
Cybercrime & Healthcare

Cybercrime is one of the “newest” forms of criminal activity, and arguably one of the scariest. That is because these incidents are stealthy and their outcomes can be catastrophic. Criminals need only a few bits of personal information to take over your entire life, and healthcare providers are a prime target for gathering the kind of data needed.

What Is Cybercrime?

Cybercrime is any “criminal activity or a crime that involves the Internet, a computer system, or computer technology.” In 2019, there were 1,473 recorded data breaches in the U.S., exposing 164.7 million sensitive records such as medical, social security, and bank account information. Though data breaches have occurred for years, the new digital world makes access easier for many criminals.

Cybercrime costs the financial industry the most annually, causing an average loss of $28 million during 2015. Worldwide, identity theft is the most common type of data breach incident, accounting for 59 percent of all global data breach incidents in 2016, but real estate, investment, and spoofing racked up nearly $3.6 billion in losses for those who were hacked. From 2018 to 2019, the amount of monetary damage caused by reported cybercrime jumped from $2.7 billion to $3.5 billion. With this steep increase, the total cost of cybercrime is estimated to reach $6 trillion annually by next year.

Healthcare Cybercrime

As healthcare modernizes its operations through interconnected technologies, it creates tempting targets for cybercriminals. In fact, the number of ransomware attacks on the healthcare industry has quadrupled since 2017. Ransomware is a type of malware that locks valuable digital files and demands a ransom to release them. It is often concealed in an email addressed to a person who then clicks on a seemingly harmless attachment. Once that attachment is opened, the malware is set free on the receiver’s computer and can begin locking or encrypting files.

Cybercrime In Optometry

Earlier this year, the American Optometric Association shared the story of Joe Ellis, OD, a Kentucky optometrist whose practice fell victim to a ransomware attack. A day that started out like any other came to a shocking halt when Dr. Ellis’s managing partner called him explaining that they had been hacked.

After debating and discussing with experts, Dr. Ellis and his practice agreed to pay the requested ransom, which was $1500 in bitcoins, a cryptocurrency that can be exchanged digitally. They were immediately sent a code to decode the encryption and regain access to their computer systems. However, the ordeal was not over. That’s when IT dug into every inch of the network to ensure there was not a trace of malware or virus left for the hackers to get back in.

Records were reviewed, and luckily, none seem to have been breached. But that’s little comfort to Dr. Ellis now. This incident made him realize how vulnerable his practice and every other person are to these kinds of attacks.

“I don’t think Americans truly understand this threat and how commonplace it’s really become. Nobody is safe from this.”

They have since installed a SonicWall to protect against and monitor hacker attempts, which average 1000+ a day. This calls attention to the desperate need for updated IT systems, firewalls, security protocols, and other protective measures for the healthcare industry.

Consider All Angles

Although ransomware is becoming more and more common in healthcare, Shaji Khan, Ph.D., director of the cybersecurity institute at the University of Missouri-St. Louis, a National Security Administration/Department of Homeland Security Center of Academic Excellence in Cyber Defense Education, warns,

“…it’s important for small and large companies to take seriously the not-so-glamorous side of security, too…it’s the simple things that often land organizations in trouble. For instance, poor configuration of systems, password re-use, poor management of paper records, not understanding how vendors of all types of products and services may pose a risk to the clinic. Additionally, [Internet of Things (IoT)] devices in the clinic connected to local networks and the internet must be carefully configured and managed. This goes for any device, be it clinical to the cool new thermostat or coffee maker.”

Next Steps for Security

Marc Haskelson, CEO of Compliancy Group, an AOAExcel® Endorsed Business Partner, shares this list to help get optometrists and other healthcare providers started on their security updates.

  1. Have strong passwords or passphrases and don’t reuse them.
  2. Restrict access or user privileges to certain software – everyone doesn’t need admin privileges.
  3. Keep anti-malware or anti-viral software up to date.
  4. Filter spam and attachments (.exe, .zip), and don’t open any email/attachment that may seem suspicious or you weren’t expecting. If you have concerns/questions, contact your IT provider.
  5. Don’t download anything from the internet that you don’t 100% trust. Dr. Ellis’s practice was infiltrated through an employee’s computer after he/she downloaded a few files from an online source.
  6. Run the latest version of Windows and be mindful of Microsoft’s end-of-support schedule (when older software versions of Windows won’t be supported or protected by Microsoft anymore).
  7. Discuss safe email and online use protocols with staff. If they don’t know what to look out for or how to surf safely, they can become part of the problem.
  8. Plan and enact a foolproof backup plan for a speedy recovery. Back up and encrypt every file, Haskelson says. Encryption helps keep patient information protected even if you’re hacked, and backups help you get back up and running quickly after a hack.
  9. Ensure you’re HIPAA compliant.