Medical practices are falling prey to cyberattacks at an exponential rate. Some outlets report that medical data is 10 times more likely to be targeted than banking information.

Medical Practices: A Steady Target for Cyber Attack

With more than 85% of physicians relying on electronic medical records, and approximately 1 million active physicians in the United States (not including nurse practitioners, dentists or optometrists), there are a lot of potential targets.

The medical profession’s adoption of electronic records quickly caught the attention of cyber attackers. In 2020, 41 million patient records were breached. That marks a rather significant increase from the 15 million records illegally accessed in 2018.

For medical practices, and much of the healthcare sector, the ongoing commoditization of health care records constitutes a crisis. This is not randomized data, after all. This is specific data related to an individual’s health. In some cases, cyber attacks have resulted in human death. In many cases, working without electronic records delays an already beleaguered healthcare system.

Medical Data Pursued by Attackers

While hospitals present a larger opportunity due to size and access to financial resources, individual medical practices also present interesting targets for attackers. With each practice hosting hundreds, if not thousands, of sensitive medical records, they present an opportunity to leverage a ransom on both the practice and the clients.

Attacks Impact the Practice and Patients

Attackers no longer discriminate between a corporate target and a personal target. A target is a target. Attackers, in some cases, have named victims who do not respond to their demands. When these victims refuse to pay, their personal records are released on the internet for all to see.

Despite the significant liability issue presented to a medical practice when a patient’s name and data are inadvertently revealed, many smaller medical practices are not ready to address the looming threat posed by ransomware. According to the Canadian Medical Protective Association (CMPA), the scale of equipping a medical practice with the required cybersecurity tools and insurance is often perceived as too big to tackle.

The Looming Threat Lurking on Medical Practice Networks

While it takes attackers minutes to breach a medical practice network, it often takes much, much longer before the breach is detected. In 2019, it took an average of 224 days for healthcare organizations to discover they had suffered a cybersecurity breach.

The issue is not solely the time it takes to detect the threat. There is also a gap between the discovery of a breach and the notification of impacted parties. These parties, of course, refer to the medical practice’s patients, employees, and service providers.

The Cyberattacks that Impact Medical Practices

While electronic medical records provide significant advantages to a medical practice, they are also more readily accessible and transferable. In the face of a cyber attack, those records present a privacy risk.

Medical practices, like other businesses, face a range of cybersecurity threats. These include:

  • Malware and ransomware: Software designed to cause harm to the computer running it or the network on which it resides. In some cases, files or systems are encrypted and a ransom is demanded before the files are made accessible to their rightful owner.
  • Phishing attacks: A social engineering technique where an attacker sends communication to a user pretending to be someone else with the intent to either trick the user into revealing their credentials or entice the user into running malicious software.
  • Misleading websites: Links to malicious websites that will trigger a vulnerability or allow the download of a malicious attachment.
  • Cloud storage and apps: Any cloud-based storage or apps that contain sensitive data present a target for cyber attack. When these applications do not use stringent security or encryption tactics, the data is at risk.
  • Insider incidents: From employee error to explicit wrongdoing, insider incidents can leave patient data exposed to the public.

Medical Practice Case Studies

With medical practices experiencing an unprecedented rate of attacks, identifying a range of attacks came too easily. We prepared the following case examples to demonstrate the extent of recent attacks, and the result of the attacks.

Medical Practice Ransomware Attack: St Lawrence Health System

On October 27, 2020, New York State-based St. Lawrence Health System experienced a ransomware attack.

The IT team detected the attack within a matter of hours, and promptly reacted by shutting down all IT systems. While patient care went uninterrupted, emergency care services were temporarily redirected to ensure patient well-being. The hospital quickly switched over to a business continuity plan, triggering processes to maintain patient care and expedite data recovery – including Electronic Health Record (EHR) downtime and offline documentation processes.

At the time of the attack, officials confirmed the Ryuk ransomware was responsible for the attack. It’s important to note that over the days prior to and after the attack, other healthcare providers and medical practices were targeted as part of the same attack.

While authorities continue to investigate the scope of the incident, the IT team restored systems, applications, patient medical records, laboratory results, and pharmacy records within a two-week period.

Medical Practice Ransomware Attack: Allergy Partners

US-based Allergy Partners experienced a ransomware attack on February 23rd, 2021. At first, staff believed the attack to be a network outage. It quickly became apparent that something more nefarious was afoot. Clinic staff received ransom demands for $1.75 million USD in exchange for an encryption key.

After a week of investigation and planning, the clinic’s IT team recovered the systems. During the interim period, staff continued to see patients using paper records.

While the incident is still under investigation, Allergy Partners is building a plan to inform all patients whose data was impacted by the attack.

Medical Practice Cyber Attack: Cochise Eye & Laser

In January 2021, Cochise Eye and Laser in Sierra Vista, Arizona received a message indicating their scheduling and billing software had been encrypted. For a practice operating two clinics and a surgical center, the loss of its systems represented a substantial operating obstacle.

In fact, up until mid-February, 2021, the practice continued to rely on paper file management and scheduling systems.

Investigators indicated that data was stolen, encrypted, and in some cases deleted. Although investigators still don’t have evidence data was resold, the medical practice recommended that its 100,000 patients place a fraud alert on their credit file. Data involved in the attack includes dates of birth, addresses, phone numbers, and social security numbers.

The attack appears to have served as a wake-up call: the practice is now working with an IT team to augment security measures, including building a disaster recovery plan with offsite backup.

Medical Practice Cyber Attack: Woodcreek Provider Service

A series of Washington State pediatric clinics and urgent care centers experienced ransomware attacks starting in late 2020. In an incident attributed to a larger breach experienced by a third-party IT service provider, attackers gained access to personal and protected information about patients, employees, healthcare providers, applicants, and contractors.

The information stolen in the attack is detailed and deeply personal, including but not limited to, names and addresses, medical record numbers, dates of birth, social security numbers, health insurance policy and identification numbers, insurance claims, clinical notes, laboratory reports, benefit and tax forms, and employee health information.

The extent of the attack continues to be under investigation.

What Does an Attack Look Like?

A routine day in a busy medical practice can quickly turn sour with a simple message:

“Your important files are encrypted.

Your files are no longer accessible because they have been encrypted.

Nobody can recover your files without our decryption service.

All you need to do is submit payment and purchase the decryption key.

Send $500 worth of Bitcoin.”

It’s official: the medical practice is the subject of a ransomware attack. With the appearance of a daunting message, the practice’s normal operations go awry. A practice that relied on iPads and desktop computers moments ago now requires paper and pen for patient management.

Keeping Digital Records Safe in an Era of Cyber Attacks

Keeping a patient’s records safe takes effort. It is admittedly a big job. Recommended steps include:

  • Promote awareness: Every member of the medical practice plays a role in protecting patient data. Medical practices must promote a culture of data security by offering cybersecurity education.
  • Encourage ‘hygienic’ computer use: Provide no room for guesswork on what behaviors are safe and dangerous. Provide clear data security guidelines so staff understand how to protect their workstations. This includes keeping software and operating systems maintained. Encourage the use of strong passwords and password storage tools.
  • Restrict network access: Require authorization for new software, applications and additions to existing systems.
  • Plan for the worst case: Ensure files are backed up to an external, off-site source that is available in case of an attack.
  • Protect mobile devices: Require protective measures to keep mobile devices and the information on these devices secure.
  • Introduce a comprehensive digital security protocol: From a firewall to anti-virus and endpoint security, every device connected to the internet requires protection.

Managed Endpoint Security for Medical Practices

CYDEF’s Managed Detection and Response solution provides endpoint security made up of anti-malware protection, advanced threat detection and a skilled team of live security analysts. With 100% visibility into what’s happening on devices, in applications and on accounts, a medical practice can be sure that if breached – they’ll know about it. Learn more about our managed security solutions and how CYDEF can support your medical practice.