Is Your Clinic Losing Money to Phishing and Ransomware?

September 19, 2022

Clinics are at an extremely high risk of being targeted by hackers. Why? One reason is how valuable protected health information (PHI) is. According to Secure Link, PHI is nearly 50x more valuable than financial data: their estimates put the value of a financial record at about $5.40, while a PHI record is worth about $250.

Cybersecurity is an important topic to learn about and understand because of how big a risk certain cyber threats can pose to orthopedic clinics. A single security breach can result in a clinic losing patients, facing fines for potential HIPAA violations, or even being unable to operate.

Between the start of November 2020 and January 2021, healthcare organizations saw a 45% increase in cyberattacks, roughly twice the 22% increase seen across all industries (Source: Check Point). So, knowing how to avoid common cyber threats and how to deal with a data breach is a necessity for any medical practice today.

There are three extremely common cyber threats that orthopedic clinics will likely have to deal with sooner or later: Ransomware, phishing attacks, and “insider attacks” from disgruntled employees.

How do different cyber threats work and how can they affect your orthopedic practice? Most importantly, what can you do about them? Let’s start with a basic explanation of each threat:

What Is Ransomware?

The Cybersecurity & Infrastructure Security Agency (CISA) defines ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”

In other words, it’s a type of cyberattack that makes it so that you can’t access the data on your computers. For example, if ransomware infects the computer or server where you store all of your clinic’s patient data, then you wouldn’t be able to access that data—it would all register as unreadable gibberish until you are able to “decrypt” it.

Think of it like this: ransomware's encryption is like taking all of your data and rewriting it in a secret code—if you don’t know the secret code, you can’t read the data. Once your data is encrypted, the crook behind the ransomware will send you a note demanding that you give them something (typically money or something else of value) in exchange for the “secret code” so you can read your data.

How Can Ransomware Affect an Orthopedic Clinic?

Ransomware can be a dire threat to a clinic’s operations because it brings them to a grinding halt. Imagine not being able to access any of your patient records (previous visit notes, payment information, prescription data, health histories, etc.) or financial records (accounts payable/receivable).

This could put a stranglehold on your clinic’s operational workflows and make it impossible to help patients or generate revenue. Two practical points follow from this. First, whether a clinic can recover without paying depends largely on having recent backups stored somewhere the ransomware cannot reach (offline, or on a separate system with its own credentials), and on having actually tested a restore from them. Second, many ransomware groups now copy data before encrypting it and threaten to publish it, so a ransomware incident is usually also a reportable breach of PHI, not just an outage.

What is a Phishing Attack?

Phishing.org defines phishing as: “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, financial details (i.e., bank or credit card info), and passwords.”

A famous (or infamous) example of phishing would be the old “Nigerian Prince” emails—the ones where someone claiming to be a foreign prince or someone who just inherited a massive fortune would contact people asking for banking details so they could “transfer the money over for safekeeping.” Once they got the banking info, however, the scammer would instead withdraw money or use it to commit identity theft.

However, modern phishing scams aren’t usually so easy to spot. Scammers have evolved their tactics to make themselves nearly indistinguishable from legitimate communications. In some cases, they may pose as administrators within a business, vendors that the business works with, or even as patients requesting information—a tactic that is sometimes called “spear phishing” because it’s more targeted than regular phishing techniques.

How Can Phishing Attacks Affect Your Orthopedic Clinic?

Phishing attacks can have a variety of negative effects depending on the goal of the scammer behind the attack. For example, a scammer might use a phishing email to trick a member of your clinic staff into installing ransomware. They might attach an executable file with a request to run it to fix some problem the scammer made up, or claim it is a new program that needs to be installed. The same trick is also done with links instead of attachments: the email points to a download, or to a copy of a familiar login page that simply records whatever password is typed into it.

In the first case, the effects of the attack would be the same as those of any other ransomware attack.

Another way that phishing could hurt a clinic is by using stolen information to commit fraud against the clinic, its staff, or its patients. This could lead to large monetary losses as the scam artist steals money by taking it from bank accounts, making fraudulent purchases, or filing for new credit cards, loans, or other financial services with stolen information.

A side effect of the massive fraud that a phishing attack could cause is a major loss of reputation in the community. If a clinic develops a reputation for not protecting private information, then patients are much less likely to use that clinic’s services.

Finally, leaks of patient data from a phishing attack could result in HIPAA fines, and further fines if the breach isn’t disclosed in a timely manner (the HIPAA Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after the breach is discovered). The HIPAA Journal website splits HIPAA violation penalties into four tiers with separate minimum fines:

  • Tier 1 violations (ones the covered entity was unaware of and could not realistically have avoided) have a minimum fine of $100 per violation, with a maximum of $50,000 per violation.
  • Tier 2 violations (where the covered entity should have been aware but could not have avoided the violation even with reasonable care) have a minimum fine of $1,000 per violation, with a maximum of $50,000 per violation.
  • Tier 3 violations (caused by “willful neglect” of the HIPAA Rules, but where attempts were made to correct the violation) have a minimum fine of $10,000 per violation, with a maximum of $50,000 per violation.
  • Tier 4 violations (willful neglect with no attempt at correction) have a fine of $50,000 per violation.

It should be noted that these figures were set by the HITECH Act, are subject to an annual cap of $1.5 million per violation category, and are adjusted for inflation each year, so the current amounts are higher than the base figures listed here.

What Are Insider Attacks?

For orthopedic clinics, insider attacks are when a member of the clinic’s staff or an approved vendor working with the clinic abuses their access privileges to the clinic’s systems to commit fraud or cause harm to the practice.

Insider attacks can be especially devastating because many traditional cybersecurity measures won’t stop someone who has legitimate access credentials. For example, a firewall filters traffic coming into your network from the outside. An insider is already inside that boundary and logs in with valid credentials, so their activity looks like normal work to the firewall.

This makes it hard to stop a disgruntled employee or malicious vendor before they cause serious harm. The controls that do help are the ones HIPAA already expects of a practice: give each person their own account (no shared logins) with only the access their role needs, remove that access the day a staff member leaves or a vendor relationship ends, and keep audit logs of who viewed or changed which records so that misuse can be spotted and proven.

The effects of an insider attack can be similar to the effects of a successful phishing attack—loss of reputation, significant financial losses, disruption to the practice’s clinical workflows and revenue, etc.

Some Simple Ways to Reduce Cybersecurity Risks

So, what can your practice do to protect itself from cyber threats? First, it’s important to note that cybersecurity is an incredibly complicated topic that requires dedicated expertise to handle effectively—more than can be communicated in a single blog post of reasonable length. For this reason, it’s incredibly important to seek out expert advice from someone with extensive experience in managing data security or IT.

This is where consulting with a cybersecurity service provider or one of your clinic’s IT specialists can help. They’ll often know many of the basic security measures you should take to meet or exceed basic HIPAA data security compliance standards so you can minimize your data breach risks.

With this in mind, here are some basic things you may want to do immediately (if you haven’t already):

1. Implement Basic Cybersecurity Policies and Procedures

Implementing proper cybersecurity policies and procedures is critical for any clinic to meet HIPAA guidelines. However, what is a “proper” set of cybersecurity policies? To avoid getting too technical, here are some basic security policies that you can enact to get started:

  • Don’t install non-work apps on work devices. “Free” software downloaded from the internet may carry hidden malware or other problems that make it risky. If an app isn’t related to work, it shouldn’t be installed on your clinic’s computers or tablets.
  • Never share passwords or login information with anyone for any reason. Scammers often steal access credentials by posing as IT staff or managers and asking a phishing victim for their login information to “fix a problem.” Where a system offers multi-factor authentication, turn it on, so that a stolen password alone is not enough to get in.
  • Don’t run an executable file from an email. These are commonly used to put malware on your computer systems. Treat documents that ask you to “enable content” or “enable macros” with the same suspicion; they can run code just as an executable does.
  • Never use personal devices for clinic work. In other words, staff members should avoid using their personally owned laptops, phones, USB drives, etc. for clinic work. Personal devices may carry malware that could then spread to the clinic’s network.
  • Install basic antivirus software on all workplace devices, and keep it, the operating system, and applications up to date. Numerous companies offer affordable antivirus products that can detect common malware and help you remove it from your clinic’s computers.
  • Change your clinic’s Wi-Fi password and the router’s administrator password instead of keeping the defaults, and use WPA2 or WPA3 encryption. Default passwords are published by router model, and attackers keep lists of them.

2. Learn the Warning Signs of Phishing Attacks

Phishing attacks and other social engineering scams seek to leverage the most common weakness in any cybersecurity setup: the people who are using the systems and data the scammers want access to.

To protect against phishing schemes, it’s important to give your employees basic cybersecurity training so they can learn to distinguish phishing emails from legitimate ones. Some of the warning signs of phishing include:

  • Urgent or Threatening Messaging. Phishing scams often use phrases that sound like threats to create a sense of urgency and trick the recipient into clicking on something they shouldn’t. Phrases such as “last chance” or “final warning” can indicate that the message is a phishing attempt.
  • Requests for Passwords. If you have an internal policy to never share passwords, any request for password information should be an automatic red flag. If an email is asking for a password, then it’s probably part of a scam. 
  • Oddities in the Sender’s Address. Some scammers try to imitate the email address of a trusted sender in order to trick you or your employees. The display name (“Dave”) can be set to anything, so look at the actual address, and read it carefully for oddities like a misspelled name or extra numbers or letters in the domain. For example, instead of the address being dave@familyclinic.com it’s duve@1familyclinic.com. If you aren’t looking carefully, it’s easy to miss the changed name or overlook the extra “1” in the domain. The same check can be done automatically by comparing the sender’s domain against the short list of domains the clinic actually works with and flagging near-misses.
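The checks described in the two lists above (executable attachments, urgency and password-request wording, lookalike sender domains) can be automated, and a mail gateway does essentially this. The script below is an added example written for this article, not Phoenix Ortho code: the trusted-domain list, the phrase lists and the sample message are all constructed for illustration, and a real deployment would tune the phrase lists and read messages from the mail server rather than building one in code.

```python
"""Triage a raw e-mail for the phishing warning signs discussed above.

Added example, not vendor code. Flags: a sender domain that imitates a trusted
one, urgency / password-request wording, and attachments that are executables
by extension or by content ('MZ' header), whatever name they claim.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional

# Assumption: the domains this clinic legitimately exchanges mail with.
TRUSTED_DOMAINS = {"familyclinic.com"}

# Illustrative phrase lists, not a complete rule set.
URGENCY_PHRASES = ("last chance", "final warning", "immediately",
                   "within 24 hours", "account will be suspended")
PASSWORD_PHRASES = ("your password", "login information", "credentials",
                    "verify your account")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".ps1", ".hta")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike domain is usually 1-2 edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the real From: address, ignoring the display name ('Dave <...>')."""
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None                      # genuine domain or a real subdomain
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]        # 'familyclinic'
        if levenshtein(domain, trusted) <= 2 or label in domain:
            return trusted                   # e.g. '1familyclinic.com'
    return None


def message_text(msg: EmailMessage) -> str:
    """Lower-cased subject plus text body (plain part preferred, else HTML)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return (str(msg["Subject"] or "") + " " + text).lower()


def executable_attachments(msg: EmailMessage) -> List[str]:
    """Attachments that are executables by extension or by their first bytes."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXTS) or data[:2] == b"MZ":
            found.append(name or "<unnamed>")
    return found


def triage(raw: bytes) -> Dict[str, object]:
    """Return every warning sign found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    text = message_text(msg)
    return {
        "sender_domain": domain,
        "lookalike_of": lookalike_of(domain),
        "urgency": [p for p in URGENCY_PHRASES if p in text],
        "password_request": [p for p in PASSWORD_PHRASES if p in text],
        "executables": executable_attachments(msg),
    }


def build_sample() -> bytes:
    """Constructed sample message (not a real capture) that trips every check."""
    msg = EmailMessage()
    msg["From"] = "Dave <duve@1familyclinic.com>"          # lookalike of familyclinic.com
    msg["To"] = "frontdesk@familyclinic.com"
    msg["Subject"] = "FINAL WARNING: your EHR login expires today"
    msg.set_content("Last chance! Reply with your password and run the attached\n"
                    "updater immediately to keep your access.")
    # A fake 'PDF' whose bytes begin with the MZ header of a Windows executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="ehr_update.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:17} {value}")
```

The subdomain check in `lookalike_of` matters in practice: `mail.familyclinic.com` is the clinic's own mail, while `1familyclinic.com` or `familyclinic-billing.com` is not, and a checker that only looked for the word "familyclinic" would get both wrong. The `MZ` test catches the common trick of naming an executable `something.pdf.exe` and relying on Windows hiding the final extension.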

It can also help to work with your software vendors to train your employees in how to use the clinic’s orthopedic software solutions. For example, Phoenix Ortho provides live training and support to help clinic staff learn how to use our software platform safely and efficiently.

3. Lead by Example

When setting up cybersecurity rules for your team to follow, it’s important to model the behaviors that you want them to exemplify. Few things frustrate employees as quickly as being told “do as I say, not as I do” or feeling like they’re being subjected to a double standard.

If administrators don’t appear to respect the cybersecurity rules that everyone else has to follow, then the rest of the staff won’t respect the rules, either. So, leading by example is important for getting the staff to follow the rules.

These are just a few of the things that you can do to reduce the threat of phishing, ransomware, and insider attacks. For more information, it’s important to consult with an IT or cybersecurity expert.

Looking for an orthopedic software partner that will work with you to help your clinic achieve success? Reach out to Phoenix Ortho today to get started!

