While cybercrime is no longer new and awareness of it is widespread, attacks keep succeeding because their form is unpredictable. According to the U.S. Department of Health and Human Services (HHS), ransomware and hacking are the primary cyberthreats in health care today.1 The nefarious use of artificial intelligence (AI) could rapidly change that picture, enabling ever more sophisticated attacks of a kind the average information technology officer has not yet seen.
Amid the chaos and confusion that defines cybercrime, one certainty remains: All health-care providers, practices and facilities can expect to have a criminal cyber encounter — regardless of whether they have already endured any.
“It’s not if, it’s when,” says Christian Dameff, MD, co-founder of CyberMed Summit, an organization that seeks to advance cybersecurity culture in health care by facilitating collaboration among stakeholders in patient care delivery. “The trajectory and the money involved in this [industry] means that you will suffer an attack. And there’s this terrifying reality that these types of attacks truly impact our ability to care for patients in a timely and safe manner.”
Statistics support this sentiment. In a December 2023 report, HHS, whose Office for Civil Rights (OCR) tracks large health-care data breaches (those affecting 500 or more people), noted that between 2018 and 2022 reports of large breaches involving ransomware rose 278% and reports of large breaches overall rose 93%.2
From the largest of hospital networks to the smallest of ophthalmology practices, health care is an attractive target for cybercrime due to the sensitivity of data being managed, a growing dependence on technology to collect that data and the need to share it electronically across the continuum.
“In order to deliver the best care, we all need to share data about our patients,” says Renee C. Bovelle, MD, MCS, of Envision Eye & Laser Center in Glenn Dale, Md. “The retina specialist needs to communicate with the comprehensive ophthalmologist, who needs to communicate with the primary care doctor, and so on. And these are crimes of opportunity. Threat actors will attack the easiest target.”
Awareness and Compliance
As Dr. Bovelle sees it, a better sense of cyber awareness would go a long way to reducing data breaches among her peers in ophthalmology.
“Unfortunately, not enough ophthalmologists — or health-care practices in general — are aware of the need for cybersecurity,” she says. “It’s not laziness. It’s that there’s just a lack of awareness and we’re all very busy. We don’t necessarily think about cybersecurity first, as clinicians. What we think about first is how to best treat our patients, and rightly so.”
Despite these circumstances, the responsibility for keeping electronic protected health information (e-PHI) as secure as possible rests with every covered entity as defined by HHS: health plans, health-care clearinghouses and health-care providers that conduct certain transactions electronically, along with their business associates, all of whom are subject to standards established through the Health Insurance Portability and Accountability Act (HIPAA).3 Under HIPAA’s Security Rule, covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards for e-PHI. Encryption, which renders e-PHI unreadable to anyone not authorized to view it, is an “addressable” specification under the rule: a covered entity must implement it where reasonable and appropriate, or document why it is not and what equivalent measure is used instead.
“Cybersecurity is everybody's responsibility, including frontline clinicians,” says Greg Garcia, executive director for cybersecurity with the Healthcare Sector Coordinating Council, a coalition of industry associations and members that addresses security and resiliency challenges facing health care. “This existential threat that we’re facing is something that is very well recognized by our policymakers. We have a number of members of Congress introducing new bills and adding more regulations to the quiver of arrows in the HHS arsenal.”
Mr. Garcia and Dr. Dameff promote strategies that can assist health-care stakeholders in becoming more aware of their cyber surroundings. They both recently participated in an open online forum hosted by the American Medical Association that discussed how to navigate the complexities of cybercrime.
Risks and Red Flags
Most malware and ransomware intrusions start in the inbox. According to the 2024 Data Breach Investigations Report4 published by Verizon Business, more than 90% of these attacks stem from communications found in inboxes.
“One of the most successful ways that hackers disrupt systems and steal data is through email phishing,” says Dr. Dameff. “This requires a persuasive, well-written email. The most common vector is exploiting people, not exploiting technology. It’s tricking people into giving over their passwords and their usernames. Phishing is a huge threat.”
Whether through in-house training or collaboration with independent consultants, today’s practice managers should ensure that all employees are educated about the signs of a malicious email. Any message that asks the reader to click a link or open an attachment should be carefully vetted before either is done. Other common indicators of a dangerous email include:
- Poor grammar and/or spelling
- A generic greeting (“Dear Sir or Madam”) in place of the recipient’s name
- A lack of verifiable contact information
- A sender domain that does not match the organization the sender claims to represent
This last tactic, brand impersonation, pairs a look-alike or unrelated sender domain with the logos, graphics and layout of the organization being spoofed, and it has become much more common recently.
“We all need to have a greater level of awareness, suspicion and paranoia to stop ourselves [from engaging with these messages],” Mr. Garcia stresses. “There are ways that you can simply double-check to be sure you’re not doing the wrong thing.”
This includes verifying any web address contained in the message without clicking it: open a browser and navigate to the organization’s known address (or look the organization up in a search engine), then check whether the alert or request is real. Hovering over a link to see where it actually points, rather than the address it displays, is another quick check. “Go to [a web browser] to see if it’s real,” Dr. Dameff advises.
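The indicators listed above, and the mismatch between a link’s displayed address and its real destination, can be checked mechanically before a message ever reaches a reader. The following checker is an added example, not code from the article or from any organization it mentions; it uses only the Python standard library. The KNOWN_ORGS allowlist, the `.example` domains and both sample messages are constructed for illustration, and a real deployment would load the allowlist from the practice’s own records of who legitimately emails it.

```python
"""Heuristic phishing-indicator checks over raw email messages (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organization name as it would appear in a display name (lowercase) -> domains it really
# sends from. Constructed for this example; a practice would maintain its own list.
KNOWN_ORGS = {
    "first national bank": {"firstnational.example"},
    "medsupply": {"medsupply.example"},
}

GENERIC_GREETING = re.compile(r"\bdear\s+(sir|madam|customer|user|member)\b", re.I)
# A hostname-looking token inside visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address):
    """Lowercase domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return human-readable findings for one RFC 5322 message; [] means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Display name claims an organization whose real domains do not include the sender's.
    for org, domains in KNOWN_ORGS.items():
        if org in display_name.lower() and from_domain not in domains:
            findings.append(f"display name claims '{org}' but mail comes from {from_domain}")

    # Replies would go to a different domain than the one the mail came from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # Generic "Dear Sir or Madam" greeting instead of the recipient's name.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""
    if GENERIC_GREETING.search(body_text):
        findings.append("generic greeting instead of the recipient's name")

    # Link text shows one host while the href actually points somewhere else.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = LinkExtractor()
        parser.feed(html_part.get_content())
        for text, href in parser.links:
            real_host = (urlparse(href).hostname or "").lower()
            shown = HOST_IN_TEXT.search(text)
            if shown and real_host and shown.group(1).lower() != real_host:
                findings.append(f"link text shows {shown.group(1)} but points to {real_host}")

    return findings


# Constructed sample messages: one impersonation attempt, one routine vendor notice.
PHISH = """\
From: First National Bank Security <alerts@fn-secure-login.example>
Reply-To: recovery@mailbox-relay.example
To: office@eyeclinic.example
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Sir or Madam,</p>
<p>Your account has been limited. Confirm your details at
<a href="http://firstnationa1.example/verify">https://firstnational.example/verify</a>
within 24 hours.</p>
</body></html>
"""

LEGIT = """\
From: MedSupply Orders <orders@medsupply.example>
To: office@eyeclinic.example
Subject: Order 4417 shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Dr. Rivera,</p>
<p>Track your shipment at <a href="https://medsupply.example/track/4417">medsupply.example/track/4417</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

Run against the constructed samples, the impersonation message trips all four checks (claimed organization versus sender domain, mismatched Reply-To, generic greeting, and a link whose visible address differs from its target) while the vendor notice trips none. The host comparison is deliberately exact rather than clever; a production filter would also compare against a public-suffix list and catch look-alike domains, but the point here is that the discrepancies a reader is told to look for are the same ones a mail gateway can flag.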
Admittedly, detecting phishing attempts could become increasingly challenging as more hackers presumably start using AI to develop their scams.
“With AI, we haven't even begun to understand how it would really impact cybersecurity,” says Dr. Dameff. “But AI can supercharge [phishing emails]. No longer are you going to have typos; it’s going to be perfect-looking. I think AI is going to … reduce the amount of effort it takes to execute very sophisticated attacks that we have not yet even seen.”
Another newer means of committing online theft is “cybercrime as a service,” a model in which threat actors sell or rent attack capabilities to other criminals, who then launch malicious software attacks themselves or hire out to launch them on others’ behalf.
Also complicating security at present is the current unrest happening around the world, particularly the war between Russia and Ukraine and the Palestine and Israel conflict, says Dr. Bovelle.
“The way that threat actors fund these wars, oftentimes, is through cyberattacks — such as ransom attacks and other means,” she explains. “Wars indicate more likelihood of a rise in cyberattacks. The attacks can be domestic or international. They can come from all over the world.”
Regardless of the routes taken for any cyberattack, Dr. Bovelle believes that the elimination of as many potential threats as possible must start at the top level of leadership through emphasizing best practices.
“Threat actors will find doors that you leave open to worm their way through for access,” she says. “And the first red flag will be with leadership. Whether it’s a small office or a large practice, leadership has to care about cybersecurity. If leadership doesn’t make it a priority, nobody else is going to either.”
Dr. Bovelle suggests these everyday strategies:
- Using multifactor authentication for everyone who can access patient data
- Applying software updates promptly whenever the programs alert that one is available
- Running a separate WiFi network, such as a guest network in patient areas, for internet use that does not involve access to patient data
- Creating written cyber policies that promote safety, such as prohibiting the sharing of employee passwords and requiring firewalls on workstations
- Directing staff to use their personal mobile devices, not practice systems, for internet access unrelated to work
Practices can also take more comprehensive measures to protect themselves for the long term, such as establishing business associate agreements with all vendors who have access to e-PHI and PHI (HHS provides guidelines and a sample agreement on their website3) and contracting with independent information technology (IT) and cybersecurity professionals.
“We have accountants not because we aren’t capable [of managing money], but because tax laws are constantly changing — and, again, we’re all busy [caring for patients],” Dr. Bovelle points out. “So, we hire specialists. It should be the same with cybersecurity.”
Insuring the Future
Similarly, Dr. Bovelle urges all practices to purchase third-party cyber liability insurance and to perform regular security risk assessments and vulnerability testing; HHS offers a Security Risk Assessment Tool as a starting point.5
“If you have a data breach that affects more than 500 individuals, you may have to report it to the OCR,” she says. “This negative publicity can have a detrimental effect on a practice or medical institution, and remediation costs may include fines, credit monitoring service fees and repair of computer infrastructure. Other issues are reputation management, poor morale and employee churn. Practices have gone out of business due to cybercrime. We should all have cybersecurity insurance to provide a financial cushion.”
Various types of this coverage are available, according to Russell A. Swain, CIC, senior partner with the Alera Group Inc., a national insurance and risk management firm that works with numerous clients in the ophthalmology sector.
“There are opportunities to obtain coverage whether you’re a large or small practice,” Swain says. “It’s a very complex coverage, but we find the right coverage for the exposure that the client has. We work with a number of group-purchasing organizations and we offer bundle types of programs. As risk grows, we look to go to specialized carriers.”
While costs will vary depending on business size, location, stored data and potential claim history, both Swain and his fellow senior partner at Alera Group, Scott Edlin, say the costs are easily justified given the consequences that cyberattacks can bring to victims.
“If a practice wants to try to manage risk by just implementing best practices for cybersecurity protection, you’re still exposed for having an incident,” says Swain. “If you have an incident and don’t have protection, you could have a significant loss, depending on what your patient or client size is.”
Consider the recent attack on Change Healthcare, an incident that reportedly affected 100 million individuals and is estimated to cost more than $2 billion to recover from.6
“We’re talking about databases that are housing every type of protected information that you can have,” says Edlin, who also suggests independently contracting with cyber experts to improve system security. “If you’re to be attacked, the insurance represents only the money part of it. But getting your business protected and your systems safe is another big part of this. We don’t believe there are enough individuals who are slowing down enough to manage everything here. If major companies can be shut down, there could be practices within this industry experiencing a world of hurt if an attack happens to them.” OM
References
- U.S. Department of Health and Human Services. HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000. Published Oct. 31, 2024. www.hhs.gov/about/news/2024/10/31/hhs-office-for-civil-rights-settles-hipaa-ransomware-cybersecurity-investigation-for-90000-dollars.html. Accessed Nov. 13, 2024.
- U.S. Department of Health and Human Services. Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services. Published December 2023. https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf. Accessed Nov. 13, 2024.
- U.S. Department of Health and Human Services. Summary of the HIPAA Security Rule. Last reviewed Oct. 19, 2022. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. Accessed Nov. 13, 2024.
- Hylender CD, Langlois P, Pinto A, Widup S. Verizon Business 2024 Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/Taf9/reports/2024-dbir-data-breach-investigations-report.pdf. Accessed Nov. 13, 2024.
- Assistant Secretary for Technology Policy, Office of the National Coordinator for Health IT. Security Risk Assessment Tool. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool. Accessed Nov. 14, 2024.
- Adler S. Change Healthcare Cyberattack Affected 100 Million Individuals. The HIPAA Journal. Published Oct. 24, 2024. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack. Accessed Nov. 14, 2024.