Over the past year, healthcare organizations have faced a rising trend of attempted and successful cyberattacks, infiltrating their information technology systems and stealing vast amounts of employee or patient information.
Worse yet, some organizations had malware or ransomware inserted into their information systems, freezing their entire IT infrastructure until the organization either paid a ransom to an anonymous attacker or reconstructed its entire system.
The fact that any system can be victimized is reinforced by the recent news that multiple U.S. government agencies were hacked by Russian agents who surreptitiously collected information for months without being detected.
I recently had the pleasure of speaking with Marion Jenkins, PhD, FHIMSS, founding partner of HealthSpaces, a consulting firm that focuses on helping healthcare organizations define and successfully execute a viable technology strategy. Jenkins has decades of experience in strategy and buildout of healthcare IT in business technology projects and has extensive experience in confronting these intensifying threats to medical groups and mitigating risk.
As Jenkins explained, the complexity of technology in healthcare has grown alongside these cybersecurity risks, which can create “a lot of fear, uncertainty and doubt” — or what he calls “FUD” — that must be confronted to keep clinical operations on track, so patients receive quality care without technology getting in the way.
As Jenkins explored in his October 2020 MGMA Connection magazine article, “Don’t be a teleworking crash dummy,” the most important and effective security tool a healthcare organization has is the employee at the keyboard who does not fall prey to the full range of scams and cyberattacks.
“They really run the spectrum: From somebody who might be trying to convince someone in accounting to pay an invoice that’s not owed … on the low end of things,” Jenkins said, “to the high end of things — installing ransomware,” which has become much more prevalent in the past year.
The human factor in cybersecurity
Jenkins noted it is important for healthcare leaders to recognize that cyberattackers and scammers operate like regular businesses and create threats tailored to market conditions and circumstances.
For example, new rounds of federal relief during the COVID-19 pandemic [e.g., Paycheck Protection Program (PPP) loans] give attackers a ready-made pretext for attention-grabbing phishing emails. There have also been more traditional consumer and business fraud scams that offer personal protective equipment (PPE) for sale that is never delivered.
To avoid falling victim to these tailored threats, Jenkins encourages healthcare leaders to prepare workers — especially those who may be working remotely during the pandemic — to look for these types of “social engineering” and recognize the red flags on inbound emails, social media and other communications.
“Education really is a big part of it,” added Jenkins, who encouraged the use of new systems to test your workforce with fake phishing messages for training purposes. “It’s not a real virus or real ransomware, but it’s designed to ferret those things out.”
The new year might be an ideal time to review other basic security measures, such as requiring stronger passwords, and to confirm that the users with the highest levels of access to network drives and systems (e.g., administrators, the chief financial officer, physician-owners) follow the same precautions as everyone else, since their accounts are the ones an attacker most wants.
Disconnect if in doubt
Minutes or even seconds can be crucial once a computer or system has been infiltrated, and Jenkins said healthcare leaders should resist the natural temptation to troubleshoot or reboot. “If there’s a suspected attack, the absolute most critical thing … is to physically disconnect and turn off those devices,” Jenkins said. “Every minute that computer is connected to the network gives that ransomware more ability to go out and find more shares to be encrypted.”
Recovery matters just as much, and it starts with checking whether your backups survived intact if your systems have been hit by malware or ransomware. “If your backups are connected and you do daily backups, if you have a ransomware attack and don’t discover it within one day, then … it will encrypt your daily backups.
“You have to balance having your backups being not just done on a routine basis, but being taken offline,” Jenkins said, to ensure the data in those backups is out of harm’s way if the backup system is connected to other systems that might be compromised.
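The check Jenkins describes, whether a backup set can still be trusted as a restore point, can be partly automated. The following is an added example, not code from the article, from MGMA or from HealthSpaces: it walks a backup tree and flags files that should be readable text (CSV exports, logs, notes) but whose bytes look random, which is what ransomware output looks like. The extension list, the entropy cut-off, the 5% tolerance and the small sample backup tree it builds are all assumptions chosen for illustration.

```python
"""Flag a backup set that may already contain ransomware-encrypted files.

Added example for this article, not code from MGMA or HealthSpaces.
Heuristic: files whose name says "readable text" (CSV exports, logs, notes)
should have low byte entropy; ransomware output is close to random
(near 8 bits per byte). If many such files look random, the snapshot is
not a safe restore point. Extensions, thresholds and the sample tree are
assumptions chosen for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# File types whose contents should be human-readable, compressible text.
TEXT_LIKE = {".txt", ".csv", ".log", ".json", ".xml", ".html", ".hl7"}
ENTROPY_LIMIT = 7.2        # bits per byte; assumed cut-off, tune for your data
MIN_SIZE = 256             # very small files give unreliable entropy estimates
MAX_SUSPECT_RATIO = 0.05   # assumed: >5% random-looking text files = untrusted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_backup(root: Path) -> dict:
    """Walk a backup tree; report text-like files whose bytes look random."""
    suspicious, checked = [], 0
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        # Look at every suffix so a file renamed "claims.csv.<new ext>" by
        # ransomware is still judged as the CSV it was.
        if not any(s.lower() in TEXT_LIKE for s in path.suffixes):
            continue
        data = path.read_bytes()
        if len(data) < MIN_SIZE:
            continue
        checked += 1
        if shannon_entropy(data) > ENTROPY_LIMIT:
            suspicious.append(str(path.relative_to(root)))
    ratio = len(suspicious) / checked if checked else 0.0
    return {
        "checked": checked,
        "suspicious": suspicious,
        "ratio": ratio,
        # A snapshot with no readable text files at all is not trusted either.
        "trusted": checked > 0 and ratio <= MAX_SUSPECT_RATIO,
    }


def build_sample(root: Path, encrypted: bool) -> None:
    """Write a constructed backup tree (made-up records, not patient data)."""
    (root / "exports").mkdir(parents=True, exist_ok=True)
    record = b"12345,2020-10-01,OFFICE VISIT,99213,150.00\n"
    for i in range(8):
        (root / "exports" / f"claims_{i}.csv").write_bytes(record * 40)
    (root / "notes.txt").write_bytes(b"Nightly backup taken at 02:00.\n" * 20)
    if encrypted:
        # Simulate ransomware: six exports replaced by random bytes and renamed.
        for i in range(6):
            victim = root / "exports" / f"claims_{i}.csv"
            victim.unlink()
            victim.with_name(victim.name + ".locked").write_bytes(os.urandom(4096))


def demo() -> tuple:
    """Scan one clean and one ransomware-hit sample tree; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hit = Path(tmp, "clean"), Path(tmp, "hit")
        build_sample(clean, encrypted=False)
        build_sample(hit, encrypted=True)
        return scan_backup(clean), scan_backup(hit)


if __name__ == "__main__":
    for label, report in zip(("clean snapshot", "hit snapshot"), demo()):
        print(f"{label}: checked={report['checked']} "
              f"suspicious={len(report['suspicious'])} trusted={report['trusted']}")
```

Run a check like this against each new snapshot before it is rotated into the offline copy, so a snapshot taken after an undetected infection cannot overwrite the older, clean one. Two limits are worth knowing: formats that are legitimately compressed or encrypted (ZIP archives, many PDFs, compressed images) look random by design, which is why the scan is restricted to text-like types, and the heuristic only catches ransomware that encrypts files, not an intruder who quietly copies data out.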
It’s a matter of mindset
Given the increasing number of potential cyberattacks, being prepared is “not a matter of if you’re going to get attacked,” Jenkins said. “This is a matter of when you’re going to get attacked.” Preparing a cyberattack recovery procedure when you’re not actively dealing with an attack is crucial so you can know how to respond when it’s time to shut down systems, restore data and resume operations.
Above all, Jenkins said it’s important for medical groups to recognize that this is not simply a compliance issue or something for an IT team to fix. Rather, good cybersecurity “needs to be adopted and be part of daily practice” so your organization creates a mindset of being careful, and not viewing precautionary measures such as password changes as inconveniences.
“This is an operational issue — technology cannot save us,” Jenkins said. “The biggest threat and the most important tool is the person sitting behind the keyboard. … If we don’t give that end user the tools and the information they need to be safe, then we have failed.”
Additional resources
- “Maintaining Cybersecurity While Working Remotely” (MGMA Advocacy resource)
- “Don’t be a teleworking crash dummy” (MGMA Connection magazine)
- “The most important and effective security tools are your medical practice’s staff” (MGMA Stat)
- “HIPAA Security: Debunking the myths and finding the real risks in your practice” (MGMA Connection magazine)
- “Beware of COVID-19 financial bailout scams” (MGMA Insight article)