Skip To Navigation Skip To Content Skip To Footer

    The MGMA membership renewal portal is experiencing intermittent issues. We are working on a fix. If you're unable to renew, please call 877.275.6462 ext. 1888 or email service@mgma.com to renew.

    Rater8 - You make patients happy. We make sure everyone knows about it. Try it for free.
    Insight Article
    Home > Articles > Article
    Generic profile image
    Andy Stonehouse, MA
    It’s no longer science fiction — highly skilled hackers are actively working to break in and hold electronic healthcare data for ransom or steal millions of identities in an instant.
     
    Andrew Jahnke, a cybersecurity expert and owner and chief technologist for Rain Technologies, Inc., recently joined MGMA senior editor Daniel Williams on the MGMA Insider podcast to discuss how even small medical practices and companies are at risk, and what they can do to protect themselves and better train their staff to prevent breaches.
     

    Healthcare a top target for hackers

    Because of the vast amount of concentrated biometric data healthcare companies collect from their patients, it’s also made the industry one of the biggest targets, he noted.
     
    “In 2018, over eight million individual records faced exposure and hacking,” he said. Those problems often begin from the inside, with overly curious internal users rooting around in secure data. “When you make something available to people and it’s not policed or tightened down very well, it just lends itself to people who end up going in. In other industries (finance, for example), access to records is audited and controlled much more closely than it is in healthcare.”
     
    While viruses were once the biggest issue facing healthcare computer networks, Jahnke said the stakes are much higher now as global criminal networks and even state-sponsored hacking teams attempt to inflict damage or extort users for access to their own information.
     
    “In the late 90s and early 2000s, viruses were relatively benign, and sort of few and far between,” he said. “Now, they are much more high volume, and they’re more effective. Many parts of them are automated, and (hacker organizations) have people operating the scans and attacks all over the world. There are a lot more actors at play, trying to get at information and leverage it to make money in a lot of different ways.”
     
    Jahnke said hacking teams primarily seek to exploit minor security lapses to invade data systems. They’re sneaky, too, often hovering over an opening for as long as 200 days before striking, eventually locking users out, damaging files or stealing data for criminal purposes — or even as part of international espionage, sponsored by foreign governments.
     

    No one is immune

    And though smaller practices or healthcare groups may feel they are likely immune to online threats, Jahnke said they too face exactly the same kind of potential problems that have plagued larger companies. Training employees to spot potential threats is an important first step, as well, he added.
     
    “Smaller companies don’t realize that the compromises are coming in, primarily though the actions of users who are receiving phishing emails or credential-theft email. They’re the ones who are clicking on that. It doesn’t matter how big of an organization you are — when you’re sitting on tens of thousands of healthcare records, you are an absolutely ideal target.”
     
    Jahnke has dealt with many healthcare practices who either employed sloppy security protocols — simple or outdated passwords, or too many employees being given administrative access — and has seen what can happen when threats emerge.
     
    “We had two customers where the doctors put their foot down and said they were not going to employ these mechanisms. And they were compromised with a ransomware infection. Fortunately, in that case, we had sufficient tools in place monitoring network activity to know that no data was actually traded.”

    Jahnke said a safer approach is to work with an IT team to set up tools to safeguard data with layers of protection, in addition to training staff on safer protocols for accessing, sharing and handling sensitive biometric records.
     
    “Endpoint protection is really the last line of defense,” he said. “We want a lot of other layers to be defending users and networks before it ever gets to the workstation or software. So that means having fully licensed, next-generation firewalls inspecting traffic, looking at what’s going in and out of the network and working in concert with other layers of security.”
     
    He also suggested companies purchase technology to electronically screen and filter all incoming emails for threats, in addition to electronic firewalls which actively and actively update with real-time threats experienced by other users across the country.
     
    Generic profile image

    Written By

    Andy Stonehouse, MA

    Andy Stonehouse, MA, is a Colorado-based freelance writer and educator. His professional credits include serving as editor of Employee Benefit News and a variety of financial and insurance publications, in addition to work in the recreation and transportation fields.  


    Explore Related Content

    More Insight Articles

    Ask MGMA
    An error has occurred. The page may no longer respond until reloaded. Reload 🗙