• Practice Perfect

    Ransomware 101—Hackers Are Trying to Take Your Practice Data Hostage

    Written By: Leslie Burling-Phillips, Contributing Writer, interviewing Janet A. Betchkal MD, Jeffery Daigrepont, EFMP, CMPE, and Ravi D. Goel, MD

    Download PDF

    Many physicians and adminis­trators are familiar with the data lockdown that occurred at Hollywood Presbyterian Medical Center in California last year, when some of the hospital’s systems were hit by hackers who demanded a bitcoin ransom in exchange for unlocking their data. Until a $17,000 ransom was paid, the facility was forced to revert to paper records to manage patient care.

    Unfortunately for small and mid­sized practices, hacking is no longer limited to large institutions. “Because so many companies have already been hacked, you should go to work every day with the assumption that your data has been compromised. If you have not yet been a victim, it is only a matter of time before you are identified as a target and a cybercriminal tries to fig­ure out how to delve deeper into your personal information,” warned Jeffery Daigrepont, EFMP, CMPE, senior vice president at Coker Group, an Atlan­ta-based health care advisory firm.

    What is ransomware? Ransomware is covertly installed malware (malicious software) that prevents you from accessing data stored on a computer system. You will be offered a decryption key to regain access if you pay a ransom.

    Aim to avert attacks, but also pre­pare for the worst. Despite your best efforts to ward off ransomware attacks, prevention is not always possible. Even if you keep up with the latest soft­ware, you may not always be protect­ed. Malware mutates so quickly that antivirus programmers cannot always keep up with the changes, said Janet A. Betchkal, MD, whose solo practice in Jacksonville, Florida, was hacked in 2015 (see “A Glaucoma Practice Is Targeted,” below). And once you have been hit, the likelihood for subsequent attacks increases.

    A Glaucoma Practice Is Targeted

    Dr. Betchkal knows all too well the havoc that can be wreaked after malware infiltrates a computer system.

    Lightning strikes twice. “We were hacked twice in 2015 by 2 different cybercriminals—the first used Cryptowall 3.0 and the second used DMA Locker. We were forced to pay a ransom to unlock our data, and in both cases, the ransom doubled before the payment could be delivered. I had 397,000 doc­uments stored and felt like I had no choice other than to pay the ransom to regain access to my data.” This occurred even though her employees had recently performed a security risk assessment, and the practice tentatively met the relevant requirements of the EHR meaningful use program.

    Pinpointing the cause. “The first attack occurred when an employee opened a job applicant’s resume,” she said. The cause of the second incident remains uncertain, but it is thought that a medical supply order placed with a trusted vendor via the internet was intercepted by a hacker who had tapped into their system.

    Who Hacks and Why

    It is not like the movies. “People often think of hackers as they are portrayed in the movies—as sophisticated code-cracking geniuses running high-end programs designed to crack top-secret government codes. In reality, cyber­criminals typically engage in low-tech endeavors predicated on catching their victims off guard. They look for quick hits and generally only spend a few hours attempting a hack before they move on to another unsuspecting individual or organization,” said Mr. Daigrepont.

    Hackers may consider your prac­tice to be low-hanging fruit. Hackers’ success is contingent on exploiting weaknesses. “They have discovered that smaller practices and groups do not consistently have the level of invest­ment to protect themselves like larger entities do. As a result, smaller practices may cut corners with hardware, soft­ware, and IT [information technology] support staff,” said Mr. Daigrepont. For small companies, hackers set a relatively low ransom—usually under $5,000—which victims can, and do, pay, he said. For the hacker, those smaller amounts add up quickly as the hacker strikes multiple sources.

    Key Terms

    Bitcoin—digital currency that appeals to extortionists because it enables them to maintain anonymity when receiving payment

    Cybersecurity—the protection of computer hardware, software, and data from intentional or accidental theft or damage

    Dark web—similar to the world wide web but requires special codes, configurations, or authorization to enter and is used for criminal activities, including fraud, illegal pornography, and drug sales

    Malware—software created for the purpose of disrupting computer opera­bility for malicious purposes

    Phishing—technique used by cybercriminals to obtain sensitive information by impersonating a trustworthy source in an electronic communication

    Social engineering—a type of fraud based on the manipulation of individu­als in order to coerce them into revealing personal or confidential information

    Reduce Your Vulnerabilities

    Every practice is susceptible to a ran­somware attack, but a few basic steps can minimize the risks. First and fore­most, every practice should be HIPAA compliant and protect patient data to the greatest extent possible.

    Perform a security risk assessment. Performing a security risk assessment is an excellent place to start when evaluat­ing your practice’s level of cybersecu­rity. Furthermore, if you are participat­ing in the advancing care information (ACI) performance category of the Merit Incentive-Based Payment System, performing a security risk assessment is a required ACI measure. The ACI performance category has replaced the meaningful use program for electronic health records (EHRs).

    Ravi D. Goel, MD, a comprehensive ophthalmologist at Regional Eye Asso­ciates in New Jersey, referred to 7 basic pearls for performing a security risk assessment based on the Centers for Medicare & Medicaid Services’ HIPAA mandates:

    • Define the scope of the analysis.
    • Gather data.
    • Identify potential threats.
    • Assess existing security measures.
    • Determine the likelihood of a threat occurrence.
    • Determine the level of risk.
    • Identify and document improved security measures.

    However, completing this process is the minimum a practice should do to address cybersecurity.

    Do not use personal email accounts. The greatest exposure to ransomware comes from physicians and staff using personal email accounts to correspond with each other within a practice, ac­cording to Mr. Daigrepont. “In partic­ular, do not use Gmail or Yahoo email accounts for practice business. Use a corporate server with a firewall and up-to-date virus protection.”

    Be careful about clicking links and opening documents. Hackers frequently use social engineering techniques such as phishing to trick people into clicking on a seemingly harmless link—and this, in turn, launches a cyberattack. Dr. Goel gave the following example. “In my practice, we look for new techni­cians by posting ads on Craigslist. I used to open those without hesitation until I found out that a practice was hit by ransomware because a ‘potential employee’ emailed a CV [curriculum vitae] via Craigslist. All incoming docu­ments should be scanned with antivirus software and treated as a potential threat.”

    Additional safeguards to consider. Dr. Betchkal, Mr. Daigrepont, and Dr. Goel shared the following tips.

    • Use different passwords for each device, and change passwords often.
    • Create multiple backups and test them regularly to ensure that you can easily restore your system.
    • Store a backup of your system offsite.
    • Consider cloud storage from a ven­dor that meets industry standards and offers comprehensive security protec­tions that can be verified.
    • Purchase insurance that covers cy­bersecurity breaches, and take advan­tage of any staff training offered.
    • Utilize monitoring tools that scan your network in real time to detect intrusions.
    • Enlist the assistance of a consultant.
    • Employ an IT expert to protect your practice. This person should be reach­able 24/7 to quickly address problems.
    • Discuss cybersecurity with your EHR vendor, ask about the vendor’s role in your protection, and implement additional precautions where necessary.

    How to Respond

    In the case of ransomware, you will likely know instantly if you were hacked because the goal of a hacker is to quickly secure a ransom payment.

    Step 1: Shut everything down. “If you are hit by a ransomware attack, the first thing you should do is shut every­thing down and immediately ask your IT employee or contractor to perform a full assessment,” said Dr. Goel.

    Step 2: Buy bitcoins. “The minute you find out you have been hacked, look into buying bitcoins,” said Dr. Betchkal. “Even if you find that you do not have to pay the hacker to unlock your data, put them in an account be­cause obtaining them is difficult.”

    To Pay or Not to Pay?

    It’s up for debate whether a victim of ransomware should pay the fee to restore their data. Mr. Daigrepont shared his concerns about paying a ransom to a cyber­criminal: “If you have a good backup and business continuity, your data was probably compromised and breached, but you can get around making the payment because you can restore your data from your backup. These are not people you can trust, and you should not represent yourself as weak and vul­nerable, which could further embolden the hacker. And, even if a ransom is paid and they unlock your data, they are likely to share your information with the dark web [see “Key Terms”].”

    However, there are times when with­holding the ransom may not be prac­tical. “When you do the math, it may actually be cheaper to pay the ransom than having your IT expert try to figure out a workaround,” said Dr. Goel, who is aware of a case in which a physician was hit with ransomware and refused to pay. His IT service ultimately charged him 2 to 3 times the ransom to unlock and rebuild his system. In addition, he lost a few days of data.

    ___________________________

    Dr. Betchkal is in private practice in Jacksonville, Fla. Relevant financial disclosures: None.

    Mr. Daigrepont is senior vice president at the Coker Group, a nationwide consultancy group based in Atlanta. Relevant financial disclosures: Coker Group: E.

    Dr. Goel is in private practice in Cherry Hill, N.J. Relevant financial disclosures: None.

    See the disclosure key at www.aao.org/eyenet/disclosures.