‘Nobody is safe from this’: Cybercrime in health care
Excerpted from page 28 of the Sept/Oct 2019 edition of AOA Focus.
Flip on the lights, hang the "open" sign and boot up the computers: This is the ordinary, day-to-day of optometry practices in Anywhere, USA. It was such an ordinary day, in fact, when an unfamiliar, blinking message scrawled into view at one of the Kentucky practices of Joe Ellis, O.D., that it almost could've gone unnoticed.
Reality came crashing down on every blue-screened computer ... along with any peace of mind. One by one screens flickered to life with a stark message: You've been hacked. The managing partner wasted no time getting Dr. Ellis on the phone.
"What the hell is a bitcoin?" Dr. Ellis recalls his colleague asking. "And where do you get one?"
Ransomware. It had locked users out of the practice's computers, and hackers were now requesting two bitcoins—cryptocurrency that's exchanged digitally, peer-to-peer—to regain access and control of their terminals. For a day and a half, the practice debated whether to pay the ransom before ultimately contacting experts as far away as New York.
They agreed to pay the ransom: two bitcoins at $750 apiece. The arduous and cryptic process of sending the bitcoins held everyone in suspense that perhaps it wouldn't work, or worse, they'd be gouged for more. They finalized the transaction.
"We got an immediate response with a code to break the encryption that was about two feet long," Dr. Ellis recalls.
That's when the real work began: IT dove into every nook and cranny of the network, searching for any trace of latent malware or a secret backdoor. Passwords and logins were changed. Records were pored over for signs of a breach; fortunately, there were none. And a SonicWall firewall was installed to monitor how many times hackers tried to crack the system: over a thousand times a day.
So, too, IT sleuthed out the breach vector. An employee downloaded items off the internet and onto their work terminal, one of which covertly gifted ransomware access to the computer. All told, the fiasco cost more than just two bitcoins; it all but shuttered the office for nearly two days.
Beyond sobering, the experience opened Dr. Ellis' eyes to the omnipresent cybersecurity threat that's increasingly plaguing health care. By one report's estimate, the health care industry is expected to suffer 2 to 3 times more cyberattacks this year alone than other industries. Moreover, ransomware attacks on health care are predicted to quadruple between 2017 and 2020, and quintuple by 2021.
"I don't think Americans truly understand this threat and how commonplace it's really become," Dr. Ellis says. "Nobody is safe from this."
Health care needs a security booster
Health care spending in the U.S. accounts for 18% of the nation's gross domestic product, or about $3.5 trillion, the Centers for Medicare & Medicaid Services estimate. By and large, the tantalizing target on health care's back is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, valuable data, and the pressing need for practices or hospitals to pay ransoms quickly to regain data, per cybercrime magazine Cybersecurity Ventures.
It's a simple formula: low effort, high reward. Stolen protected health information (PHI) can be a dozen times more valuable on the black market than credit card information. While the latter goes for less than $5 (followed by institutional login credentials at $1 and Social Security numbers at $1), the former reportedly fetches upward of $60 per record, CNBC reports. However, Shaji Khan, Ph.D., director of the cybersecurity institute at the University of Missouri-St. Louis, a National Security Agency/Department of Homeland Security Center of Academic Excellence in Cyber Defense Education, says it's even more basic than that.
"As I always say, attackers are target-agnostic," Dr. Khan quips. "They'll take anything that can be taken from anyone who can be attacked; there are some 'hacktivist' and political attacks, but the vast majority is simply motivated by money. Indeed, the term cybercrime is apt."
Far smaller than headline breaches such as Yahoo's 3 billion accounts or Equifax's 143 million, attacks against health insurers, hospitals, medical practices and their business associates are far more common and on the rise.
As threats go, ransomware remains popular if only for its ease and effectiveness as a cyberthreat. In fact, the tools used in these attacks have "morphed," becoming ever more sophisticated to the point that "ransomware as a service" is a new, maturing model, Dr. Khan says. Less technically adept attackers can rent advanced ransomware in exchange for giving its developers a share of the take.
"However, it's important for small and large companies to take seriously the not-so-glamorous side of security, too," Dr. Khan says. "Sure, ransomware is the coolest threat, but it's the simple things that often land organizations in trouble. For instance, poor configuration of systems, password re-use, poor management of paper records, not understanding how vendors of all types of products and services may pose a risk to the clinic.
"Additionally, [Internet of Things (IoT)] devices in the clinic connected to local networks and the internet must be carefully configured and managed. This goes for any device, be it clinical to the cool new thermostat or coffee maker."
This last point is particularly prescient. In an IoT world that tracks users' online habits with devices that make behavior-based decisions and actively listen for cues, medical practices have exponentially more IT to consider.
In April, Amazon announced six new HIPAA-compliant Alexa skills designed to allow PHI transmission without violating the HIPAA Privacy Rule. While Alexa's still far from being able to handle anything expressly clinical inside the practice, these new features do allow patients to schedule appointments, find urgent care centers, receive provider updates, access blood-sugar readings and check the status of their prescriptions. Only time will tell what's next.
In the cat-and-mouse of cybersecurity, IoT, like the threats that could come to plague it, is always in flux. There's no staying ahead of it; rather it's about ensuring a good faith effort.
"We are still catching up, and I cannot foresee a time when we are ahead of the threats, and more importantly, ahead of vulnerabilities in our systems and people," Dr. Khan says.
"Clinics should really think about basic security hygiene as their best defense."
Back to basics
The first line of defense includes strong passwords or passphrases; restricting unnecessary access or user privileges (not all staff need admin privileges); keeping anti-malware or antivirus software up to date; filtering spam and attachments (.exe, .zip) and showing file extensions (consider that a .exe file could be masked as a .PDF); running the latest version of Windows and being mindful of Microsoft's end-of-support schedule; discussing safe email and online use protocols with staff; planning and enacting a foolproof backup plan for speedy recovery; and, last but not least, ensuring you're HIPAA compliant. It's a list that Marc Haskelson, CEO of Compliancy Group, an AOAExcel® Endorsed Business Partner, reinforces with every AOA member exploring HIPAA compliance.
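As an added illustration of the attachment-filtering and file-extension points above (example code, not from the article or from Compliancy Group), a small Python policy check that judges an attachment by the extension Windows would actually act on, so that a .exe masked as a .PDF is caught and labelled; the blocked and document extension lists are constructed for this example:

```python
import os
import re

# Extensions the article recommends filtering at the mail gateway (.exe, .zip),
# extended with a few other executable types. Constructed list for this example.
BLOCKED_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1"}

# Document types that a malicious file commonly masquerades as.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _normalize(filename: str) -> str:
    """Lower-case the name and strip whitespace padding that pushes the real
    extension out of view (e.g. 'report.pdf      .exe' still ends in .exe)."""
    name = os.path.basename(filename.strip()).lower()
    return re.sub(r"\s+", "", name)


def classify_attachment(filename: str) -> dict:
    """Return a verdict for one attachment name: 'block', 'warn' or 'allow'.

    The *last* extension is what Windows uses to open the file, so it decides.
    A blocked extension sitting behind a document extension (invoice.pdf.exe)
    is additionally flagged as 'masked' so staff can be shown the trick.
    """
    name = _normalize(filename)
    root, last_ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(root)
    masked = last_ext in BLOCKED_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS
    if last_ext in BLOCKED_EXTENSIONS:
        verdict = "block"
    elif last_ext == "":
        verdict = "warn"  # no extension at all: cannot tell what will open it
    else:
        verdict = "allow"
    return {"name": name, "extension": last_ext, "masked": masked, "verdict": verdict}


def filter_attachments(filenames):
    """Apply the policy to every attachment on a message; returns (allowed, blocked)."""
    allowed, blocked = [], []
    for f in filenames:
        result = classify_attachment(f)
        (blocked if result["verdict"] == "block" else allowed).append(result)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample attachment names, not from the article.
    sample = ["patient_schedule.pdf", "Invoice.PDF.exe", "update.zip", "notes"]
    for r in filter_attachments(sample)[1]:
        print(f"blocked {r['name']} ({'masked as document' if r['masked'] else r['extension']})")
```

The same check belongs on the workstation too: with Explorer set to show file extensions, staff see "Invoice.PDF.exe" rather than a file that merely looks like a PDF.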
"You don't have to be an advanced IT person to do this," Haskelson says. "Most people have encountered this on their computer before."
That said, there's a slight but important distinction to be made when it comes to good data security and HIPAA compliance. The two run parallel, Haskelson says. HIPAA compliance goes beyond commonsense security and involves providers analyzing, assessing and demonstrating their adherence to security every year. Succinctly, it involves action.
HIPAA requires yearly policy and procedures training for all employees. They must acknowledge their understanding and compliance. Moreover, providers must demonstrate they've done their good faith effort to protect PHI. And, should an incident still occur, providers must investigate, remediate and report. Haskelson says providers' biggest mistake is often performing only one component of HIPAA compliance: a Security Risk Assessment. In addition, providers must collect business associate agreements as part of their technical due diligence and follow through on those privacy and security measures.
"The two big defense strategies that everyone should be doing are encryption and backup," Haskelson says. "If your data was encrypted correctly and ransomware did hit it, those actors can't use it anyway so it's not a breach and your patient records are safe. Now, if you didn't back it up correctly, you can't serve the patient who walks in Monday morning.
"If you were encrypted and backed up correctly, then there was no breach—it didn't happen."
Still, providers' greatest failing when it comes to cybersecurity?
"This belief that what providers have is good enough is a very risky proposition."