Ransomware: The Other Viral Threat for 2020

Written by Mike Sacopulos, JD; Michael R. Marks, MD, MBA, FAAOS. Originally posted on: American Academy of Orthopaedic Surgeons (AAOS) aaos.org (November 2020)

Editor’s note: This article is part one of a two-part series on what practices need to know about ransomware. Part two will appear in the December issue of AAOS Now.

The message on the screen reads like a 21st-century version of the black spot in Treasure Island. (In Robert Louis Stevenson’s classic book Treasure Island, the black spot represents the pirate sign for impending doom.) Your practice is locked out of its electronic health record. Patient charts are inaccessible; your calendars, surgery schedule, and third-party payer information are missing. All that remains is an electronic ransom note: Pay up, or your data are gone.

While physicians have been combating the COVID-19 pandemic, this year has seen an increase in ransomware attacks. In the first six months of the year, the top 11 attacks forced victims to pay more than $144 million. Cyber criminals, not ones to waste a pandemic, have launched COVID-19-related strategies. Fake COVID-19 “tracker apps” appeared in March, infecting systems with ransomware. Unsuspecting victims thought they were getting an app to follow the spread of the virus with statistics and heatmaps. Instead, their screens were locked, and a note informed them that their phones had been encrypted. All of their contacts, photographs, videos, etc., would be deleted unless they paid $100 in Bitcoin within 48 hours. COVID-19 has created mayhem well beyond physical illness and physical distancing.

Orthopaedic practices are not immune from this recent wave of ransomware attacks. A network of orthopaedic and sports medicine centers in the Southeast suffered ransomware attacks this summer. Before the data were encrypted and ransomed back, they were exfiltrated, including patient information, and then published online. As if a ransomware attack were not misery enough, another orthopaedic practice was subjected to a class action lawsuit. The initial ransomware attack occurred in April. By midsummer, the law firm Morgan & Morgan had brought a class action claim allegedly on behalf of approximately 100,000 current and former patients of the practice. The claim alleged that the practice was negligent in protecting patient information.

There are many more examples of orthopaedic practices being infected with ransomware, but are there solutions?

Protecting your practice

Your practice’s first line of defense against a ransomware attack is a risk analysis. This is a top-to-bottom look at how protected health information is handled and stored by your practice. A risk analysis should be performed on a “routine” basis, which most believe means every 12 to 18 months. As part of the risk analysis, your information technology (IT) structure should be examined. Is your office running the most current versions of its various software programs? Have programs been properly patched? Is your firewall properly configured? Has the access of former employees been revoked? These and many other questions go into a proper risk analysis.

There is no requirement that a risk analysis be performed by a third party. However, it is in your best interest to use an experienced vendor. Obtaining an independent, fresh perspective is always useful. Furthermore, it is simply human nature to avoid disclosing shortcomings. We know that most staff work diligently to protect patient information. However, if you were to ask them what could be done better or differently, they may come up short; it is a difficult question to answer. It also seems impossible for staff to fully describe or recognize what they do not know. The adage “You don’t know what you don’t know” was never more appropriate than when examining IT shortcomings. We believe that the most effective risk analyses are performed by parties unrelated to your practice or its IT vendors.

Most successful ransomware attacks result, at least in part, from human error. The most common delivery method for ransomware is spam or phishing email: a staff member receives an email that seems legitimate, clicks on the link, and thereby launches ransomware into your system. Other causes include poor password habits. Most of the problems related to human error result from a lack of cybersecurity training and retraining.

We understand that your staff is busy and that cybersecurity training is on the list of annual chores somewhere between elevator recertification and cleaning out old lunches from the breakroom refrigerator. You need to move this activity up the list. Thankfully, there are some sources available to help.

Most professional liability carriers offer some degree of cyber hygiene training and other educational materials. You should contact your professional liability carrier to see what resources it offers. The good news is that the cost of these resources is typically included in your premiums, so you should not have to pay out of pocket for an analysis. The bad news is that you will need to purchase a separate insurance policy for cyberattacks, as the typical malpractice policy does not provide enough coverage. There are also businesses designed to provide security awareness training for your staff. A company such as KnowBe4 provides security awareness training in a variety of ways. KnowBe4 will send simulated phishing emails to your staff. These “live fire” exercises provide some of the best training available and heighten awareness of cybersecurity threats. There are a variety of ways to tackle cybersecurity training. The most important step is just getting started.

No matter the frequency and quality of your risk analyses, some threats may go undetected. Cybersecurity training prevents many problems, but it is not an absolute vaccine against ransomware. Your practice needs a backstop. That backstop is “comprehensive” cybersecurity insurance coverage.

“Industry data show a 29 percent chance of experiencing a data breach in the next two years,” said Pete Reilly, area executive and vice president of health care for Arthur J. Gallagher. There is a legitimate threat to all orthopaedic practices of suffering a ransomware or data breach event. Mr. Reilly explained: “There are a number of cyber insurance options available. Beyond policy limits, there are first- and third-party options that need to be considered.” We concur with Mr. Reilly’s position that there are a number of moving parts when considering appropriate cyber insurance coverage for your practice. We recommend a broker who spends most of his or her day dealing with cyber issues. This is a dynamic area where options and opportunities change frequently. Hopefully, you will never need to make a claim on your cyber insurance carrier, but if you do, you will be glad that you spent the time purchasing the proper policy.

Ransomware is a present danger to orthopaedic practices. Legal and professional requirements mandate that you address this threat on behalf of your patients. A risk analysis by a third party will help determine where your vulnerabilities lie. Appropriate training of your staff will go a long way toward preventing cybersecurity attacks. Finally, your last line of defense is cyber insurance. Spend the time and effort to select an appropriate policy. If you follow these steps, your patients and your practice will be well protected from cyber criminals.

The next article in this series will cover what to do if you are the victim of a ransomware attack.

Mike Sacopulos, JD, is the chief executive officer of Medical Risk Institute, which provides proactive counsel to the healthcare community to identify where liability risks originate and to reduce or remove those risks.

Michael R. Marks, MD, MBA, FAAOS, is an orthopaedic spine surgeon from Westport, Conn. He currently is the senior medical director for Relievant Medsystems. He is past president of the Connecticut Orthopaedic Society and AAOS Board of Councilors, having chaired the Communications Committee. He has worked on the AAOS Medical Liability Committee and Coding Coverage & Reimbursement Committee, and he currently sits on the Practice Management Committee for the Annual Meeting.


FBI warns healthcare system of cybersecurity threat

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency, and Department of Health and Human Services issued a warning in late October about cybersecurity threats targeting the healthcare sector. The agencies stated they “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” and recommend that providers take the appropriate steps to protect themselves and their practices.