly at risk for cyberattacks, and nearly everyone involved in these organizations needs to take precautions to reduce the chance of data breaches.
“Cyberattacks are increasing. There were 63% more cyberattacks on health care organizations in 2016 than in 2015, partly because it’s become easier as the software has become more accessible, and partly because hospitals paying ransom show that this is a viable way to get money,” said Kayla Feld, an associate in the office of Sidley Austin, a corporate law firm in Singapore. Ms. Feld addressed the topic at the 2017 GI Roundtable, an annual meeting dedicated to exploring issues and concerns in GI practice management.
In February 2016, hackers used ransomware to encrypt the files of the Hollywood Presbyterian Medical Center, in California, demanding a ransom in bitcoins, which are difficult to trace and a preferred unit of currency for cyberattacks.
“The hospital’s president and CEO considered it an internal emergency. They were locked out of several critical platforms they needed,” Ms. Feld said. Ultimately, the hospital system paid about $17,000 to the hackers.
A month later, 10 hospitals and 250 outpatient clinics of MedStar Health in Washington, D.C., experienced a similar attack when hackers shut down their entire IT system, threatening to remove their private key and make it impossible for them to recover their files if demands were not met.
“They did eventually regain access to their systems, but this is a good example of how much of an impact this can have on a hospital’s systems, and also on their reputation,” Ms. Feld said, noting that health care organizations must notify the media of large-scale data breaches. Any breach of more than 500 electronic health records has to be reported.
Large hospitals and health care systems are not the only targets for hackers. Health care organizations of all sizes, even solo practitioners, have a lot of information that hackers want.
“Health care data is worth a lot of money,” said Rod Piechowski, senior director of Health Information Systems, a division of the Healthcare Information and Management Systems Society. “It includes your credit information, where you do your banking, who your insurance is, your health records. There is a lot of information that can be used to blackmail people or do other kinds of nefarious things.”
Furthermore, hackers who seize information with ransomware perceive health care organizations as having a good reason to meet their demands and with the deep pockets to do so. “They think hospitals and physicians’ offices are more likely [than other institutions] to pay the ransom because they can’t risk losing all the information they have,” Mr. Piechowski said. “The smaller practices are perfect targets. Hackers get less money out of them, but they’ll pay quickly to have the problem resolved.”
Smaller practices also are ideal targets because they might consider themselves below hackers’ radar, and often they don’t have the infrastructure to support a large IT staff. “Physicians don’t go into medicine to become information technology security professionals, so on one hand, it’s a matter of lacking security resources of all types. But mostly it’s a lack of awareness that they are vulnerable, too,” Mr. Piechowski said.
When a data breach occurs, the repercussions run wide and deep. “Your patients may be responsible for fraud that can take years to tease out. Really, it’s like identity theft on steroids,” said Robert Lord, CEO and co-founder of Protenus, developers of a software platform that uses artificial intelligence to detect data breaches in electronic health records (www.protenus.com).
The health care organization itself also will suffer, not just from the blow to its reputation, but from the potential legal fallout. “They will go through an investigation and may have to pay a fine to the Department of Health and Human Services [HHS] Office for Civil Rights—the organization that enforces HIPAA—that may be millions of dollars, and they will have to pay for years’ worth of credit monitoring for the records that were breached,” Mr. Lord said.
Even more, there is growing concern that hackers will be able to tamper with medical devices. “There’s already been proof of concept that they could shut down an infusion pump or change a dosage remotely and kill a patient,” Mr. Piechowski said.
The good news is that there is a lot health care organizations can do to protect themselves. First, be aware that your organization faces both cyber and physical risks; a data breach can result from something as simple as a lost unencrypted laptop or a forgotten thumb drive.
Educate your entire workforce on security awareness. Safeguarding your organization is not the sole responsibility of IT; anyone who comes in contact with information about patients or the organization plays a role. “Tell your physicians and staff what to look for: What’s a phishing email? Why would people want our information? How will they manipulate us to get it? Think of security in depth in your organization,” Mr. Piechowski said.
In addition, make sure your staff is regularly trained on HIPAA protocols and knowledgeable about general protocols, such as password management and how to use electronic systems. “This is all part of an awareness of the importance of this data they’re stewards of,” Mr. Lord said.
Install antimalware and antivirus software and keep it updated, and make sure your operating systems are patched. “Windows and Apple systems are continuously offering updates as new vulnerabilities are discovered and patched, so don’t delay implementing those. That gets you a long way,” Mr. Piechowski said.
Finally, have a plan for what to do if a data breach does occur. “You can hire consultancies to help you with this type of thing. There are a lot of ways you can protect yourself without hiring an entire security team,” Mr. Lord said.