By John Southrey, CIC, CRM
I write regularly about cyber risks in health care. So it was no surprise when I was recently notified of a ransomware attack at a medical practice where I’m a patient. The provider’s notification letter cautioned:
“We are writing to inform you of a data security incident at _________ that may have resulted in the potential disclosure of your medical and personal information . . . Our investigation indicates that your personal information may have been impacted by the ransomware, including your name, address, date of birth, Social Security number, and medical information . . . we have taken steps to prevent a similar event from occurring in the future, including improving our network security, updating our system backups, and retraining our employees regarding suspicious emails and patient privacy and security.”
Lost or stolen health care data can remain exposed to misuse for years. It could be used for medical identity theft or to alter patient records, so protecting it is critical. For many medical practices, however, cyber security extends no further than updating computer hardware and installing critical software patches.
Doing more to protect patients’ health information may be considered unnecessary (“I’m too small to be a target”) or too expensive and disruptive to the practice. So discussions about enhancing data security best practices — such as using endpoint encryption and application control along with workforce security training — may go unheeded.
So how can a practice know what its actual cyber risks and vulnerabilities are? Without a comprehensive risk assessment, it can’t. In such cases, a practice’s cyber security often becomes an idiosyncratic configuration assembled from disparate sources. And without an external assessment, there is little opportunity to develop an advanced understanding of the broad attack surface in health care and of the need for a multi-layered security approach to combat emerging cyber threats.
The usual malware entry point is through social engineering techniques that use phishing emails designed to trick users into providing system access. Unfortunately, these types of ploys have a high success rate because the health care industry is known to be behind in cyber security and because employees are known to be the weakest link.
Attackers use a broad range of vulnerabilities and exploits. Simply installing the latest software patches to prevent exploitation is not enough. The URL (web link) filter installed on the practice’s server might block an employee from visiting a malicious site. If this layer of security fails, the practice’s system is exposed to the exploit.
Sometimes a practice’s system is not equipped to detect certain threats. More sophisticated attacks exploit vulnerabilities in a software program that are not yet known to the vendor (a “zero-day vulnerability”), so the attack can go undetected until the vendor learns of the flaw and releases a fix.
According to the Ponemon Institute’s research, 90% of health care organizations have experienced a data breach involving the loss or theft of patient data in the past two years. (1)
To proactively mitigate data breaches, medical practices need up-to-date policies and procedures and robust cyber security protocols. These include the ability to block exploit-based attacks and make any detectable cyber threat go through layers of protections, including a “human” firewall of trained staff who can react to social engineering ploys.
Ultimately, practices must accept cyber threats as a serious business risk and dedicate resources to mitigating them. The clinical dependency and interconnectedness in modern health care has created a digital quagmire — and regardless of how strong a practice’s cyber security defenses are — cyber criminals will always seek a way inside.
1. Ponemon Institute. Sixth annual benchmark study on privacy and security of healthcare data. May 2016.
For further reading
Office for Civil Rights. My entity just experienced a cyber-attack! What do we do now? A Quick-Response Checklist from the HHS, Office for Civil Rights (OCR). Available at https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf. Accessed June 28.
Department of Health and Human Services. Cyber attack quick response. Available at https://www.hhs.gov/sites/default/files/cyber-attack-quick-response-infographic.gif. Accessed June 28.
Health Care Industry Cybersecurity Task Force. Report on improving cybersecurity in the health care industry. June 2017. Available at https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
TMLT remains committed to sharing information with our policyholders on how to protect their sensitive data. Below are three case studies that describe actual cyber claims reported to TMLT. The ultimate goal in publishing these studies is to help physicians respond appropriately to ransomware attacks.
Ransomware case study 1
A practice manager for a small specialty group opened an email attachment and immediately noticed that she could no longer open any files on her computer. She received a pop-up alert with a ransom demand. She contacted IT staff who advised her on initial steps to take.
During IT’s investigation, they found that several months had passed between the last system backup and the ransomware attack. A significant amount of patient data would not have been retrievable from backup, so the group reluctantly decided to pay the small ransom.
Three weeks later, the same employee received another ransomware notice. Again it was decided to pay the ransom, which had doubled in amount since the first attack.
Prompted by the second ransom attack, the group changed its backup process to ensure that current backups would always be available. It also added layers of cyber security and trained staff on how to avoid phishing emails.
Because this incident happened before HHS requirements for reporting ransomware attacks, it was not reported as a breach to the practice’s cyber insurance carrier.
While traditional IT security includes firewalls and antivirus software, these tools no longer provide enough protection. Cyber criminals can bypass IT security, enabling them to pose as authorized users and gain unlimited access to networks. Finding the right solution to these vulnerabilities includes becoming smarter about data protection and privacy issues and educating your workforce not to click on suspicious links.
Ransomware case study 2
A medium-sized medical practice was unable to access its legacy practice management system. When IT was called, they reported a ransom demand on the server. IT staff took down the entire network to prevent the spread of the ransomware beyond the known server. A new server was restored from backup. Within two days, the practice was functioning normally.
This case demonstrates two important factors:
1. The importance of having a current and complete backup of all your data and a data recovery plan in place;
2. The importance of notifying your cyber liability carrier immediately to help you conduct the required risk assessment.
The infected server was examined to determine if protected health information (PHI) had been accessed and exfiltrated. The risk assessment to determine whether there is a low probability of compromise of the PHI must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. The HHS fact sheet “Ransomware and HIPAA” can help determine if a security incident or ransom attack constitutes a HIPAA breach.
Conducting frequent backups and ensuring the ability to recover data is crucial to recovering from a ransomware attack and ensuring the integrity of PHI. Test restorations should be conducted regularly.
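As an added example (not from the article or from TMLT), the following Python check covers the two lessons above: it flags a backup as stale when it is older than a daily policy, the failure that made case study 1 pay the ransom, and it verifies a test restoration by comparing restored file contents against the hashes recorded at backup time. The 24-hour policy, file names, dates and manifest are constructed for illustration.

```python
"""Backup freshness and test-restore verification.

Added example, not the article's or TMLT's code. The 24-hour policy,
file paths, dates and sample contents below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(hours=24)  # assumed policy: at least one backup per day


@dataclass
class BackupRun:
    completed_at: datetime
    manifest: dict[str, str]  # file path -> SHA-256 of its contents at backup time


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def backup_age_ok(runs: list[BackupRun], now: datetime) -> tuple[bool, timedelta]:
    """Return (within_policy, age_of_newest_backup); no runs at all is a failure."""
    if not runs:
        return False, timedelta.max
    age = now - max(r.completed_at for r in runs)
    return age <= MAX_BACKUP_AGE, age


def verify_test_restore(run: BackupRun, restored: dict[str, bytes]) -> list[str]:
    """Compare a test restoration with the backup manifest; empty list means it matched."""
    problems = []
    for path, expected in run.manifest.items():
        if path not in restored:
            problems.append(f"missing after restore: {path}")
        elif sha256_bytes(restored[path]) != expected:
            problems.append(f"content mismatch after restore: {path}")
    for path in sorted(restored.keys() - run.manifest.keys()):
        problems.append(f"unexpected file in restore: {path}")
    return problems


# Constructed sample: a months-old backup run and a restore with one corrupted file.
ORIGINAL = {"pm/patients.db": b"patient table v1", "pm/schedule.db": b"appointments"}
LAST_RUN = BackupRun(datetime(2017, 3, 1, 2, 0), {p: sha256_bytes(c) for p, c in ORIGINAL.items()})
RESTORED = {"pm/patients.db": b"patient table v1", "pm/schedule.db": b"appointmentZ"}
NOW = datetime(2017, 6, 12, 9, 0)  # constructed "current time" for the check

if __name__ == "__main__":
    ok, age = backup_age_ok([LAST_RUN], NOW)
    print(f"newest backup is {age.days} days old; within policy: {ok}")
    for problem in verify_test_restore(LAST_RUN, RESTORED):
        print("RESTORE CHECK:", problem)
```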
Ransomware case study 3
A physician’s staff returned from lunch to find their network encrypted. Forensic IT specialists were unable to determine if ePHI had been accessed or exfiltrated. The assessment concluded that this incident was a breach, and 30,000 patients were notified. The costs of the forensic investigation, the breach notification process, and legal fees have exhausted the practice’s cyber policy limits. The physician is now responsible for the remaining legal costs related to the OCR investigation.
Before this incident, the physician believed that his practice was too small to be hacked, insisting “who would want my data?”
The practice has now invested heavily in new IT, cyber risk management, and cyber security services. An OCR investigation is underway, which will lead to additional work for practice staff.
Physicians and employees are the greatest vulnerability when it comes to ransom attacks; simply clicking on a link, opening an attachment or using weak or infrequently changed passwords can be the beginning of a long and costly process for practices.