Preventing cyber threats: What every doctor should know

By Naveed Saleh, MD, MS, for MDLinx
Published October 16, 2019

Key Takeaways

Congress established the Health Care Industry Cybersecurity (HCIC) Task Force with the intention of addressing cybersecurity issues threatening the healthcare system, as part of the Cybersecurity Act of 2015.

According to a 2017 report published by the task force:

“The healthcare industry in the United States is a mosaic, including very large health systems, single physician practices, public and private payers, research institutions, medical device developers and software companies, and a diverse and widespread patient population. Layered on top of this is a matrix of well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions. This creates the potential to develop barriers to innovation and ease of use. Within this complex network, patients must be protected from harms that may stem from cybersecurity vulnerabilities and exploits.”

Let’s take a closer look at the healthcare cybersecurity problem in medicine and what you, as a physician, can do to protect sensitive data.

The threat to patient data

Threats can come in many forms, including identity theft, targeted hacking, and ransomware. Targeted hacking, for example, focuses on specific individuals, companies, or systems. Ransomware, on the other hand, is a type of malicious software (malware) that blocks access to a computer system or its data until a ransom is paid.

Moreover, patient data from clinical trials can be stolen and used for financial gain and unethical research practices. Stolen clinical trial data can also be used for insider trading.

According to the HCIC Task Force, there are five high-level reasons why healthcare cybersecurity is in “critical condition”:

  • Paucity of qualified security personnel
  • Equipment running on outdated, vulnerable operating systems
  • Rush for access led to overconnectivity without secure design
  • Potential for an attack to shut down an entire hospital
  • Rampant medical technology vulnerabilities

How big is the problem?

According to the results of a survey conducted by the American Medical Association (AMA) and Accenture, 83% of the 1,300 physician respondents reported that they had been the victim of a cybersecurity attack.

Here are some of the most common types of attacks experienced, in order of decreasing frequency:

Phishing. In this type of cybercrime, an attacker will contact an individual via email, telephone, or text by posing as someone from a trustworthy entity to lure individuals into providing sensitive data, such as passwords, banking or credit card details, and social security numbers.

In the healthcare setting, phishing usually occurs in the form of a fraudulent email, which will appear to come from a sender in the recipient’s organization or personal network, thereby attempting to trick the recipient into clicking on a fraudulent link. In the AMA/Accenture survey, phishing was reported as the number one type of cyberattack among respondents (55%).

Computer contaminants. According to the HIPAA Journal, “computer contaminant” is an umbrella term used in legalese that extends to computer viruses, various types of malware (eg, adware, spyware, ransomware, trojans), and worms. These computer contaminants are typically disguised as, or embedded in, non-malicious software, so that clicking on the deceptive link or downloading the software infects the device. Computers infected with viruses or malware via download were the second most common type of healthcare cyberattack (48%) reported in the AMA/Accenture survey.

Computer viruses and malware have the potential to impede access to important life-saving electronic equipment in clinical practice or tamper with patient data, including diagnostic scans. For instance, researchers in Israel recently announced the development of a computer virus capable of injecting false tumors into CT and MRI scans. They created the software to show clinicians how an attacker with access to medical data could do more than just hold the data hostage for ransom or sell it on the black market.

“[W]e show how an attacker can use deep-learning to add or remove evidence of medical conditions from volumetric (3D) medical scans. An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder,” the authors wrote.

Compromised electronic protected health information (ePHI). In the AMA/Accenture survey, 37% of respondents reported that an employee or insider inappropriately accessed or attempted to access ePHI. The motive may be simple curiosity, particularly in a scenario involving a relative or high-profile figure. But consider that nearly one in five health employees said they would be willing to sell confidential medical data to unauthorized parties, according to a 2018 survey from Accenture.

In the survey, which included over 900 employees of providers and payer organizations in the United States and Canada, 18% of respondents said that they’d be willing to sell ePHI and other confidential medical data for as little as $500 to $1,000, and respondents from provider organizations were much more likely than those in payer organizations to sell confidential data (21% vs 12%). More concerning: Nearly 25% of respondents said they know of someone in their organization who has sold their credentials or access to an unauthorized outsider. These unethical and illegal practices could lead to a more serious breach of ePHI by an external entity—the fourth most common type of healthcare cyberattack.

Among physicians who have suffered cybersecurity attacks, 64% of respondents in the AMA/Accenture survey reported that attacks may result in up to 4 hours of downtime. Interestingly, only 12% of attacks lasted between 1 and 2 days. However, it seems that only a minority of surveyed physicians are concerned about future attacks. Specifically, 20% of respondents reported being “extremely concerned,” while 35% said they are “very concerned.” Conversely, around 74% of the respondents felt that such attacks might interrupt their business or put their patients’ data at risk. Other concerns stemming from cybersecurity threats include civil/criminal liability, damage to reputation, associated costs including ransoms, loss of billing, government fines, and lack of back-up records.

Protecting yourself and your patients

Fortunately, certain measures can be taken to help ensure that private data are protected. Keep in mind that most attacks—up to 85%—are preventable.

  • Make sure that you and your employees use strong passwords, including those that use combinations of letters, numbers, and symbols.
  • Create two different Wi-Fi networks: one for your practice and one for your patients. Use different passwords for each. Keep in mind that unauthorized access was the number one cause of security incidents in 2015.
  • Install and update antivirus software to battle the ~1 million new pieces of malware coded each day.
  • Smartphones, tablets, and cell phones should be encrypted and password protected.
  • Make sure that your operating systems are updated, which can provide critical security patches.
  • Avoid surfing on low-quality websites that could infect your device with malware.
  • Always opt for two-factor authentication where it is offered.
  • Don’t leave passwords in a Word document or spreadsheet on your desktop.
  • Avoid using public Wi-Fi that isn’t encrypted.
  • Never share your passwords in person or in email. Remember: email accounts can be hacked.
  • Don’t click on suspicious links found in spam or elsewhere.

Hospitals often operate on thin margins (< 1%). Before ransomware attacks and large privacy breaches became big news, it was hard to convince hospital executives to invest in important cybersecurity measures. Even today, when cybersecurity attacks can lead to grave financial losses and damaged reputations, most hospitals lack the technological and infrastructure wherewithal to identify and act on potential cybersecurity threats. Nevertheless, as an individual physician, you can help cultivate a culture of cybersecurity in your workplace by being cybersecure in your everyday practice of medicine.
