Hacking has become a multi-billion-dollar business, and unless doctors prepare their practices, an attack may be inevitable and costly.
By Steven Martinez
We’ve all seen the suspicious email. Unknown senders, broken English, and a suspicious insistence to click the link.
It’s easy enough to delete—if it even makes it past the spam filter. It might seem like only a gullible person would fall for the most obvious traps.
While many people understand how to sidestep the Nigerian prince asking for money, hackers are professionalizing and becoming more sophisticated and focused—and specifically targeting patient data for ransom.
“The days of improperly worded requests for things that just didn’t seem realistic have pretty much subsided,” says Gary Salman, chief executive officer of cybersecurity firm Black Talon Security.
A Sophisticated Enemy
One of the most malicious and challenging attack methods to avoid is what’s known as a spear phishing attack.
Using an email from somebody known to the practice owner, they send an email with a link containing malicious code to gain access and control of the network. The link could also lead to what looks like a legitimate website to harvest passwords and logins.
“We’re seeing a lot more attacks where they breach a legitimate email system, and then they use that email to target all of the contacts in the email system,” says Salman. “Spear phishing is usually from someone you know, trust, or do business with. So it could be another team member, a colleague, a referral, a vendor, an accountant, or even an attorney.”
Hackers may also forgo the subterfuge and directly attack your network, scanning firewalls for any vulnerabilities and exploiting them to gain control.
Once they gain access to the data, they copy it and contact the practice owner, demanding money in exchange for keeping the data safe.
Even if a practice owner had the foresight to back up all of their data and update it regularly, it is simply not enough once patient data has been breached.
“Practices might think, I don’t care about ransomware because I have a backup of my data,” says Salman. “The first thing they should know is that hackers will usually find their backups and destroy them.”
Even if a plastic surgeon manages to retain a full backup of their data, they still have to face the fact that their patient data has been stolen, and once they have it, the cybercriminals will go to great lengths to get their ransom money.
How Hackers Targeting Your Patient Data Get Their Money
“The hackers will say, hey, I got all your patient data, and to prove it, I’m going to show you some photographs of your children, private emails or patient X-rays, and if you don’t pay me, I’m going to sell all of your patient records on the dark web,” says Salman.
In addition to the reputational hit a practice would receive from losing patient data, simply undoing the damage from the hack could take weeks, costing thousands of dollars in downtime. Not least of all, doctors are required by law to protect this data from a ransomware attack.
“They know that healthcare almost always pays because regardless of whether you’re a general dentist or cardiothoracic surgeon, you can’t have your patient data published,” says Salman.
He says that around 90% of doctors end up paying the ransom for their patient data. In the cases where a doctor tries to resist or can’t pay, the hackers will be relentless in trying to extract their money.
Salman recalled one instance where hackers were asking for a six-figure ransom, and the practice was struggling to come up with the money.
“The hackers were getting so frustrated with the victim that they extracted all of the cell phone numbers of the owners, and every hour, on the hour, they called demanding that they pay,” says Salman. “It got to the point where they started cursing at the victims. They threatened to call the local news station and newspapers in their town to let them know that this business has been hacked.”
In the end, that practice took out loans to pay the ransom.
The interactions are so jarring and unpleasant that some doctors have told Salman they have PTSD, to the point that they might consider selling their practice.
“The amount of stress and aggravation and frustration that causes everyone is something no one talks about,” says Salman. “It’s just this complete invasion of not only their personal privacy, but their livelihood.”
The Business of Cybercrime and Ransomware Attacks
Cybercrime has morphed into a multi-billion-dollar industry. Salman says that some groups generate a quarter of a billion dollars a year with these ransomware attacks.
In some instances, the hackers will negotiate the ransom—a service that Black Talon provides. They might come down 10% or as much as 60%, so long as they get their money. Others refuse to negotiate at all.
Primarily based out of Russia, with some groups operating in China, Iran, Ukraine, and North Korea, the hackers thrive in an environment with little to no government intervention.
Get the image out of your head of small-time crooks or nihilistic overweight teenagers. The largest groups operate like real businesses with tech support, development teams, and financial staff.
Some groups even outsource the work to smaller groups, charging a fee for their technology and methods and receiving a percentage of the successful ransoms.
“It’s basically like a cartel or a pyramid scheme,” says Salman. “Everything rolls back to these gangs, and they don’t really have to do the attacks themselves. They’re just selling the tools to do it, and they profit greatly from it.”
The groups are a cold mix of pragmatic professionals and emotionless thieves. They have zero pity for a practice owner’s plight but at the same time understand that they have a reputation to uphold.
During the earliest days of the pandemic, Salman says he tried to use the financial hardships caused by lockdowns to negotiate better ransoms for patient data. They told him that the price already took the COVID-19 pandemic into account.
About the only grace hackers extend is upholding the promise not to sell patient data once the ransom has been paid.
“Believe it or not, it’s a reputational thing for them,” explains Salman. “What happens is a company like Black Talon will tell a future client, hey, if you pay these guys, there’s a high likelihood that they’re still going to publish your data. We advise you not to pay.”
There’s a certain honor amongst thieves, and, as strange as it sounds, they have a reputation to uphold as well. Double-crossing a victim would be tantamount to receiving a 1-star review on Yelp and might cause other victims to refuse to pay. Salman says that he’s never had a situation where the hackers burned a practice after paying the ransom.
The flip side of this is that they must follow through on their threat to publish patient data if the victim doesn’t pay.
“So typically, what happens is, if you refuse to make a payment, they’ll take between 1% and 10% of the patient data that they stole, and they will put it on their dark website where it’s viewable by whoever comes across their dark website,” says Salman.
Black Talon will go to clients refusing to pay and show them the dark websites containing their patient’s photographs, x-rays, and health history forms. Usually, next to the data is a counter showing the number of people who have already viewed the patient records.
“That’s when it gets really real for the doctor, and they say, alright, I got a big problem,” says Salman.
Shoring Up Your Defenses to Protect Patient Data
With an increasingly sophisticated, cunning, and ruthless enemy, the outlook might seem bleak for any practice owner. It might seem like dumb luck is the only thing standing between a practice and financial ruin.
But Salman says that the best way to fight back is to regularly test and evaluate your cybersecurity.
He says that many business owners think that if they contract with an IT security company, they are safe. But even with firewalls and antivirus software in place, a dedicated cybersecurity firm needs to test how safe things really are.
Salman recommends that practices have their firewalls scanned at least once a month for vulnerabilities. They should also have their computers scanned daily for vulnerabilities, and they need to implement cybersecurity awareness training, something that is required for healthcare businesses under HIPAA law.
“Search out a company that specializes in cybersecurity awareness training,” says Salman. “It’s not, hey, some dude came into my office and talked to us for 30 minutes over pizza. That doesn’t work.”
Practices should also have a security risk assessment done by a credentialed security expert. They’ll ask around 100 questions related to security and operations and then provide a report showing the areas that are doing well and the areas that need improvement.
Lastly, practices should consider doing an annual penetration test. A cybersecurity firm looks at the network like a hacker would, using the same technology and techniques to find vulnerabilities and breach the network. The information from the penetration test will show where defenses need to be shored up and vulnerabilities patched.
“The reality is, you can basically fight back and win and not be a victim,” says Salman. PSP