The health care sector has become America’s top hacking target, but Colorado Springs experts warn most doctors are still leaving the doors wide open for cybercriminals.
Many are failing to keep up with even basic cybersecurity measures, while cybercrime organizations are launching increasingly sophisticated attacks with dire consequences.
Doctors are particularly unreceptive to warnings that they need to boost cybersecurity, according to Shawn Morland, Navakai co-founder and technology adviser, and Jeff Beauprez, president of Colorado Networks Inc.
“What we’ve discovered … in working with medical groups, is that they are sometimes the most reluctant to adopt good security practices — without naming names and getting specific,” Morland said. “… They hold a lot of personal health information and so you would think they’d want to jump on that bandwagon, but security’s not easy. Security comes not only at a price financially, but in time.”
Even the difference between entering a 4-character password and a 15-character password “sounds trivial, but in their minds, that’s just huge,” he said. “I’ve literally gotten into conversations with multiple doctors who have said that there would be no way they would ever adopt those long passwords because it would slow them down.”
Doctors can be “very difficult to convince” of the value of cybersecurity measures, Beauprez said.
“They say … ‘I really don’t want to spend it. What’s the return on that investment? … How do I know if I spend umpteen dollars on equipment and training, is it really going to protect me?’” he said. “That’s difficult because you never know — if you’ve protected yourself from being hacked, they don’t leave a cookie behind to say ‘Nice job, we couldn’t get in.’”
Mike Ware, CEO of the El Paso County Medical Society, said physician practices face the same cybersecurity threats and challenges as large hospital systems, but without experienced in-house IT staff and large bank accounts.
“What we see is two extremes,” he said. “One is just feeling overwhelmed and that this is so far out of our pay grade that you just shut down and ignore it. And the other end, a belief that ‘Well, we’re just a small or medium-sized practice so we’re not a target,’ forgetting that — no pun intended — the way Target was hacked [compromising the personal information of 110 million people] was through a third-party heating and air vendor.
“What we see is a lack of awareness or almost a fatalism of throwing their hands up and saying, ‘Well, if I’m going to get hit, I’m going to get hit,’” Ware added. “This is an issue that’s only going to get more complex and health care’s only going to become more of a target.”
Hacking incidents are rapidly increasing in health care, according to the HIPAA Journal, and account for all but three of the sector’s largest data breaches in 2017.
The American Medical Association’s recent survey on cyber threats in health care found attacks on physician practices are alarmingly common, with 83 percent of practices reporting they’d had some form of cyberattack.
The survey found cyberattacks can lead to clinical practice interruption, system downtime, higher operational expenses and patient safety risks, in addition to theft of health data and personal information.
CSO Online ranks the catastrophic 2015 data breach at Anthem, the nation’s second-largest health insurer, as the 12th-worst data breach of the 21st century. The cyberattack, likely by a foreign government, was unleashed when a single employee at an Anthem subsidiary clicked a link in a phishing email. It resulted in the theft of personal information of about 78.8 million current and former customers, including names, birth dates, addresses, Social Security numbers and employment histories — in short, everything needed to steal an identity.
Cyber experts say the attack should be fresh in the memory of every health care provider, and should drive home the point that an individual physician’s office can be the backdoor to a staggering amount of sensitive information.
“That’s absolutely the case,” Beauprez said. “They can get into pathology files, they can use [a physician’s office as a] backdoor into the hospitals. … We’re seeing that the criminals are not so much interested in stealing medical records. From a terrorist perspective — and we have to be careful about this, we don’t want to talk too much about this — what we’re seeing is they can change the prescriptions. So let’s say somebody’s taking heart medication and the criminals change the dosage, they either add or subtract a zero from the dosage. So now you can start killing people and never have to set foot in the country.”
Ware said cybercriminals can indeed weaponize people’s individual conditions by hacking their health data and using it to do harm.
“That is something that is extremely dangerous,” he said. “Granted, it’s an apocalyptic worst-case-scenario, but the reality is with 7 billion people in the world, somebody’s thinking of this. And that worst case scenario puts an even greater emphasis on the need to protect our health information.”
Even without turning to physical harm, there’s plenty a cybercriminal can do with information stolen from a doctor’s office. Morland said the most common approach he’s aware of is using the stolen personally identifiable information to create false identities, then using those identities to obtain credit.
“I know my mother fell victim to this through a medical clinic where her records were sold off and then somebody in another state actually bought a car under her Social Security number and name,” he said. “I’m not sure how they pulled that off, but it’s been done.”
Ware said doctors describe protecting health information as “extremely important — at the day-to-day level though, the lack of knowledge is a big issue.
“It’s like anything very specialized — these folks spend hours and days and weeks every year staying on top of clinical knowledge; you almost have to have somebody else that just stays on top of cyber knowledge and regulatory compliance knowledge, and that’s a challenge for your average small practice.”
But when it comes to the simplest frontline defenses, like strengthening passwords, Morland says there just aren’t any excuses.
“How honest do you want me to be? I think it’s just lazy,” he said. “I don’t know of any other reason for [not adopting longer passwords]. It’s just like not wanting to put a lock on your house because you don’t want to pull a key out. That’s crazy to me.
“I think they are gamblers. … I think because not that many HIPAA audits have occurred, then ‘It’s not me’ and if I’ve never been breached, I’m never going to worry about a breach.”
Usually, the threats doctors leave unaddressed come down to speed and convenience.
“But if it’s convenient for you, it’s convenient for the bad guy,” Morland said. “You’ll see some situations that just turn your stomach. Unfortunately even in the most rigid environments that I’ve worked with in the community, security is definitely substandard.”
So how should doctors address the dangers?
First, fix the passwords: a long passphrase, a 15-character string of words, is a good start, Morland said. Next, hire a consultant to perform a gap analysis that measures the standards the practice is required to meet (such as HIPAA) against the defenses it actually has, so that the shortfalls can be tackled. Back up all medical records (professional help will probably be needed to do it properly) and, this is the big one, focus on training.
“We deal with a lot of different companies but still the No. 1 issue is training and staff,” Beauprez said, “and 99.9 percent of the intrusions, the security breaches and stuff, they occur as a result of an employee clicking on something or responding to something fake.”
And in the end, consequences count.
“Training only goes so far. The point comes where we have to — the term is get skin in the game,” Beauprez said. “If there becomes a monetary fine or if it becomes a point in an employee’s performance review — when you tie hard realities to some of that — then people start to pay attention.”
“I’m sure that if it hit them in the pocketbook, unfortunately, I think it would change in a New York minute,” he said.
Ware said the El Paso County Medical Society is responding to the demand for cybersecurity help by offering (through ProPractice, the umbrella under which EPCMS operates) electronic resources and information, webinars, and online training for which doctors can receive continuing education credits.
“Physicians are trained to be the ones with the answers, so you almost have to get to a more comfortable level with them for them to open up,” Ware said. “And when we get to that level and those conversations, what they tell us is they feel overwhelmed, they feel like they’re not adequately prepared and that they don’t have the resources they need. That’s where we as a professional association fall in, to meet that need.”
Morland said countless areas need improvement, and cyberattacks are actually spurring some progress.
“These are huge hacking organizations and they’re making a lot of money — they’re hugely successful so there’s no reason for them to quit,” he said. “What’ll happen is that as more and more organizations get hit, the security will tighten and elevate for every one of them. And at some point the number will be so big that security will be pretty darn good for everybody.”
Disclosure: Navakai is a vendor of Colorado Publishing House, which prints the Colorado Springs Business Journal.
Correction: In the original story, Jeff Beauprez was incorrectly described as “president of Colorado Networks Inc. and senior fellow at the National Cyber Exchange.” His correct title is “president of Colorado Networks Inc.”