Clinics are at an extremely high risk of being targeted by hackers. Why? One reason is how valuable personal health information (PHI) is. According to Secure Link, PHI is nearly 50x more valuable than financial data. Their estimates put the value of a financial record at about $5.40, while a PHI record is worth about $250.
Cybersecurity is an important topic to learn about and understand because of how big a risk certain cyber threats can pose to orthopedic clinics. A single security breach can result in a clinic losing patients, facing fines for potential HIPAA violations, or even being unable to operate.
Between November 1st, 2020 and January 2021, healthcare organizations experienced a 45% increase in cyberattacks, nearly twice the average growth rate experienced across all industries (22%) (Source: Check Point). So, knowing how to avoid common cyber threats and deal with data breaches is a necessity for any medical practice in today’s world.
There are three extremely common cyber threats that orthopedic clinics will likely have to deal with sooner or later: ransomware, phishing attacks, and “insider attacks” from disgruntled employees.
How do different cyber threats work and how can they affect your orthopedic practice? Most importantly, what can you do about them? Let’s start with a basic explanation of each threat:
The Cybersecurity & Infrastructure Security Agency (CISA) defines ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”
In other words, it’s a type of cyberattack that locks you out of the data on your own computers. For example, if ransomware infects the computer or server where you store all of your clinic’s patient data, you wouldn’t be able to access that data—it would all register as unreadable gibberish until you are able to “decrypt” it.
Think of it like this: ransomware's encryption is like taking all of your data and rewriting it in a secret code—if you don’t know the secret code, you can’t read the data. Once your data is encrypted, the crook behind the ransomware will send you a note demanding that you give them something (typically money or something else of value) in exchange for the “secret code” so you can read your data.
Ransomware can be a dire threat to a clinic because it brings day-to-day operations to a grinding halt. Imagine not being able to access any of your patient records (previous visit notes, payment information, prescription data, health histories, etc.) or financial records (accounts payable/receivable).
This could put a stranglehold on your clinic’s operational workflows and make it impossible to help patients or generate revenue.
Phishing.org defines phishing as: “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, financial details (i.e., bank or credit card info), and passwords.”
A famous (or infamous) example of phishing would be the old “Nigerian Prince” emails—the ones where someone claiming to be a foreign prince or someone who just inherited a massive fortune would contact people asking for banking details so they could “transfer the money over for safekeeping.” Once they got the banking info, however, the scammer would instead withdraw money or use it to commit identity theft.
However, modern phishing scams aren’t usually so easy to spot. Scammers have evolved their tactics to make themselves nearly indistinguishable from legitimate communications. In some cases, they may pose as administrators within a business, vendors that the business works with, or even as patients requesting information—a tactic that is sometimes called “spear phishing” because it’s more targeted than regular phishing techniques.
Phishing attacks can have a variety of negative effects depending on the goal of the scammer behind the attack. For example, a scammer might use a phishing email to trick a member of your clinic staff into downloading ransomware. They might attach an executable file to the phishing email and ask the recipient to run it, either to “fix” some problem the scammer made up or under the pretense that it is a new program that is supposed to be installed on their computer.
In this instance, the effects of the attack would be identical to the effects of a ransomware attack.
Another way that phishing could hurt a clinic is by using stolen information to commit fraud against the clinic, its staff, or its patients. This could lead to large monetary losses as the scam artist steals money by taking it from bank accounts, making fraudulent purchases, or filing for new credit cards, loans, or other financial services with stolen information.
A side effect of the massive fraud that a phishing attack could cause is a major loss of reputation in the community. If a clinic develops a reputation for not protecting private information, then patients are much less likely to use that clinic’s services.
Finally, leaks of patient data from a phishing attack could result in HIPAA fines—and further fines if the breach isn’t disclosed in a timely manner. The HIPAA Journal website splits HIPAA violations into four tiers with separate minimum fines:
It should be noted that these fines were set per the HITECH Act and may change to account for inflation.
For orthopedic clinics, insider attacks are when a member of the clinic’s staff or an approved vendor working with the clinic abuses their access privileges to the clinic’s systems to commit fraud or cause harm to the practice.
Insider attacks can be especially devastating because many traditional cybersecurity measures won’t stop someone who has legitimate access credentials. For example, a firewall normally filters out “bad” traffic from cybercrooks looking to get into your system. A firewall does nothing to stop an insider, however, because their logins and traffic look exactly like the legitimate activity it is designed to let through.
This makes it incredibly hard to stop a disgruntled employee or malicious vendor before they can cause extreme harm to the practice.
The effects of an insider attack can be similar to the effects of a successful phishing attack—loss of reputation, significant financial losses, disruption to the practice’s clinical workflows and revenue, etc.
So, what can your practice do to protect itself from cyber threats? First, it’s important to note that cybersecurity is an incredibly complicated topic that requires dedicated expertise to handle effectively—more than can be communicated in a single blog post of reasonable length. For this reason, it’s incredibly important to seek out expert advice from someone with extensive experience in managing data security or IT.
This is where consulting with a cybersecurity service provider or one of your clinic’s IT specialists can help. They’ll often know many of the basic security measures you should take to meet or exceed basic HIPAA data security compliance standards so you can minimize your data breach risks.
With this in mind, here are some basic things that you may want to do immediately (if you haven’t already done them):
Implementing proper cybersecurity policies and procedures is critical for any clinic to meet HIPAA guidelines. However, what is a “proper” set of cybersecurity policies? To avoid getting too technical, here are some basic security policies that you can enact to get started:
Phishing attacks and other social engineering scams seek to leverage the most common weakness in any cybersecurity setup: the people who are using the systems and data the scammers want access to.
To protect against phishing schemes, it’s important to give your employees basic cybersecurity training so they can learn to distinguish phishing emails from legitimate ones. Some of the warning signs of phishing include:
It can also help to work with your software vendors to train your employees in how to use the clinic’s orthopedic software solutions. For example, Phoenix Ortho provides live training and support to help clinic staff learn how to use our software platform safely and efficiently.
When setting up cybersecurity rules for your team to follow, it’s important to model the behaviors that you want them to exemplify. Few things frustrate employees as quickly as being told “do as I say, not as I do” or feeling like they’re being subjected to a double standard.
If administrators don’t appear to respect the cybersecurity rules that everyone else has to follow, then the rest of the staff won’t respect the rules, either. So, leading by example is important for getting the staff to follow the rules.
These are just a few of the things that you can do to reduce the threat of phishing, ransomware, and insider attacks. For more information, it’s important to consult with an IT or cybersecurity expert.
Looking for an orthopedic software partner that will work with you to help your clinic achieve success? Reach out to Phoenix Ortho today to get started!