October is National Cybersecurity Awareness Month, and this year’s focus is on taking proactive steps to enhance cybersecurity at home and in the workplace. So, what better time to take a closer look at the greatest threats facing providers and what you can do to avoid becoming a victim by protecting yourself and your practice!
According to the FTC, the top three scams reported in 2018 were Identity Theft, Imposter Scams, and Debt Collection Scams. The following are typical examples of what companies face on a regular basis:
Scenario 1: Recently, a practice received a call (purportedly) from a healthcare organization seeking to “confirm” some bank account information. The practice provided the information. A few days later, the practice was contacted by a national bank indicating two accounts in the practice’s name would be closed due to insufficient funds. Notably, though, the practice did not have any accounts with that bank. In working with the bank, the practice determined that these accounts were set up only a few days prior, around the same time the healthcare organization called.
Scenario 2: Late on a Friday afternoon, “Betty,” an assistant to the company president, “Joe,” received a phone call from a pleasant man calling himself “Don.” Don asked to speak with Joe, claiming he and Joe were friends. When Joe wasn’t available, Don asked for Betty’s name, which she provided. Don said he would call back the next week and told Betty to have a great weekend.
Don spent the weekend searching out Betty’s social-media profiles, where he found that she had recently attended Joe’s son’s wedding. He downloaded some of the wedding pictures and embedded malicious code in the image files. On Monday, Don sent Betty a friendly email – “Betty, it was nice speaking with you on Friday. I forgot to mention that I attended Joe’s son’s wedding. I got some great photos. Maybe you’re in one. Please let Joe know that I will call him later this week.”
By the time Joe had a chance to tell Betty that he didn’t know anyone named Don, it was too late. Betty opened the wedding photos, and Don had full access to the company systems. Within a few hours, Don had locked down the system and demanded a substantial payment for the access codes.
In each scenario, the company fell victim to a vishing (voice-phishing) scam. This is a common type of social engineering that is becoming more sophisticated and brazen. Thankfully, the issue in Scenario 1 was quickly resolved, but not all victims can say the same. Ransomware attacks like the one in Scenario 2 can result (and have resulted) in practices shuttering their doors. In April of this year, for example, a practice in Southwest Michigan closed after falling victim to a ransomware attack by hackers who prevented the practice from accessing patient medical records and other information needed to operate the practice.
Although the types of scams and the targeted results may differ, pay close attention to what the attacks in the two scenarios above have in common. Neither attack could have been accomplished without someone on the “inside,” even if that person was unaware of their role. Indeed, attacks that are purely technical – i.e., where a “hacker” breaks through external security measures – are somewhat rare and are curtailed by keeping IT security systems updated and properly configured.
So what can your practice do to avoid becoming a victim of a cyber-attack?
1. Train personnel on cybersecurity awareness;
2. Ensure your practice has updated cybersecurity and data-privacy policies, including your policies for regulatory compliance;
3. Ensure your practice’s IT infrastructure is properly updated and configured; and
4. Train personnel on cybersecurity awareness (yes, I said that twice!).
1. Train Personnel on Cybersecurity Awareness
I can’t emphasize enough how important this is. Almost every IT professional will tell you that an organization’s greatest vulnerability is its own users. Sometimes intentionally but usually as the victim of a scam, authorized users allow cyber-criminals to bypass technological security measures with ease. The only way to effectively reduce this risk is to conduct regular, organization-wide training. Until that happens, though, the US Department of Homeland Security provides the following suggestions:
Play hard to get with strangers. Links in email and online posts are often the way cybercriminals compromise your computer. If you’re unsure who an email is from—even if the details appear accurate—do not respond, and do not click on any links or attachments found in that email. Be cautious of generic greetings such as “Hello Bank Customer,” as these are often signs of phishing attempts. If you are concerned about the legitimacy of an email, call the company directly.
Think before you act. Be wary of communications that implore you to act immediately. Many phishing emails attempt to create a sense of urgency, causing the recipient to fear their account or information is in jeopardy. If you receive a suspicious email that appears to be from someone you know, reach out to that person directly on a separate secure platform. If the email comes from an organization but still looks “phishy,” reach out to them via customer service to verify the communication.
Protect your personal information. If people contacting you have key details from your life—your job title, multiple email addresses, full name, and more that you may have published online somewhere—they can attempt a direct spear-phishing attack on you. Cyber criminals can also use social engineering with these details to try to manipulate you into skipping normal security protocols.
Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone or an authenticator app. Another option is a secure token—a small physical device that can hook onto your key ring.
Shake up your password protocol. According to NIST guidance, you should consider using the longest password or passphrase permissible. Get creative and customize your standard password for different sites. This can prevent cyber criminals from gaining access to these accounts and protect you in the event of a breach. Use password managers to generate and remember different, complex passwords for each of your accounts.
Stay Protected While Connected. The bottom line is that whenever you’re online, you’re vulnerable. If devices on your network are compromised for any reason, or if hackers break through an encrypted firewall, someone could be eavesdropping on you—even in your own home on encrypted Wi-Fi.
2. Update your Cybersecurity and Data Privacy Policies and Procedures
Nearly every health care provider must comply with HIPAA’s standards for the exchange, privacy, and security of health information. But when was the last time you looked at your internal policies and safeguards? And have you considered whether the information you store is subject to any other data-privacy laws or regulations? Moreover, are you prepared to respond in the event of a cyber-“incident”? And do you have appropriate cyber-insurance coverage? How would your practice respond to an email compromise or a data breach?
In the event of a data breach or system compromise, you may have a legal obligation under both state and federal law to report the event to regulators and patients, and if so, you must do so on a timely basis. Responding to such an incident with the assistance of counsel is vital, but planning for your response in advance is equally important. While it’s easy to take the “it-will-never-happen-to-me” approach, sitting down with a data-privacy professional to discuss your practice’s risks and exposure and to plan for a future breach will provide substantial peace of mind.
3. Update and Configure your IT Infrastructure
Do you remember that firewall your neighbor’s son helped you install at your office back in 2008? The hacker looking to steal your patients’ data thanks you for your purchase and highly recommends that product. If it’s been more than a year or so since your last IT audit, you should engage a technology firm experienced in healthcare security to review your system for vulnerabilities. While it’s tempting to avoid such a review in light of the potential cost, the cost of a breach will far exceed the cost of the review, particularly if you don’t have an appropriate disaster-recovery plan in place. Moreover, HIPAA requires you to maintain “reasonable and appropriate administrative, technical, and physical safeguards” for protecting electronic protected health information, or “e-PHI,” which necessarily includes keeping your technical safeguards up to date.
Unfortunately, the cybersecurity game of cat-and-mouse will continue for the foreseeable future. It is important to spot the threats and have a planned response.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). His prior experience owning and operating a technology-based business, and his educational background in information technology, allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches, information technology policies and practices, and data sharing arrangements with third parties.