Cybercrime is a growing problem across all industries, although it has proven to be a particularly rampant issue in the health care sector. A study from the Ponemon Institute found that the rate of cybercrime in 2015 was around 125 percent higher than the level observed in 2010. Furthermore, according to Forbes contributor Steven Morgan, commenting on an IBM study, the health care industry recorded the highest number of cyberattacks in 2015, eclipsing sectors such as government, finance and manufacturing.
Why is cybercrime such a threat to the health care industry?
Cybercrime, in a health care context, refers to strategies utilized by criminals to access sensitive information — typically patient details stored in electronic medical records. So why are cybercriminals so eager to procure such details? As noted in a white paper published by leading technology company Dell EMC, criminals are interested in health care data due to its high monetary worth on the black market. For example, personal information such as Social Security numbers, home addresses and health insurance details all can be used for identity theft purposes.
It is crucial, therefore, for all health care organizations — big and small — to implement strategies for curtailing the risk of cyberattacks.
Common types of cybercrime
Cybercriminals target health care organizations in two notable ways:
1. Phishing attacks
As explained in a Microsoft fact sheet, phishing scams work in this way: A cybercriminal will send an email to a target — a Family Nurse Practitioner (FNP) in a medical practice, for example — and will pretend to be from a trustworthy source. The criminal either will ask users to click on a link or to hand over protected information directly. Links can be used to install software that steals or encrypts important data. In a health care setting, a cybercriminal may email a clinician, pretending to be his or her boss, and request that information in electronic health records (EHRs) be sent over.
2. Ransomware attacks
Ransomware crimes are not dissimilar from phishing scams. As Kim Boatman wrote for cybersecurity company Symantec, these attacks occur when cybercriminals use strategies such as emails with links or pop-ups to entice users to click and then download ransomware. This software encrypts valuable data, such as electronic medical records, holding it hostage. The criminals then demand payment — a ransom — from the victim to unlock the compromised data.
In May 2017, the world was rocked by the largest ransomware attack ever, an event that impacted some 150 countries, CNN reported. The attack involved malware known as WannaCry, a program that hijacks important data and demands a ransom payment be made via the internet currency bitcoin. The May 2017 attack was especially consequential because it affected a number of health care organizations within Britain’s National Health Service. CNN explained that as many as 16 practices were targeted, leading to canceled outpatient appointments and a suspension of some crucial services.
Health care organizations lagging when it comes to cybersecurity
As observed by journalist Janet Colwell in Medical Economics, cybersecurity concerns often are overlooked by health care providers, particularly in smaller, independent practices. Oversights in this area likely can be attributed to a lack of appreciation of risk and a focus on other priorities.
Colwell interviewed consulting services manager John Southrey, who supported this assertion. He explained how it is common for primary care practice managers to overlook the risk of cybercrime, placing it far down the list of their priorities. This reaction is often due to a lack of understanding of the ubiquity of the problem — most practice managers assume that cybercriminals will not target them, perhaps because of the size of their practice or for other reasons.
But as Southrey pointed out, preparation still is crucial, as the impact of an attack on a practice's operation can be devastating, comparable to, if not worse than, the problems associated with a disaster such as a fire. He also stressed that what many practice managers do not know is that cybercriminals do target small practices, because they often know that security protocols there may be less stringent.
Given the vulnerable situation that health care organizations find themselves in with regard to the threat of cybercrime, it is more important than ever that all clinicians have a clear understanding of best practices for mitigating cybercrime risk. This need is especially important for FNPs, who routinely use platforms such as EHRs, where valuable private patient information is stored.
Strategies that FNPs can implement to protect data
Some of the most impactful approaches to protecting valuable patient data are as follows:
1. Using firewalls
According to guidelines published by the U.S. Office of the National Coordinator for Health Information Technology, health care providers should ensure that firewalls are installed to protect important programs — especially EHRs. Firewall software is widely available, and medical providers are encouraged to check with health care IT managers to ensure that the appropriate firewalls are installed on work computers where EHRs routinely are accessed.
2. Installing pop-up blockers
As stated by Boatman, pop-ups are one vehicle through which ransomware attacks are initiated. Health care professionals, therefore, should ensure that pop-up blockers are installed on their computers.
3. Backing up all data
Health care professionals should take time to back up all data, especially personal patient information. The rationale is simple: If ransomware criminals hold the information hostage, another copy will be readily accessible, Bill Siwicki asserted in Healthcare IT News.
4. Using common sense
Sometimes spotting cybersecurity threats is a matter of exercising common sense. This approach means reviewing all emails upon receipt and refraining from clicking on links that are not trustworthy. As noted in the Microsoft fact sheet, there often are telltale signs of scams in emails sent by cybercriminals. Examples include a tone that is forceful and demanding, as well as spelling and other grammatical errors. FNPs also should regard these tactics as red flags.
5. Following basic cybersecurity rules
Guidelines from the Office of the National Coordinator for Health Information Technology stress that simple precautions can go a long way to keep computers and data safe in medical practices. For example, FNPs are advised not to leave computers unattended and to vet any guests using the network.
By following these strategies, FNPs and other health care providers can contribute to the fight against cybercrime across the health care industry.