According to Black Talon Security CEO Gary Salman, most plastic surgeons don’t realize that hiring an information technology company alone may not be enough to secure a medical practice from hackers.
By Tonya Johnson
Four years ago, information technology (IT) programmer Gary Salman started receiving a ton of phone calls from doctors who were victims of ransomware cyber-attacks. In the ensuing years, cyber-attacks against healthcare facilities have only gotten worse.
Salman says the primary reason hackers focus on the healthcare market is because of the tremendous amount of data available. “It’s the perfect source of identity theft because it contains all of a patient’s pertinent information—name, address, social security number, and date of birth,” he explains. What’s more, if sensitive healthcare data has been encrypted with ransomware or stolen entirely, criminals know doctors are willing to pay a hefty price to get it back.
To empower healthcare practitioners and help them combat the growing problem, Salman partnered with expert colleagues in the cybersecurity, healthcare, and finance arenas to launch Black Talon Security. Black Talon Security utilizes technology and human intelligence to keep criminals away from private practices.
If you’ve never been the victim of a ransomware cyber-attack, consider yourself lucky. Read more to learn about the importance of having a solid cybersecurity action plan in place at your practice. Then start implementing the steps outlined below by Black Talon Security.
WHAT IS CYBERSECURITY?
Cybersecurity is a holistic program for protecting your practice against hackers. A traditional program includes vulnerability management, which is crucial because every device on a doctor’s network will have some form of vulnerability: a weakness that gives a hacker an entry point and, from there, a way to take control of the network.
Cybersecurity firms use vulnerability-scanning software to analyze a doctor’s firewall setup and every device in the office, identify the vulnerabilities, and work with the doctor’s information technology company to close those unlocked doors and windows.
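What “searching for the vulnerabilities” looks like at the first step, as an added example written for this article (it is not Black Talon Security’s software): a small triage script over port-scan results. The scan lines are constructed in the style of nmap’s grepable (-oG) output, the addresses and host names are invented, and the shortlist of risky ports is an assumption chosen for illustration. A scan run from inside the office is judged differently from one run from the internet side of the firewall, where nothing but deliberately published services should answer at all.

```python
"""Added example: triage an internal or external port scan of a small
practice network.  The sample lines are constructed in the style of nmap's
grepable (-oG) output; they are not a real scan."""
import re

# Port -> (service, why an open instance matters).  Assumed shortlist of the
# services intruders most often use to move through a small office network.
RISKY_PORTS = {
    21:   ("ftp",    "clear-text logins; credentials can be captured in transit"),
    23:   ("telnet", "clear-text remote shell; should never be enabled"),
    445:  ("smb",    "file sharing; the usual path for ransomware to spread"),
    1433: ("mssql",  "database port; practice-management data often sits here"),
    3389: ("rdp",    "remote desktop; brute-forced or used with stolen credentials"),
    5900: ("vnc",    "remote desktop; frequently weak or no authentication"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# nmap -oG host line: "Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ..."
HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(lines):
    """Yield (ip, hostname, [(port, state, proto, service, version), ...])."""
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue  # comments and "Status: Up" lines carry no port data
        ip, name, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(", "):
            f = entry.strip().split("/")
            if len(f) < 7:
                continue
            # fields: port/state/proto/owner/service/rpc/version/
            ports.append((int(f[0]), f[1], f[2], f[4], "/".join(f[6:]).strip("/")))
        yield ip, name, ports


def assess(scan_lines, scope="internal"):
    """Turn scan lines into findings, most severe first.

    scope="internal": the scan ran from inside the office; only the risky
    services are reported.  scope="external": the scan ran from the internet
    side of the firewall, where every open port is a finding because nothing
    except deliberately published services should be reachable at all.
    """
    findings = []
    for ip, name, ports in parse_grepable(scan_lines):
        for port, state, proto, service, version in ports:
            if state != "open":
                continue
            if port in RISKY_PORTS:
                svc, why = RISKY_PORTS[port]
                sev = "critical" if scope == "external" else "high"
            elif scope == "external":
                svc, why, sev = service, "reachable from the internet; confirm it is intended and patched", "medium"
            else:
                continue
            findings.append({"host": ip, "name": name, "port": port, "proto": proto,
                             "service": svc, "version": version, "severity": sev, "reason": why})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))


# Constructed samples (invented addresses, not a real practice network).
SAMPLE_INTERNAL = [
    "# Nmap grepable output (constructed sample, not a real scan)",
    "Host: 192.168.10.5 (fileserver.practice.local)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2012 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)",
    "Host: 192.168.10.23 (xray-console)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http//lighttpd 1.4.35/\tIgnored State: closed (998)",
    "Host: 192.168.10.40 (reception-pc)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)",
]
SAMPLE_EXTERNAL = [
    "Host: 203.0.113.7 (fw.practice.example)\tPorts: 443/open/tcp//https//OpenVPN/, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)",
]

if __name__ == "__main__":
    for scope, lines in (("internal", SAMPLE_INTERNAL), ("external", SAMPLE_EXTERNAL)):
        for f in assess(lines, scope):
            print(f"[{f['severity']:8}] {scope:8} {f['host']:15} {f['port']:>5}/{f['proto']} "
                  f"{f['service']:<14} {f['reason']}")
```

The report is the conversation starter with the IT company: the telnet console on the imaging workstation and the remote desktop exposed through the firewall are the “unlocked doors” that need closing or, at minimum, restricting to a VPN.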
CAN AN INSURANCE POLICY COVER MY RISK IN THE EVENT OF A CYBER-ATTACK?
When patient data is compromised, even at a small plastic surgery practice, the cost can exceed a quarter of a million dollars.
“In fact, part of our business is to help plastic surgeons and other doctors recover from these cyber-attacks,” Salman says. “Close to 100% of doctors who have been victimized end up having to pay the ransom. Criminals are going to follow the money trail, and that’s a major issue in the healthcare industry right now.”
Many doctors have insurance policies that cover these types of online attacks, and the insurance companies will pay out a lot of money to get the doctors’ data back; the criminals know this as well. Based on Salman’s experience with clients, the average plastic surgeon’s ransom payment is $50,000. Add ransom negotiation fees and the time lost getting the practice back up and running (14 days at minimum), and most practitioners don’t walk away from a cyber incident for less than $100,000 in total expenses.
Doctors cannot offset their risk through insurance policies alone, Salman says. In fact, many insurance companies now require a private practice to have a cybersecurity program already in place before they will consider insuring it.
To find a good insurance policy for cybersecurity, ask your malpractice insurance carrier. If the insurance carrier does not cover cybersecurity, then reach out to a general business insurance company and a local insurance agent to get competitive quotes. On average, the rates for small plastic surgery practices range from $1,000 to $2,000 per year. But prices are rising, approximately 30% to 50% in 2021, due to all of the cyber-attacks in 2020.
TRAIN YOUR STAFF
Employees present a tremendous amount of risk. If one of them receives a phishing email and clicks the link or opens the attachment, the result can be an attack against the entire practice.
Under federal law (the HIPAA Security Rule requires covered entities to give their workforce security awareness training), a plastic surgeon must train staff on cybersecurity awareness. Every team member needs to be able to recognize threats that arrive by email, by telephone, or over the web.
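The tells that awareness training teaches staff to look for in an email can also be checked mechanically before the message reaches the inbox. The following is an added example written for this article, not a product of Black Talon Security: it scores a raw message for a look-alike sender domain, a display name that hides the real address, a Reply-To pointing elsewhere, a failed SPF/DKIM/DMARC result, pressure language, and a link whose visible text does not match where it really goes. The practice domain example-plastics.com and both sample messages are constructed for the example.

```python
"""Added example: score an inbound email for common phishing indicators.
The practice domain and both messages are constructed for this article."""
import re
from email import message_from_string
from email.utils import parseaddr

PRACTICE_DOMAIN = "example-plastics.com"   # assumed domain of the practice
URGENCY_WORDS = ("urgent", "immediately", "verify your", "password",
                 "wire transfer", "invoice", "suspended")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s<>]+)", re.I)


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return human-readable indicators; an empty list means none were found."""
    msg = message_from_string(raw_message)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    if from_dom != PRACTICE_DOMAIN and 0 < levenshtein(from_dom, PRACTICE_DOMAIN) <= 2:
        hits.append(f"sender domain {from_dom!r} looks like {PRACTICE_DOMAIN!r}")
    if "@" in display and domain_of(display) != from_dom:
        hits.append(f"display name {display!r} disguises real sender {addr!r}")
    if reply_dom and reply_dom != from_dom:
        hits.append(f"replies go to {reply_dom!r}, not the sender's domain")
    auth = msg.get("Authentication-Results", "").lower()
    m = re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)", auth)
    if m:
        hits.append(f"{m.group(1).upper()} check result: {m.group(2)}")

    body = body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    urgent = [w for w in URGENCY_WORDS if w in text]
    if len(urgent) >= 2:
        hits.append("pressure language: " + ", ".join(urgent))
    for href, label in LINK_RE.findall(body):
        real, shown = HOST_RE.search(href), HOST_RE.search(label)
        if shown and real and shown.group(1).lower() != real.group(1).lower():
            hits.append(f"link shows {shown.group(1)!r} but goes to {real.group(1)!r}")
    return hits


# Constructed messages: one phishing attempt, one routine internal email.
PHISH = """\
From: "billing@example-plastics.com" <billing-notice@examp1e-plastics.com>
Reply-To: collections@mail-relay-free.net
To: frontdesk@example-plastics.com
Subject: URGENT: overdue invoice, account suspended
Authentication-Results: mx.example-plastics.com; spf=fail smtp.mailfrom=examp1e-plastics.com; dkim=none
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. Verify your password immediately:</p>
<a href="http://198.51.100.7/login">https://portal.example-plastics.com/login</a>
"""
LEGIT = """\
From: "Lab Results" <results@example-plastics.com>
To: frontdesk@example-plastics.com
Subject: Pathology report for Tuesday
Authentication-Results: mx.example-plastics.com; spf=pass smtp.mailfrom=example-plastics.com; dkim=pass
Content-Type: text/plain; charset=utf-8

The report is attached to the chart in the EHR. No action needed.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof on its own (a legitimate vendor may well use a separate Reply-To), which is why the function returns the list rather than a verdict; two or more indicators together are what staff should be trained to treat as “stop and phone the sender on a known number.”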
I HAVE AN IT TEAM; WHY SHOULD I HIRE A CYBERSECURITY FIRM?
IT companies and cybersecurity companies are different, Salman explains.
An IT company’s responsibility is to keep the network up and running and help the practice update its technology. But IT companies don’t typically have the in-house expertise and certifications to secure the network.
To mitigate risk, it’s best to partner with both an IT company and a cybersecurity company; the cybersecurity company can validate the IT company’s work. In many cases networks are not configured properly, and the security controls an IT company believes are protecting the practice are not actually functioning. The biggest problem Black Talon Security sees is that plastic surgeons don’t realize their IT company is not equipped to secure them from hackers.
Having a firewall and antivirus software in place is necessary, but neither is a magic bullet. Antivirus software alone is ineffective at blocking ransomware: once hackers have a foothold on a computer, they typically disable the antivirus software, turning off the computer’s defenses. A firewall, likewise, does not stop them when they come in through a phished employee or stolen remote-access credentials rather than through an open port.
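Because switching off the antivirus leaves traces in the Windows event logs, a practice (or the cybersecurity firm watching on its behalf) can alarm on the act itself rather than on the malware it is meant to hide. The script below is an added example written for this article, not Black Talon Security’s tooling. It runs over constructed event lines in a simplified “time|host|provider|id|message” form; the event IDs it keys on (Defender 5001/5010/5012, Service Control Manager 7036, Security 4688 and 1102) are Windows’s own, with the caveat that 4688 only carries the command line when command-line auditing is turned on. Disabling the antivirus and then deleting shadow copies on the same machine within minutes is escalated, because that pairing is the usual prelude to encryption.

```python
"""Added example: spot antivirus tampering and backup destruction in
Windows event data.  The log lines are constructed for this article in a
"time|host|provider|event_id|message" form; the event IDs are the real
Defender, Service Control Manager and Security-Auditing IDs."""
import re
from datetime import datetime, timedelta

# Microsoft-Windows-Windows Defender operational log events that mean
# "protection was turned off", not "malware was found".
DEFENDER_TAMPER = {
    5001: "real-time protection disabled",
    5010: "antispyware scanning disabled",
    5012: "antivirus scanning disabled",
}
# Security event 4688 (process creation) carries the command line only if
# "Include command line in process creation events" auditing is enabled.
SUSPICIOUS_CMDS = [
    (re.compile(r"set-mppreference\s.*-disable", re.I), "tamper"),
    (re.compile(r"\b(sc|net)(\.exe)?\s+(config|stop)\s+\"?windefend", re.I), "tamper"),
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "backup_destruction"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "backup_destruction"),
    (re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I), "backup_destruction"),
]


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, provider, event_id, message = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "provider": provider, "id": int(event_id), "message": message})
    return events


def detect(events, window=timedelta(minutes=15)):
    """Return alerts in time order; a 'chain' alert is added when backup
    destruction follows AV tampering on the same host within `window`."""
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        rule = tag = None
        if "Windows Defender" in e["provider"] and e["id"] in DEFENDER_TAMPER:
            rule, tag = "defender_disabled: " + DEFENDER_TAMPER[e["id"]], "tamper"
        elif (e["provider"] == "Service Control Manager" and e["id"] == 7036
              and "Windows Defender" in e["message"] and "stopped" in e["message"]):
            rule, tag = "av_service_stopped", "tamper"
        elif e["id"] == 4688:
            for pattern, kind in SUSPICIOUS_CMDS:
                if pattern.search(e["message"]):
                    rule, tag = "suspicious_command: " + e["message"], kind
                    break
        elif e["id"] == 1102:
            rule, tag = "audit_log_cleared", "tamper"
        if rule is None:
            continue
        alerts.append({"time": e["time"], "host": e["host"], "rule": rule,
                       "tag": tag, "severity": "high"})
        if tag == "backup_destruction":
            earlier = [a for a in alerts if a["host"] == e["host"] and a["tag"] == "tamper"
                       and timedelta(0) <= e["time"] - a["time"] <= window]
            if earlier:
                alerts.append({"time": e["time"], "host": e["host"], "severity": "critical",
                               "rule": "ransomware_precursor_chain", "tag": "chain"})
    return alerts


# Constructed sample: one workstation is quietly stripped of its defenses
# late at night, then its shadow copies are deleted.
SAMPLE_LOG = r"""
2024-03-12T09:14:05|WS-RECEPTION|Microsoft-Windows-Windows Defender|1116|Windows Defender has detected malware.
2024-03-12T23:02:11|WS-RECEPTION|Microsoft-Windows-Security-Auditing|4688|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2024-03-12T23:02:12|WS-RECEPTION|Microsoft-Windows-Windows Defender|5001|Real-time protection is disabled.
2024-03-12T23:03:40|WS-RECEPTION|Service Control Manager|7036|The Windows Defender Antivirus Service service entered the stopped state.
2024-03-12T23:09:58|WS-RECEPTION|Microsoft-Windows-Security-Auditing|4688|vssadmin.exe delete shadows /all /quiet
2024-03-13T08:00:01|WS-RECEPTION|Service Control Manager|7036|The Print Spooler service entered the running state.
2024-03-13T08:30:00|SRV-FILES|Microsoft-Windows-Security-Auditing|4688|C:\Windows\System32\svchost.exe -k netsvcs
"""

if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["time"].isoformat(), a["host"], a["severity"].upper(), a["rule"])
```

The point of the correlation is timing: each event alone might be an administrator at work, but an antivirus switched off at 11 p.m. followed minutes later by shadow-copy deletion on the same host is worth waking someone up for.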
HOW DO I HIRE THE RIGHT CYBERSECURITY FIRM?
Salman offers the following advice.
- Choose a cybersecurity firm that specializes in healthcare. Many cybersecurity firms are set up to work with medium and large businesses that generate hundreds of millions of dollars in revenue, so they don’t understand the smaller healthcare provider market. A firm that focuses on smaller healthcare providers will better understand the systems plastic surgeons use, such as electronic medical record (EMR) and electronic health record (EHR) software, and can fine tune a solution for that specific practice.
- Ask how long the company has been in business, and ask for a reference list of plastic surgeons it works with.
WHAT ELSE CAN I DO TO PROTECT MY PRACTICE FROM A CYBER-ATTACK?
Hackers are typically inside a practice’s systems three to four weeks before the practice realizes it has been attacked, watching what the medical staff does and learning how the practice runs its backups (how often, and to where). Therefore, it’s important for doctors to keep a backup drive that is physically disconnected from the network, holding all practice and patient data, with them at all times: at the practice during the day and at home in the evening. A backup that stays connected can be encrypted or deleted along with everything else, and a disconnected one is only useful if it restores, so test a restore from it periodically.
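The disconnected backup is only as good as the restore nobody has tried. The following added example, written for this article rather than taken from Black Talon Security, creates a backup with a SHA-256 manifest and then proves it by restoring into a scratch directory and comparing every file against the manifest. The “offline-drive” folder, the file names and their contents are constructed stand-ins for a removable drive and real practice data; the manifest is meant to be kept apart from the archive so that an altered archive cannot also rewrite its own proof.

```python
"""Added example: build a backup with a hash manifest and prove it restores.
The destination path stands in for a removable drive that is unplugged after
the run; the sample files are constructed in a temporary directory."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir, name=None):
    """Archive src_dir into dest_dir and write a manifest of SHA-256 hashes.
    Keep the manifest somewhere the archive is not (printed and filed, or on a
    second drive) so that an altered archive cannot also alter its own proof."""
    src, dest = Path(src_dir), Path(dest_dir)
    name = name or time.strftime("%Y%m%d-%H%M%S")
    archive = dest / f"practice-{name}.tar.gz"
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest_path = dest / f"practice-{name}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Restore the archive into a scratch directory and compare every file
    against the manifest.  Returns (ok, list_of_problems)."""
    expected = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                for m in tar.getmembers():
                    # Refuse entries that would escape the restore directory.
                    if not m.isfile() or m.name.startswith("/") or ".." in m.name.split("/"):
                        problems.append(f"unsafe or non-file entry skipped: {m.name}")
                        continue
                    out = Path(tmp) / m.name
                    out.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(m) as fsrc, open(out, "wb") as fdst:
                        fdst.write(fsrc.read())
        except (tarfile.TarError, EOFError, OSError) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = {p.relative_to(tmp).as_posix(): sha256_file(p)
                    for p in Path(tmp).rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content changed: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"file not in manifest: {rel}")
    return not problems, problems


def demo():
    """A good backup verifies; a later archive whose contents changed under the
    same manifest does not.  Returns (ok_good, ok_altered, problems)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "practice-data"          # constructed sample data
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "patient-0001.txt").write_text("constructed sample chart\n")
        (src / "schedule.csv").write_text("date,patient\n2024-03-12,0001\n")
        drive = Path(work) / "offline-drive"        # stands in for the removable drive
        drive.mkdir()
        archive, manifest = make_backup(src, drive, name="nightly")
        ok_good, _ = verify_backup(archive, manifest)
        # An intruder who reached the source (or the drive) and rewrote a file:
        (src / "schedule.csv").write_text("date,patient\n<encrypted>\n")
        altered, _ = make_backup(src, drive, name="altered")
        ok_altered, problems = verify_backup(altered, manifest)
        return ok_good, ok_altered, problems


if __name__ == "__main__":
    print(demo())
```

Run nightly against the real data folder with the removable drive as the destination, then unplug the drive; run verify_backup on the drive from a different machine now and then, because an intruder who has watched the backup routine for weeks knows which copy to spoil.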
Most cybersecurity experts advise staff to leave their computers on after work because security updates are typically installed then. The flip side is that many cyber-attacks occur at night, when a staff member is less likely to notice a hacker in the system.
A cybersecurity firm can also conduct a penetration test: an ethical hacker at the firm tries to breach the network using the same tools and techniques the criminals would use. Once they have broken in, they meet with the doctor and the IT staff to explain how they got in and which doors and windows need to be closed.
If you implement effective protocols, the chances of your plastic surgery practice being breached are much lower.
Tonya Johnson is associate editor of Plastic Surgery Practice.