You’re having lunch at your desk. It’s been a really busy day, so you decide to multitask and catch up on your personal emails. You open your Gmail account and see a notification from Facebook requesting a password reset “for security purposes.” You don’t want some weirdo hacking your account and posting fake messages, so you click on the link provided. When you open your browser, an alert pops up: your browser is outdated. Your lunch break is almost up, so you hurriedly download the update file. Instantly, your screen turns red and is emblazoned with the message “Hi there! Your files have been encrypted!” It’s followed by instructions to send 400 Bitcoin (what even is that?) to a strange-looking web address—that is, if you want your files back.
Sound like the plot to the latest Hollywood blockbuster? Unfortunately, this scenario is anything but make-believe. It’s a ransomware attack, and it can wreak havoc on your practice, your patients, and your pocketbook. Luckily, there are steps you can take to lower your risk of being attacked. Keep reading to find out how and why cybercriminals are targeting practices just like yours.
What is Ransomware?
Cybercriminals don’t use masks and guns to intimidate their victims—their weapon of choice is ransomware, a type of malicious software, a.k.a. malware. Hackers specifically design it to block users from accessing their files and systems until they pay a ransom, often in decentralized digital currencies like Bitcoin, Litecoin, Zcash, and others. The ransom demand includes a deadline, after which the price increases. If the payment doesn’t occur, the victim loses their files forever. If those files contain valuable information (e.g., social security numbers, bank account information, etc.), they may also be sold to other criminals on the dark web, an anonymous, hard-to-trace part of the internet that is often a hub of illegal activity.
Why Healthcare is a Target
The healthcare industry is a top target for ransomware attacks, reports Renee Bouvelle, MD, who spoke about cybersecurity at the 2018 ASCRS·ASOA Annual Meeting in Washington, DC. In fact, healthcare organizations are the target of a whopping 88 percent of all ransomware attacks in the U.S., according to NTT Security, a cybersecurity technology and services vendor.
Why? Because “we’re not getting on it” compared to other industries, says Bouvelle. Healthcare is far behind other industries when it comes to protecting its infrastructure and electronic protected health information (ePHI). It doesn’t help that cybercriminals find healthcare data enticing. “The information we create is of value,” Bouvelle notes. It contains information like patient names, addresses, social security numbers, credit card information, prescribing credentials, and more. And it’s not just your patients’ privacy that’s at risk. The record’s availability during treatment is also at stake, Bouvelle notes. If certain patient information isn’t available, like medical history, current medications, or mental health conditions, that could lead to a serious breakdown in patient care. Research from Vanderbilt University suggests that mortality rates at hospitals rise after a data breach.
It’s a People Problem.
Think you’re safe because your network has a firewall and your computers have anti-virus software? Think again. “The human factor is the biggest source of trouble,” emphasizes Bouvelle. Consider this: only a very small percentage of ransomware attacks enter your IT system through a technical vulnerability. The vast majority of them rely on social engineering—exploiting a vulnerability in a person. The reasoning is simple—it’s a lot easier to get one person to open an attachment or download a file than it is to hack into a system, look for technical weaknesses, and figure out how to exploit them.
Ransomware attacks often result from phishing scams—fraudulent emails that seem real. They use a variety of techniques to trick the user into responding by clicking a link, downloading a file, or giving up private information like login credentials. Along with the “password reset” scam described earlier, here are a few of the most common phishing techniques:
- A message from the “IRS” regarding refunds or balances due.
- A fake “Notice to Appear” in court due to some minor infraction.
- Links to “spoofed” websites—sites that look real (like bank sites) but are actually run by cybercriminals.
- An email alerting the user to a “new fax received” that can supposedly be viewed by downloading an attachment.
- Free downloads, like games, screensavers, or apps.
You’re a Small Practice, not an Invisible Practice
Although the victims of many publicized ransomware attacks are larger health systems, don’t let media coverage fool you into thinking that your independent or smaller practice is immune. Small or rural practices are taking a big risk if they think that large, urban hospitals are hackers’ only targets. One attendee at Bouvelle’s ASCRS session described how her own Helena, Montana practice was hacked. “It doesn’t get any more rural than us,” she said. When they discovered the breach, her practice contacted a healthcare cybersecurity specialist, and they were back up and running within a few hours. Her practice never determined with certainty the source of the attack, but they believe an employee accessing private email on the practice’s server made their system more vulnerable to attack.
Up Next…How to protect your practice from ransomware attacks.