For small medical offices, cyber risks loom
Hackers target large hospitals for the same reason John Dillinger robbed banks: It's where the money is.
“If we looked at each industry and asked ‘which one has the most data,’ health care is the biggest one,” said Jesse Biretz, vice president of James B. Murdoch Insurance Group brokerage firm in Hampden Township.
It’s a threat big hospitals are well aware of, said Biretz. But as those hospitals hire full-time teams devoted to network security, Biretz and others are warning small, independent practices they face many of the same risks and many don’t realize it until they’ve suffered a breach.
“They don’t understand how big a deal it is yet,” said Biretz.
Small medical practices face multiple vulnerabilities, including outdated medical software and staff often left untrained in how to avoid phishing scams or use safe passwords — practices network security experts call “cyber hygiene.”
James Murdoch Insurance sells cyber liability insurance plans for businesses, but Biretz notes many companies aren’t willing to prioritize it.
“I insure a local independent firm. They do about $45 million in revenue and I put together a cyber package that included everything they’d run into up to $4 million,” said Biretz.
The annual premium came to $32,000, which the company decided was too high a price. “They never experienced a breach in the past, so they have no benchmark,” said Biretz.
Biretz said his best customers are those who have already experienced a breach, but by then the company has already endured a loss of money and a loss of trust among their patients.
Which is to say nothing of the legal liability a practice may face.
“When you have a breach, not only do you have an immediate hit to your revenue because you can’t conduct business, but the attorney general gets involved for all the states your clients lived in and they impose many, many steps that have to be followed to inform your clients but also any fines they might impose,” said Biretz.
The Health Insurance Portability and Accountability Act — or HIPAA — enforces standards for the security of any identifying medical data a hospital obtains from a patient. Health care workers know HIPAA as the reason they cannot keep client records where others may see them or give patient data to another practice without a release signed by the patient.
“What the HIPAA security rule requires is there are technical standards the provider is implementing, that there are administrative standards the provider is implementing, and integrity standards that the provider is implementing,” said Elizabeth Melamed, an associate at Lancaster-based law firm Barley Snyder who provides legal counseling to firms on cyber security and liability.
HIPAA also regulates how a practice responds to a breach. Practices must contact the appropriate law enforcement, which can include local police and the FBI, as well as show evidence of steps taken to close the vulnerability.
Health care providers who discover a breach affecting more than 500 patients have 60 days to disclose it to the Office of Civil Rights in the Department of Health & Human Services. OCR then publishes details of the breach on its website.
The causes for these breaches can vary: a stolen laptop needs to be reported the same as a major ransomware attack. But fines start at $100 per incident and go up to $50,000 per incident, depending on how willfully neglectful investigators found the practice to be and what security measures the practice put in place after the breach.
The standards enforced by HIPAA, said Melamed, act on a “sliding scale.” Large hospitals are held to a higher standard of security and response than are small practices.
“It depends on the resources the provider has and the reasonableness for having certain standards and certain processes in order,” said Melamed.
Still, a breach at a small practice can have a much larger impact than some might expect.
The two largest breaches in Pennsylvania listed by OCR in the past year were reported by midsize medical networks. Over 93,000 patients’ data was involved in an incident at Lower Paxton Township-based Harrisburg Gastroenterology in April of last year.
While the incident is listed by OCR as a hack, the practice said it simply couldn’t identify activity on its servers.
“We had no proof of the data breach, we just had activity we couldn’t define,” said Melissa Seachrist, practice administrator for Harrisburg Gastroenterology. The company disclosed the activity to make sure they were complying with OCR’s standards.
“There was activity in our system that we couldn’t identify, and you only have so long to report a breach. It could’ve been the EMR we use, they work through the night on our systems. They could have gone into a place they shouldn’t be. It was never really defined,” said Seachrist. An EMR, or electronic medical record, refers to data management software used by medical practices to retain patient data.
In May, a reported hack against Women’s Health Care Group of Pennsylvania affected over 300,000 patients. The company, which operates 45 locations in southeastern Pennsylvania and New Jersey, merged with Montgomery County-based Axia Women’s Health Management in April 2017.
While the company did not respond to multiple requests for comment for this article, they released a statement detailing the extent of the hack. The website hosting the statement has since been removed, but an archived version details the extent of the breach.
After discovering a ransomware virus, reads the statement, the practice “immediately removed the infected server and workstation from our network and began an investigation with the assistance of an expert computer forensics team to determine how the virus made it onto our systems and the extent to which the virus may have affected any of our data.”
After also contacting the FBI, the practice learned the virus had access to servers for four months before being discovered. While financial information was spared, the virus may have had access to Social Security numbers, insurance information, medical diagnoses and pregnancy status.
“Maintaining the integrity and confidentiality of our patients’ personal information is very important to us. We’re conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future,” the company said.
Breaches like these come not through technical wizardry, but often through social engineering — manipulation of people’s trust — on the part of the hacker.
It’s one reason practices like Davenshire Medical Center in Dover Township implement routine checkups on best practices to ensure staff are doing their part to protect patient data.
“We have a checklist we try to do every quarter. Are we having any problems? Have we had any breaches of confidentiality, no matter how minor it is?” said Robin Terry, practice manager at Davenshire.
The practice, which employs 19 people including four providers, sees 1,600 patients a month. It knows the benefits of keeping employees informed.
“That’s some of the things we try to do: Limit their usage of the kinds of sites they can go on, opening that door and making us vulnerable. We’re required to change our passwords at the minimum of 90 days, not using the same password, not sharing with anybody,” said Terry.
Chad Nagle, owner and president of Alliance Business Technologies in Swatara Township, which helps clients like Davenshire manage their network security needs, described a common scam whereby a hacker sends an email to a doctor posing as a patient.
“If he replies to that and the email is fake, [the hacker] steals his signature and can send emails to pharmacies, to other doctors, looking like the doctor,” said Nagle.
From there, said Nagle, the hacker can send fake files and fake links meant to install malware on the business’s computers. That malware then broadcasts the data to a third party.
Nagle referenced a recent attack on an Indiana hospital, which froze the hospitals’ network until it paid a $50,000 ransom in the form of four bitcoin.
“We can have the best plans in place. Hospitals have regulations they have to abide by. Their IT department is working full time to make sure they weren’t hacked — and they were still hacked,” said Nagle.
Midstate practices that have recently joined larger health networks can take solace in Biretz and Nagle’s one assurance: There is safety in numbers.
“The downside is everything is in one area,” said Biretz. “So if that there were to be a vulnerability, access to everything would be available.”
But big health networks can often afford a level of security prohibitively expensive to independent practices.
“The benefit to that is buying power and expertise. Let’s say I’m ABC Medical Practice and I’ve got five providers. I can invest maybe 20 percent of my bottom line in security. But when I join a group like UPMC Pinnacle, the financial security buys me so much more [network] security,” said Biretz.
Nagle concurs, noting many small companies Alliance works with make Alliance’s job easier by joining a large network of electronic medical records, or EMR. When a practice uses an EMR system — like Epic, Allscripts or Cerner — the software company is responsible for ensuring the integrity of patient data it stores for its customers.
But, said Nagle, medical practices also retain the kinds of data other small businesses do, including employee files and the business’s financial records.
“Anything they’re using to grow their business that does not fall inside that EMR platform, we want to make sure that data is encrypted,” said Nagle.