What physicians can do about ransomware
Protecting a practice doesn't always require a large investment of money, just time and employee training.
A new kind of malicious software poses a direct and serious threat to ambulatory care facilities like physicians' offices. But many tools are available to help offices address IT weak points without a lot of time or expense.
Ransomware typically infiltrates an IT network when a user inadvertently clicks a bad link that was designed to appear legitimate. Ransomware disables the original computer and then spreads itself across the network. The hackers who deployed the ransomware then demand payment for each affected machine before restoring access to the data inside.
The entire health care sector is enticing to ransomware attackers, experts said. Although hospitals are higher profile because of their size and resources, individual ambulatory care facilities like physicians' offices also make for juicy targets.
“Most software [in hospitals] is up to date, but I'm not so sure about the physician's office,” said Patricia Hale, MD, FACP, associate medical director for informatics at Albany Medical Center in New York and chair of ACP's Medical Informatics Committee. “There are very poor security systems set up in a lot of places, and doctors don't get too involved in this part of their business. Their nephew is running the server. So in the physician sector there's a real concern. Physicians' offices are much less prepared and much less protected.”
Plenty of programs and tactics can make an immediate difference in an office's security and preparedness, experts said. The key challenge may not be technology, money, or staffing expertise, but rather simple willpower.
“A lot of it is about attitude,” said Ryan Walsh, MD, vice president and chief medical information officer at the University of Texas Health Science Center at Houston. “[Physicians] in smaller practices say ‘I'm not ready to address this because it's too big to handle.’ But taking a common-sense approach to at least putting in a core set of competencies and services is really not that hard.”
The problem
The health care sector is not just vulnerable to ransomware. It's an active target.
According to the U.S. Department of Health and Human Services, close to 2,000 hospital data breaches occurred between 2009 and 2016. In March, the FBI warned that health care organizations sat squarely in cybercriminal crosshairs.
In May 2017, a piece of ransomware called WannaCry crippled networks around the globe, hitting 300,000 computers in 150 countries. As reported widely in the media and discussed in the Oct. 17, 2017, Annals of Internal Medicine, the most prominent victim was giant credit bureau Equifax, but WannaCry also buckled Great Britain's National Health Service (NHS) and the hospitals, pharmacies, and clinics across its system. Attackers demanded a few hundred dollars per affected machine, with payment requested in the form of hard-to-trace bitcoins, then threatened to begin deleting data unless ransom payments arrived in a certain time frame.
During that time, NHS employees reverted to ink and paper and personal phones to coordinate care. Facilities postponed or canceled appointments, asking patients to seek care only in case of emergency. It wasn't the first or last such attack, or even the most successful in terms of forcing people to pay the ransom, but it was a high-profile outbreak that vaulted the term “ransomware” into public consciousness.
What makes ransomware so dangerous is its ability to spread throughout a network, according to experts. In previous times, one click on the wrong URL could only affect one computer. Now it can affect an entire facility.
“This year with WannaCry it morphed from an incommunicable disease to a communicable disease, if you will,” said Amar Yousif, chief information security officer at the University of Texas Health Science Center at Houston. “It uses your computer to spread to the other computers in the network. I don't have to be on the computer to fall victim to an attack. I just have to be on the same network.”
With ransomware's obvious goal being to gain money, hospitals are a more likely target than private physicians' offices. The immediacy of inpatient care also increases the urgency to restore access to data.
“If you have systems that are vital to patients and critical to patient care, the risks are different,” said Douglas Fridsma, MD, FACP, CEO of the American Medical Informatics Association. “Often hospitals or health systems have systems and personnel designed to safeguard against such attacks. But they're a more likely target because a hospital is a more valuable asset.”
Ambulatory care centers are still vulnerable, but for a different reason: their relative lack of preparedness for such an attack.
“Small practices are in the unenviable position of needing cybersecurity but having fewer resources [than hospitals] to pay for or staff it,” said Glenn Cohen, JD, a law professor at Harvard Law School and director of the school's Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics in Cambridge, Mass.
Regardless of the type of facility, the personal information contained in health care record systems holds tremendous value on the black market.
“[Ransomware] can have a direct monetary purpose, but in the health care sector it is most commonly used to gain personal patient health information,” Dr. Hale said. “Health information is so extraordinarily valuable; it can be used to develop a new identity.”
There is another vulnerability inherent to health care, and as it stands clinicians and their IT staffs can't do much about it. The “internet of things” is now a common phenomenon, particularly in health care, where equipment is routinely connected to the internet in some form or fashion. These devices can be infiltrated and disabled just like a computer.
“The health care sector uses its share of medical devices with either embedded computers or an attached computer,” Mr. Yousif said. “X-ray machines, monitors, all have operating systems that cannot be patched. They become sitting ducks for ransomware that can get in and render the device useless.”
The solutions
Preparing for a cyberattack is not unlike delivering patient care. The ideal approach blends prevention and tools for acute response. There is no single off-the-shelf solution to unilaterally attain perfect cybersecurity, but a variety of tools can work together to greatly strengthen a network, and it's not as complex as it might seem.
“For physician offices, this doesn't need to be that expensive,” Dr. Hale said. “The most important things aren't expensive at all … You don't need highly sophisticated software. The people are far more important. The most important things you don't even need to write a check for.”
Begin by tapping into existing connections, such as an EHR provider, experts suggested. “It's important for small practices to work with their vendors and ask them questions,” Dr. Fridsma said.
Where applicable, parent health networks can help for the same reasons. These discussions can provide the foundation for a good strategic blueprint and can do so for free or a reasonable price—perhaps just “a couple thousand dollars,” Dr. Hale noted.
“Your hospital system has a lot of interest in security and very sophisticated security groups that can provide information or help you set up your own system,” Dr. Hale said. “Hospitals have a lot of resources.”
The security rule contained in the Health Insurance Portability and Accountability Act (HIPAA) can provide a guidepost. Comparing requirements of the security rule against a network's specifications can be useful, and complying with the law is always a good idea, but experts say that compliance should not be conflated with full preparedness for ransomware attacks.
“The requirements of HIPAA compliance help reduce the effect of data breaches when they occur,” Mr. Cohen said.
Once there is a road map for improvement, the first action step often is education. After all, ransomware requires a user to click a malicious link in order to release the software into the network. Employees who understand the dangers and warning signs are the first line of defense.
“The education around the staff is what generally starts this process,” Dr. Fridsma said. “You need to stop inadvertent [risk-taking] behavior … even if it looks like it's from a place that's recognized or if it looks like a Facebook [post] or an important Word document.”
Most people realize that the internet is a dodgy place and are open to becoming savvier. Helping employees raise their own awareness may be the best way to get buy-in compared with rigid policies that likely won't be followed anyway.
“Your staff is not going to stop doing email or stop doing social media. It's unrealistic,” Dr. Hale said. “You need to have a realistic policy … Every single office staff member needs to be educated about the risks of ransomware and about email and social media. They want to know this for their own lives, too. People are receptive to information about this. It's a relief to know it.”
Third parties offer education programs for this specific purpose. In a process known as conditioning training or simulation testing, trainers anonymously send emails that mimic those that might carry ransomware, to see whether or which staff members click the offending URL. The costs of such a service are based on the number of email accounts in a given office, so smaller offices will be relatively inexpensive.
“You send a fake phish email, and if someone falls for it, you go back and do more education,” Mr. Yousif said.
Once education is complete, technical preparation is the other half of the equation. Isolation is a key principle. Servers that contain sensitive information are safeguarded by placing a firewall or special authentication protocols between those servers and the broader internet.
“Email and social media are the most common sources of ransomware,” Dr. Hale said. “So what are the access points for ransomware to get into the system? Putting the EMR on its own system and not connected to the internet is ideal.”
If office staff communicate electronically with patients, use a patient portal or another tool to set up secure messaging, rather than using general email.
“If you're connecting with patients through email, do it in a secure manner with a secure messaging system,” Dr. Hale said. “Check with your vendor. Maybe they offer this. If you're not doing this, you are at risk.”
Similarly, validating files and messages that come into facility computers can screen out suspicious content.
“If people have good systems in place, that will filter out things,” Dr. Fridsma said. “Sometimes email can automatically strip off an attachment with a virus. But education has to go hand in hand.”
Installing malware and virus software in both computers and printers can also help. According to experts, easy-to-find services can help filter email and identify ransomware and other malware programs.
“Email filtering services will scrub your emails. It's a service you can subscribe to,” Mr. Yousif said. “If you outsource your email with a company like Google, it is affordable to do it right through Gmail.”
If disaster does strike, having backup files is a key to recovery. Paper files are not only cumbersome but often outdated as new patient information flows into electronic records. Several companies offer daily or real-time backup. In the case of the latter, software automatically detects file changes and keeps all data updated in real time and stored in a remote location.
“The first thing they do is have good solid backups so you have copies of your data updated on a nightly basis,” Dr. Walsh said. “So I may have to restore, but you can refuse to pay a ransomware attacker.”
If patient data exist on the cloud, those services typically offer their own backup restoration options.
“A lot of offices are on the cloud,” Dr. Walsh said. “So if that [cloud] vendor gets hit, that's a problem, but they may have a disaster recovery option. There's a fee, but it's not large.”
One of the most effective technical enhancements is also the simplest. Major operating systems and antivirus programs automatically supply security updates. While this may seem intuitive, users sometimes forget to make the updates.
“Patching, patching, patching,” Mr. Yousif advised. “You need up-to-date security and antivirus software. So even if they click [on a piece of ransomware], the payload's not going to run.”
In some cases, updates are not available. This certainly applies to health care equipment, and as of now there is no viable way to upgrade machines to protect them from evolving threats like ransomware—or whatever may lie beyond.
“Medical equipment makers have a responsibility to make updates,” Mr. Yousif said. “They're running obsolete operating systems. They ought to give us the ability to update and patch these devices.”
Most solutions, however, are easy to install and not particularly costly, especially compared with the havoc a ransomware attack can wreak, although they may involve a bit of legwork or online research. “Collaborating and educating only costs time and materials,” Dr. Hale said. “Isolating your servers, collaborating with vendors and hospitals … I don't think it's cost-prohibitive at all.”
Dr. Walsh said, “When we were all on paper charts, they locked the charts in a chart room. They didn't leave the door open. You shouldn't do that either here. This is the new locking of the chart room.”