How to ensure your practice is secure from data breaches and cyber threats.
As technology becomes even more entrenched in the healthcare ecosystem, we collect and aggregate more data than ever – and the more interconnected we become, the more at risk we are.
Security is of paramount importance to protect data from cyber theft. The goal is to minimise the impact to your patients and your reputation and to protect you from financial harm. It’s not so much about preventing intrusions as it is about managing intrusions.
Hacking and data breaches have become an ongoing epidemic in the healthcare industry – from malware and hacking to ransomware and crypto-ransomware, the industry faces a pervasive threat. The most recent Trend Micro security report found that throughout 2015 the healthcare industry was the most affected sector in data breaches across the world, with almost 30 percent of all data breaches. Indeed, the healthcare sector accounted for more than one quarter of all breaches (26.9%) this past decade.
In February 2015, US health insurer Anthem made history when the records of 78.8 million of its customers were compromised. It was the largest healthcare breach ever, and it certainly hasn’t been the last. In 2015 alone, IBM reported that close to 100 million US records were compromised in the healthcare industry.
In February 2016, Hollywood Presbyterian Medical Center became one of the latest high-profile victims of ransomware. In this instance it came from a tainted email. The medical centre was struck by Locky crypto-ransomware, which arrives in an inbox as a Word document attached to an email. This brand of attack is known as phishing, where hackers mask malicious code within a legitimate-looking email or webpage. Hackers held the hospital’s data and normal operations hostage until the hospital ultimately paid 40 bitcoins (about US $17,000).
Think you wouldn’t fall for such a trick? The sophistication of cybercriminals might make you think again. Phishing emails can be highly targeted and tailored to look like they come from a legitimate source, built from the intelligence cybercriminals gather from your social media and online footprint, including Facebook, LinkedIn and your practice website.
The Australian reality of cyber threats
Australia is not immune to the cyber threats and data breaches seen across the world. This year’s Telstra Cyber Security Report revealed that 23.7 percent of Australian organisations surveyed detected a business-interrupting security breach during an average month – more than twice as often as in 2014. That survey was mostly of large and medium businesses, but small businesses are also targets, particularly for ransomware.
In 2012, Russian cyber criminals hacked into the patient records of the Miami Family Medical Centre on the Gold Coast and locked up patient files, demanding a payment of $4,000 for a decryption code. The medical centre retrieved its data from backups, but it had to operate for several days without patient files and suffered a lot of negative publicity.
In January 2016, Australian healthcare providers paid serious attention when Melbourne Health was hit by malware (a virus) that infected Windows XP computers through Royal Melbourne Hospital’s pathology department.
The Telstra Cyber Security Report says incidents of ransomware, and of the phishing emails that often introduce the malicious programs into organisations, increased by 29 percent in 2015, which reinforces the need for staff training to help mitigate these threats.
Why do hackers want medical records?
“Electronic health records are 100 times more valuable than stolen credit cards,” says James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington DC. “Malicious actors want as much intelligence as they can get, and health care is the easiest attack surface for seasoned and non-seasoned hackers.”
Personal health information has more lasting value than other types of information. Unlike a stolen credit card, which can be cancelled, medical records consist of a raft of information that cannot be easily changed. Details such as birth date, home address and medical history can be used for identity theft. In other words, health records have become currency.
Not only can some medical records be used to buy and sell addictive prescriptions, but hackers can also use sensitive medical information to craft emails designed to induce the recipient to open a link or download a file that, unbeknownst to the recipient, installs malware, potentially giving hackers access to the target’s computer.
The continued rise of cybercrime targeted at the healthcare industry can be attributed to the fact that the revenue potential for cybercriminals is extremely high. Furthermore, since healthcare organisations hold extremely valuable data and run critical systems, any downtime can lead to serious repercussions. If systems become inoperable because of malware or ransomware encryption, it can cause major issues.
What you can do to mitigate your risk
1. Educate yourself on cyber security
Do you know the difference between spear phishing and whale phishing? It is essential for doctors to understand the basics of cyber security and the potential consequences of a breach. This may include creating an action plan to deal with potential attacks – and having a system in place so you can quickly and effectively mitigate damage. Remember that size does not make a difference – everyone is a target.
2. Educate employees
Employee training and awareness are essential to information security. Educate your employees on identifying suspicious emails and spoofed webpages. The majority of these attacks start with a socially engineered email to employees. These emails contain attachments or embedded links and use compelling language to entice the user to open or click. Review your shared drive policy and require authentication for access.
3. Assign responsibility
Consider assigning someone within your practice to be responsible for cyber security, including staying abreast of the latest government recommendations.
4. Backup systems
Organisations that perform regular backups and can rapidly restore their systems will recover more quickly.
5. Recovery plan
If you have a data breach, what do you do? How quickly must you notify your patients? What can you do to mitigate the damage? Having a plan in place, and trusted advisers to consult with, before a breach can make your post-breach response much more effective.
There is no sign of healthcare cyber attacks and data breaches slowing down, so having the correct measures in place will help ensure threats can be quickly and effectively detected and blocked.