Data-for-Ransom: Is Your Medical Practice at Risk of Cyber-Abduction?

Posted on 8 Mar, 2018 | By Elizabeth

Given the current level of criminal cyber activity, it is almost certain that your systems are fending off probes and intrusion attempts against your network as you read this.

More than 94% of healthcare providers have experienced some form of data breach, and over 50% have suffered five data breaches, with 112 million medical records compromised in a twelve-month period, as reported in a 2017 Ponemon study sponsored by Barkly.

To up the ante, we now have 57.6 million new malware samples to contend with, according to The McAfee Labs Threat Report: December 2017.

You can’t assume your practice will never experience a data security incident. In fact, you are held accountable not only for a breach that occurs but also for your unmanaged risk of one. In other words, simply failing to maintain and update safeguards could lead to an OCR HIPAA settlement, paired with a monetary penalty and a lengthy recovery process.

How do your HIPAA compliance and security programs measure up? Are your risk analysis and risk management processes in place? Is your staff equipped to recognize new threats and avoid falling prey?

You Are the Target

A survey conducted by HIMSS Analytics reports that three-quarters of providers suffered a ransomware or malware attack in the past 12 months. Most experienced at least 16 malware attacks, making healthcare the most targeted industry on the cybercriminal’s radar, and by a wide margin.

In a sample study looking at the second quarter of 2016, NTT Security reported that 88% of all ransomware attacks in the U.S. zeroed in on healthcare. Next in line were education and finance, receiving the brunt of 6% and 4% respectively. If that gap doesn’t put you on alert, consider that all other industries combined didn’t even incur 2% of the nation’s ransomware attacks.

Why is healthcare the bullseye of this prolific and debilitating activity? Because it pays. For starters, your practice’s patient health information (PHI) is reported to be ten times more valuable than credit card numbers. Think about what these files contain: patient names, birth dates, Social Security numbers, insurance policy numbers, billing information, and, yes, medical records. PHI is the hacker’s gold standard and can pull in $50 per record on the black market.

Adding to the lure is your need to access your electronic medical records (EMRs) and PHI to treat your patients. Cybercriminals know all too well what’s at stake: the well-being of the persons under your care hangs in the balance. These criminals are banking on your humanity, wagering that you will pay their ransom if they scramble your files and lock you out of your system.

Should you hesitate to pay, however, hackers have contingencies. They turn up the screws by threatening to destroy the decryption key, which means that, unless your files are backed up in a location the attacker cannot reach, you will never see them again.

Taking on the Ransomware Threat

Remember WannaCry? In 2017, this ransomware worm spread like wildfire, wreaking global havoc, including the disruption of several U.K. hospitals and medical practices whose staffs could not access patient files that had been encrypted and held for ransom.

The threat was so frightening to the U.S. that Senator Ben Sasse spoke out: “Around the world, doctors and nurses are scrambling to treat patients without their digital records or prescription dosages, ambulances are being rerouted, and millions of people’s data is potentially exposed. Cybersecurity isn’t a hypothetical problem—today shows it can be life or death.”

Sasse continued, “We’ll likely look back at this as a watershed moment.” But do we look back and see this event as our turning point in the battle for cybersecurity? That’s the question.

WannaCry was just nine months ago, and yet it seems to have fallen off our radar. Was WannaCry a turning point for your medical practice? Did this incident launch a concerted effort to protect your practice’s PHI and EMRs?

Know How Ransomware Works

Ransomware is malicious software that infiltrates one of your computers or devices through any of several entry points and then spreads across your network, encrypting every file it can reach and, in the process, rendering the affected systems unusable.

The best medicine, as with any pandemic, is preventive medicine. Prevention starts with understanding your exposure to infection. The entry points of malware include:

  • Phishing emails: Don’t bite. Train your staff to treat every unexpected message with suspicion and not to open attachments or follow links from unknown senders. Phishing emails are crafted to look legitimate but install malicious software when an attachment is opened or a link is followed. Be especially wary of links in the body of an email: the visible text can show one address while the underlying link points to a look-alike or compromised site. Hover to inspect the real destination, and when an email asks you to log in to a familiar service, type the address you already know into the browser yourself rather than following the link.
  • Unpatched programs: An outdated browser, an out-of-date plug-in, or an unpatched application all expose known vulnerabilities that attackers actively look for. One ransomware infection, for instance, was traced to staff browsing from a computer that lacked Flash Player patches, according to the Cisco 2016 Midyear Cybersecurity Report. Keep operating systems, browsers, plug-ins, applications, and device firmware up to date, and remove software you no longer need.
  • Compromised websites: Tighten your browser security settings. Even legitimate websites can be compromised to serve malicious scripts, so a patched browser with unneeded plug-ins disabled is your protection when a trusted site turns hostile.
  • Free software downloads: Be wary of free, as little in life comes without a price. Free software often bundles third-party components that, while not always malware, serve someone else’s interests at the expense of your computer’s performance and privacy. Because the user initiated the download, the firewall permits the connection and never inspects what was fetched, so it offers no protection if the download is infected. The practical control is a policy prohibiting staff from downloading free software onto practice equipment, enforced technically where you can by restricting who may install software.

Learn More

Get equipped with an understanding of cyberattacks and learn how to prevent them with the Cybersecurity for Physician Practices: A Practical, Step-by-Step Guide to Protect Patient & Practice Information 2018.

Need help nailing down risk assessments, tightening up your EHR privacy and security, reassessing your risk analysis plan, and training your staff to become a “human firewall”? Pick up TCI’s HIPAA Handbook 2018—and save your practice from unintentional breaches and penalties.

Elizabeth works on an array of projects at TCI, researching and writing about modern reimbursement challenges. Since joining TCI in 2017, she has also covered the nuts and bolts of cybersecurity, compliance with federal laws, and how to tap into the advantages of telehealth services.