Top tips for protecting a practice from hackers
Physicians at small practices often think they are not attractive to hackers, because they don’t have troves of patient information or financial data. But this attitude is what makes them a target in the first place. Lax security, a lack of resources and general indifference make the perfect combination for an easy hack.
“It’s more of a mindset problem,” says Anirudh Duggal, a cybersecurity expert and Black Hat USA 2016 security conference speaker whose work includes protecting medical devices from hackers. “Most small practices use home-based level security, such as routers or access points like you would use at home. The other problem is, they have the kind of data that bigger hospitals have, but they don’t have the security.”
Physicians need to remember that even though they may not have as many health records as a large health system, they probably aren’t the only target, experts say.
“If the hackers hit 10, 100 or 1,000 small offices and aggregate the records, then it becomes a substantial amount of data to sell,” says John Riggi, a member of consulting firm BDO’s Center for Healthcare Excellence & Innovation and a former chief of the FBI’s Cyber Division Outreach Section.
“These small practices have data sets that are attractive because they can be monetized,” Riggi adds. “The providers maintain data on protected health information, personally identifiable information and payment information—each one of these sets is valuable because they can be stolen and monetized on the internet black market.”
Once hackers have the records, they might be sold for identity theft, false billing for services or false prescriptions. And because larger organizations continue to improve security, smaller practices are becoming even more attractive targets, says Riggi.
But by taking some basic precautions and training staff to be vigilant about security, the majority of hackers can be thwarted, experts say.
Who the hackers are and how they break in
Hackers can be anyone and have different levels of sophistication. “If you look at the demographics of those caught, it could be someone in your own country or abroad; it could be someone sitting next door or a thousand miles away,” says Billy Rios, MBA, CISSP, a regular speaker at Black Hat and the founder of Whitescope LLC, a startup focused on embedded device security.
The stereotype of a hacker might be someone working for the Russian mob. In some cases this may be accurate, but they can also be rogue employees, disgruntled consultants or even a kid living next door who thinks breaking into networks is cool, says Lee Kim, JD, CISSP, director of privacy and security at the Healthcare Information and Management Systems Society. It could also be a cyber vigilante attacking a practice because of ideological reasons or some sociological motivation.
Hackers have different methods of gaining unauthorized entry, but the phishing attack is the most common, says Deral Heiland, CISSP, research lead at internet security company Rapid7. This is usually a legitimate-looking email with an attachment that, if opened, will place malware on the network that gives the hacker access.
Phishing attacks can also occur via texts or phone calls. “Small organizations can also be very trusting, and if someone picks up the phone and calls, they are more likely to believe the person and carry out some action on their behalf,” says Heiland.