Physician practices are prime targets for cybercriminal attacks
Last year’s Colonial Pipeline cyberattack that crippled gas delivery on the East Coast was a wake-up call to many Americans. Colonial paid the DarkSide cybercriminal hacker group about $5 million in bitcoin to get the gas flowing again.
A lesser-known ransomware attack came just two months before Colonial, when Eskenazi Health in Indianapolis was struck, one of hundreds of such attacks on health care providers in recent years.
While medical practices of all sizes have experienced ransomware attacks, cybercriminals usually cast a wide digital net to find the easiest hack, which is frequently a smaller practice. According to the U.S. Department of Health and Human Services, more than 550 healthcare ransomware attacks were reported by the end of 2021, and more than 40 million individuals may have had their protected health information exposed to bad guys.
This has created devastating consequences for some small practices, including putting some out of business.
Michigan-based Brookside ENT and Hearing Center, a two-physician practice, was hacked by criminals who locked their computer system and demanded a $6,500 ransom. The doctors followed law enforcement advice and refused to pay. The attackers wiped the computer systems, destroying all patient records and financial information. The physicians took early retirement. Another small primary practice, Wood Ranch Medical, in Simi, California, closed after not paying a ransom to cybercriminals.
These small practices are particularly vulnerable because they cannot afford an IT staff. But large practices are also hacked. Imperial Health in Louisiana was hit, compromising more than 110,000 records. The practice didn't pay the ransom but had access to their backup files and the resources to rebuild their computer systems and stay in business. However, the cybercriminals may have copied all the records.
On top of all these expenses and damages, federal and state authorities will sometimes go after physicians for allowing records to fall into the hands of cybercriminals, a violation of HIPAA rules. HHS recently announced a $1.5 million settlement with Athens Orthopedic Clinic in Georgia for not complying with the HIPAA rules due to a cyberattack.
It takes so little to allow a hacker in. One employee clicking on an email link while at work can launch a ransomware attack, encrypting records and wrenching the practice to a stop.
According to Medscape, here are five actions physician practices can take for significant protection:
Back up files to the cloud or off-site services and test that the restoration works. These backups must not be part of the practice’s existing internal network or they could also be compromised.
Implement user training with simulated phishing attacks so the staff will avoid suspicious emails and links.
Enact strong password controls and make sure that systems are regularly patched.
Require multi-factor authentication for remote access to IT networks.
Set anti-virus/anti-malware programs to conduct regular scans of IT network assets using up-to-date signatures.
Prevention is key. Proactively protecting your records through multiple layers may save a practice.
The United States Medical Association is a group of physicians and others who have seen firsthand the shifting medical landscape and the lack of any real representation (oftentimes even representation working against our interests) by major organizations that are supposed to be watching out for us, such as the AMA. Those organizations are not watching out for physicians, but the USMA will.
To get involved with and support the USMA, visit us at www.usmedicalassociation.org, sign up for our emails and newsletters, or contact us at info@usmedicalassociation.org or by calling (941) 441-0310.
Remember, the USMA will be the House that Doctors Built, and it will not become a reality without your help. Please visit the United States Medical Association website and consider making a contribution of $500, $1,000, or $5,000 to help build this sorely needed organization.
With your help, the USMA has no choice but to succeed. All we need to do is share in carrying the load. Please consider contributing. We look forward to quickly becoming your go-to organization in support of your profession.