Who is an easy target?
Cyber criminals look for easy targets, said Ms. Hughes. “A lot of threat actors are not targeting a specific practice – they’re simply throwing out a net and looking for vulnerable systems on the Internet.”
Small medical practices are particularly vulnerable to ransomware attacks because they lack the resources to pay for dedicated IT or cyber security staff, said Ms. Hughes, who oversees security for more than 800 outpatient practices. They’re not replacing outdated or unsupported equipment, applying regular “patches” that fix, update, or improve operating systems, application software, and Internet browsers, or using password controls.
As large practices or health systems acquire medical practices with different EHR systems, security can be more challenging. “Our goal at Northwell is always to get them onto our standard platform, where we use best practices for technology and security controls,” Ms. Hughes said. “In the world of security, having fewer EHR systems is better so there are fewer things to watch, fewer systems to patch, and fewer servers to monitor. From our point of view, it makes sense to have a standardized and streamlined system.”
Still, some practices may feel strongly about using their EHR system, she said. When that happens, “We at least bring them up to our security standards by having them implement password controls and regular patches. We communicate and collaborate with them constantly to get them to a more secure posture.”
Cyber security lapses may have increased during the pandemic when practices had to pivot rapidly to allow administrative staff to work remotely and clinical staff to use telehealth with patients.
“In the rush to get people out of the building during the pandemic, health care organizations bent many of their own rules on remote access. As they moved quickly to new telehealth solutions, they skipped steps like auditing new vendors and cyber-testing new equipment and software. Many organizations are still cleaning up the security ‘exceptions’ they made earlier in the pandemic,” said Mr. DeFord.
Hackers are sophisticated criminals
“The version of a hacker a lot of us grew up with – someone in a basement hacking into your environment and possibly deploying ransomware – isn’t accurate,” said Mr. DeFord. What experts know now is that these cyber criminals operate more like companies that have hired, trained, and developed people to be stealth-like – getting inside your network without being detected.
“They are more sophisticated than the health care organizations they often target,” added Mr. DeFord. “Their developers write the encryption software; they use chatbots to make paying the ransom easy and refer to the people they ransom as clients, because it’s a lucrative business,” he said.
These groups also have specialized roles – one may come in and map your network’s vulnerabilities and sell that information to another group that is good at extracting data and that sells that information to another group that is good at setting off ransomware and negotiation, said Mr. DeFord. “By the time a ransomware attack occurs, we often find that the bad guys have owned the network for at least 6 months.”
Patient records are attractive targets because the information can be sold on the dark web, the part of the Internet that’s unavailable to search engines and requires an anonymous browser called Tor to gain access, said Ms. Hughes.
Criminals steal patient identifiers such as Social Security numbers and birth dates, payment or insurance information, as well as medical histories and prescription data. Other people buy the information for fraudulent purposes, such as filing false tax returns, obtaining medical services, and opening credit cards, said Ms. Hughes.
Lately, criminal gangs appear to be targeting the IT or EHR systems that practices rely on for clinical care and making them unavailable. By locking EHR files or databases and holding them for ransom, criminals hope practices will be more likely to pay, said Ms. Hughes.
They also don’t want to get caught, and this tactic “gets them in and out faster” than extracting and posting patient data, although criminals may use that as a threat to extort a ransom payment, she said.