Cybercriminals Set Their Sights on Small Medical Practices

While data breaches against large corporate and government entities garner the most headlines, cyberattacks against the healthcare sector have been surging in recent years. Healthcare providers have proven to be highly lucrative targets for cybercriminals—and small medical practices are no exception.

In this blog, we will explore the key cyberthreats to healthcare, why small practices are especially vulnerable, and what can be done to mitigate the risks.

Healthcare: A Prime Target for Cyberattacks

Data breaches in the healthcare sector had an average cost of $10.1 million between March 2021 and March 2022, according to the IBM Cost of a Data Breach Report 2022. That’s a record high for healthcare, nearly half a million more than the national average ($9.44 million) and more than any other industry. For the past 12 years, healthcare has topped the list for the average cost of breaches.

The high costs that healthcare experiences from cyber events largely stem from regulation. Health Insurance Portability and Accountability Act (HIPAA) laws are incredibly strict and medical providers face major legal repercussions when protected health information (PHI) is compromised. A heavily regulated sector like healthcare tends to see costs amass over a lengthy period of time following a breach; IBM found that 24% of costs accrue over two years after an incident. By comparison, less-regulated industries only accrue about 8% in costs over the same time period.

Unfortunately for the medical providers, PHI is incredibly valuable for cybercriminals. Healthcare records are sold on the dark web for up to $1,000, whereas credit cards only sell for up to $110 on average.

Common Cyberthreats

Making matters worse for healthcare is that many threats come from within. According to Verizon’s 2022 Data Breach Investigations Report, healthcare is the industry most impacted by privilege abuse, which is when employees use legitimate access to steal data. In 22% of all privilege abuse incidents, medical data was stolen.

In terms of external threats, ransomware attacks continue to plague the healthcare sector. In February, the ransomware-as-a-service (RaaS) group BlackCat launched an attack against the Lehigh Valley Health Network (LVHN), an eastern Pennsylvania-based health system. LVHN refused to pay the ransom, and BlackCat posted patient information on the dark web, including photographs of cancer patients receiving treatment.

Healthcare payments are also a target; another common scheme involves healthcare providers’ payment processing services. The FBI issued a warning in September 2022 that cybercriminals have been employing social engineering techniques and amassing publicly available personal identifiable information (PII) to impersonate healthcare payment processor employees and redirect payments from providers. Two separate incidents in February 2022 involved fraudsters changing direct deposit information and rerouting payments totaling $3.1 million and $700,000 to accounts they controlled.

Medical providers can also be severely impacted—often through no fault of their own—is through third-party providers. For example, Eye Care Leaders (ECL), which provides ophthalmology-specific electronic medical records (EMR) services, incurred a data breach in December 2021. The breach affected providers ranging from small vision care practices to the Texas Tech University Health Sciences Center, compromising more than 2 million patients.

Small Medical Practices Come Under Fire

While cyberattacks at large healthcare systems tend to receive more attention, cyber incidents impacting smaller medical practices also have been dramatically increasing. According to the Healthcare and Public Health Sector Coordinating Council (HSCC), cybercriminals are targeting smaller practices because they are generally less prepared to detect, respond and recover from attacks.

The 2022 NetDiligence Cyber Claims Study, which analyzed nearly 7,500 incidents that occurred between 2017 and 2021, found that small and medium-sized enterprises (SMEs) in healthcare were among the top five business sectors impacted by cyber incidents. Small and midsized medical practices incurred $103 million in total costs, ranging from $1,000 to $11 million and averaging out to $103,000, over the five-year period. Incidents at healthcare SMEs appear to be on a steep incline; the year-over-year average skyrocketed from $168,000 in 2020 to $541,000 in 2021. Ransomware, staff errors and hackers were the listed as top reasons for losses.

Defenses for Small Medical Practices

Medical providers need to be proactive in protecting their organizations against threats like ransomware. HSCC provided 10 best practices for small medical practices to defend themselves.

Email Protection Systems: While most small practices use third-party email providers, free email systems that fail to meet HIPAA Security Rule requirements should be avoided. Email systems should be configured with antivirus software and multifactor authentication (MFA), and users should be trained to identify common attacks like phishing and ransomware.

Endpoint Protection Systems: Devices like desktops, laptops and mobile devices are endpoints that provide access to your network. Medical practices can secure endpoints through practices like ensuring that only appropriate employees are listed as administrators, keeping all devices patched and updated, and enabling encryption and MFA.

Access Management: Medical practices must identify all users and maintain audit trails that monitor access to data, applications, systems and endpoints.

Data Protection and Loss Prevention: Providers can prevent the compromise of sensitive data by knowing exactly where it resides and how it is accessed. Organizations must establish clear policies, procedures and education around handling this data.

Asset Management: Medical practices should regularly perform IT asset management (ITAM) processes. These processes include capturing key information for each device like asset IDs, purchase orders and IP addresses; establishing standard procedures for procuring new devices; and decommissioning assets no longer in use.

Network Management: Network devices must be managed so they can exchange data safely. When relying on a third-party IT vendor, the medical practice should build effective network management practices into the vendor contract.

Vulnerability Management: Medical practices should establish a process to detect flaws that cybercriminals could exploit. It typically involves scanning devices and systems for common vulnerabilities, like weak passwords and outdated software.

Incident Response: When cyber incidents occur, organizations need to be able to quickly identify and neutralize them. Medical practices must have specific response procedures in place that employees are drilled on regularly. Providers should also join an information sharing and analysis organization (ISAO) or information sharing and analysis center (ISAC) to get regular updates on the latest threats to their industry.

Network Connected Medical Device Security: One emerging threat is the exploitation of vulnerabilities in medical devices, which can put patients in serious danger. Medical devices connected to networks, especially ones managed remotely by third parties, are highly vulnerable and must be carefully secured and monitored.

Cybersecurity Oversight and Governance: Owners and executives at small healthcare practices should establish a culture that emphasizes that cyber risk management is the responsibility of all users. Staff should be carefully trained on cybersecurity best practices to prevent unauthorized entry into the network, as well as their responsibilities around HIPAA laws.

Securing Your Payments and Data

As cybercriminals continue their relentless attempts to intercept PHI and healthcare payments, medical providers have a responsibility to combat these constant attacks. Fortunately, you don’t have to do it alone. Rectangle Health employs the highest levels of security for every payment we process, and we stay on top of policy to ensure compliance with all laws surrounding sensitive data. Cybersecurity is a team effort; you can count on Rectangle Health to protect your practice and your patients.

Learn more about our security and compliance efforts.

References

1. Davis, Jessica. (2022, July 29). “Healthcare data breaches cost an average of $10.1M, more than any other industry.” SC Magazine. https://www.scmagazine.com/analysis/healthcare-data-breaches-cost-an-average-of-10-1m-more-than-any-other-industry
2. (2022, July 27). IBM Cost of a Data Breach Report 2022. https://www.ibm.com/resources/cost-data-breach-report-2022/
3. (2023, Apr. 14). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, April 14, 2023. U.S. Department of Health and Human Services, U.S. Healthcare & Public Health Sector Coordinating Council. https://405d.hhs.gov/Documents/HICP-Main-508.pdf
4. (2017, Dec. 6). “Here’s How Much Your Personal Information Is Selling for on the Dark Web.” Experian. https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/
5. (2023, Mar. 8). “Lehigh Valley Health Network: Patient photos, info from ransomware attack released online.” Pocono Record. https://www.poconorecord.com/story/news/2023/03/08/lvhn-patient-information-from-ransomware-attack-released-online-scranton/69986640007/
6. (2022, Sept. 14). “Cyber Criminals Targeting Healthcare Payment Processors, Costing Victims Millions in Losses.” FBI Cyber Division. https://www.ic3.gov/Media/News/2022/220914-2.pdf
7. McKeon, Jill. (2022, June 17). “Eye Care Leaders EMR Data Breach Tally Surpasses 2 Million.” Health IT Security. https://healthitsecurity.com/news/eye-care-leaders-emr-data-breach-tally-surpasses-2-million
8. Bruce, Giles. (2022, June 7). “33 smaller cyberattacks that hit healthcare providers.” Becker’s Health IT. https://www.beckershospitalreview.com/cybersecurity/33-smaller-cyberattacks-that-hit-healthcare-providers.html
9. (2022, Feb. 15). Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations. U.S. Department of Health and Human Services, U.S. Healthcare & Public Health Sector Coordinating Council. https://405d.hhs.gov/Documents/tech-vol1-508.pdf
10. (2022, Oct. 3). Cyber Claims Study 2022 Report. Net Diligence. https://netdiligence.com/cyber-claims-study-2022-report-thank-you/
11. (2022, Sept. 12). “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities.” FBI Cyber Division. https://www.ic3.gov/Media/News/2022/220912.pdf