Weathering Cyber Threats in Healthcare
While your medical practice continues to focus on treating patients during the pandemic, cyber criminals are trying to take advantage of this hectic time to access your computers. But there are many ways to keep these criminals at bay. The following information will help your medical practice prevent and respond to cyber threats.
What Should I Look Out For?
Cyber criminals use a range of scams to gain access to a facility’s computers; the end goal is to obtain sensitive information to sell on the black market, to extort money, or simply to cause havoc by destroying data. The most common schemes use malware, ransomware, and phishing, but there are many more. Criminals also use social engineering (psychological manipulation) to gain access to a facility through its employees instead of its computer systems, because it is usually easier to get into a facility’s computers through a human than through a machine. Attacks may come via phone call, email, or even theft or compromise of employees’ personal electronic devices.
Watch for emails claiming to be from the CDC or WHO. Use sites like coronavirus.gov and usa.gov/coronavirus to get the latest information. And don’t click on links from sources you don’t know. The Federal Trade Commission (FTC) has lots of information to help you recognize and avoid phishing scams.
Physicians working from home are also under attack since they are working from personal computers or other electronic devices. The AMA has provided this helpful guide to working from home during the COVID-19 pandemic.
Beware of the following COVID-19 scams that may affect your patients. Providing some education and guidance when patients ask about these cons can help keep people desperate for solutions from purchasing fraudulent products.
- Offers for vaccinations and home test kits: Scammers are selling products to treat or prevent COVID-19 without proof that they work.
- Ads for test kits: Most test kits being advertised have not been approved by the FDA and aren’t necessarily accurate.
- Robocalls: Scammers are using illegal robocalls to pitch everything from low-priced health insurance to work-at-home schemes.
My Medical Practice is Too Small to Be of Interest to Hackers, Right?
Nothing could be farther from the truth. Cyber criminals don’t discriminate by size. In fact, smaller practices are very attractive to hackers since they often don’t have a dedicated IT team to put security measures in place or, worse, have lax security because they don’t think they hold enough patient information or financial data to be of interest. And if a small practice is affiliated with a larger hospital, the practice’s connection to the hospital can give hackers an easier way through the hospital’s door.
What Can My Practice Do to Stay Safe from Hackers?
Professional ethical hacker Kevin Johnson notes the biggest dangers to security he finds again and again in medical practices:
- Social engineering breaches: responding to emails from seemingly legitimate entities
- Inadequate security
- Weak computer passwords
- Sharing passwords; writing passwords on notes and affixing them to a monitor
- Unlocked computers in doctors’ offices
- Lack of two-factor authentication for logging in
- Keeping data years after it is needed
Johnson suggests that computer security be evaluated to look for obvious weaknesses and that the human element be addressed with employees. It may not be convenient for everyone to have their own password or to log in with two-factor authentication, but it is necessary to keep records secure. Purging records or information that is years old is also recommended: the more information a medical practice has stored, the easier it is for hackers to steal patient identities.
The FBI recommends taking the following steps to stop dangerous viruses from infecting your entity’s computers. Take what steps you can personally and coordinate with your IT team for steps that require administrative permissions.
- Be wary of unsolicited attachments, even from people you know. Cyber actors can “spoof” the return address, making it look like the message came from a trusted associate.
- Keep software up to date. Install software patches so that attackers can’t take advantage of known problems or vulnerabilities.
- If an email or email attachment seems suspicious, don’t open it, even if your antivirus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the antivirus software might not have the signature.
- Save and scan any attachments before opening them.
- Turn off the option to automatically download attachments. To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option and disable it.
- Consider creating separate accounts on your computer. Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need administrator privileges to infect a computer.
- Apply additional security practices. You may be able to filter certain types of attachments through your email software or a firewall.
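As an added illustration of two of the points above (spoofed return addresses that impersonate the CDC or WHO, and filtering risky attachment types), here is a small screening function an IT team could run over incoming mail. It is example code written for this page, not the FBI’s or any vendor’s tool; the trusted-domain list, the risky-extension list and the sample message are constructed assumptions.

```python
# Added example: screen a raw email for a display name that claims CDC/WHO while
# the sender address is on some other domain, and for risky attachment types.
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allowlist: domains these organisations actually send from.
TRUSTED_SENDERS = {"cdc": "cdc.gov", "who": "who.int"}

# Assumed list of attachment extensions that commonly carry malware.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip", ".iso"}


def _on_domain(domain: str, trusted: str) -> bool:
    """True if domain is trusted or a subdomain of it (so 'notcdc.gov' does not pass)."""
    return domain == trusted or domain.endswith("." + trusted)


def screen_message(raw: bytes) -> dict:
    """Return findings for one raw RFC 822 message: spoof suspicion and risky attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = {"spoof_suspect": False, "risky_attachments": []}

    # Display name names an organisation (whole word) but the address is off its domain.
    for keyword, trusted in TRUSTED_SENDERS.items():
        if re.search(rf"\b{keyword}\b", display_name, re.IGNORECASE) and not _on_domain(domain, trusted):
            findings["spoof_suspect"] = True

    # Walk the MIME attachments and record any with a risky extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings["risky_attachments"].append(name)
    return findings


def build_sample(sender: str, filename: str) -> bytes:
    """Constructed test message with the given From header and one attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "frontdesk@clinic.test"
    m["Subject"] = "Updated COVID-19 guidance"
    m.set_content("Please review the attached guidance.")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Running `screen_message(build_sample("CDC Health Alert <alerts@example-mailer.test>", "guidance.docm"))` flags both the mismatched sender and the macro-enabled attachment, while a message from `updates@cdc.gov` with a `.pdf` passes clean.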
What Do I Do If My Practice Is Hacked?
Sometimes you can take all the recommended preventive steps, but your security is still breached. Take action by following this quick-response checklist from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Under HIPAA, breaches affecting 500 or more individuals must be reported to the Secretary of HHS. The OCR maintains a breach portal that lists all breaches of unsecured protected health information affecting 500 or more individuals that were reported within the last 24 months and are currently under investigation, including the type of breach, the location of the breached information, and the number of individuals affected.