Healthcare entities have become one of the favorite targets of hackers. The number of successful ransomware attacks that have been launched against private practice providers and DSOs continues to be woefully under-reported. Covid-19, the political climate, and major cyberattacks launched against Fortune 100 companies and hospitals continue to dominate the news. However, in just the past 12 months, hackers have also successfully attacked thousands of private practice medical and dental providers, yet these attacks have been almost completely ignored by the media.
Practice owners who were already hit hard by the pandemic have quietly had to deal with an epidemic of ransomware attacks. The cost of one of these attacks has also increased significantly. During an already difficult time, cybercriminals have “upped their game” and increased the sophistication of their attacks, increasing the victims’ costs to recover. Gone are the days of recovering from a ransomware attack for less than a six-figure impact on your practice. With the increase in ransom demands, lost production time, breach response, legal fees and possible equipment replacement, it will easily cost small practices over $100,000.
In 2020, cybercriminals introduced a vicious new tactic: publishing stolen patient records on public-facing Dark Web auction sites. If the victims refuse to pay the ransom, patient demographic information, images, health history forms, etc. are published.
Too many practice owners make the mistake of assuming that “the bigger the healthcare entity, the bigger the risk,” but the reality is that small- to medium-sized practices are even more attractive targets for criminal hackers. Cybercriminals typically take the path of least resistance when targeting organizations.
Why Do I Need to be Concerned?
What does this trend mean for the small- to medium-sized practices and DSOs? What if on a Monday morning you arrive at your office and find 100% of all your computers encrypted with ransomware? Your IT vendor comes onsite and says, “We have a major problem! Not only is your data encrypted, but the hackers left a note indicating they STOLE all your data.” Then you find out all your backups, including your Cloud backup, are gone. Through an investigation, it is determined that hackers installed screen-sharing software four weeks prior to the ransomware attack and have been watching everything you do on your computer—including accessing your Cloud software. What will you do?
This is a problem that we see on a regular basis. Here are some variables common to all these attacks against providers:
- Each practice thought they were protected by their IT company.
- All offices had a firewall and anti-virus software.
- The recovery costs and business interruption resulted in providers spending $100,000+.
- All local backups were encrypted with ransomware and many of the Cloud backups were destroyed by the hackers.
- Most systems had been compromised for days or even weeks prior to the IT company or practice knowing that they had been breached.
There are effective and affordable steps that any size DSO can take today. The first, and possibly most significant, step is understanding that your IT provider is not a cybersecurity expert. A typical IT company’s area of responsibility is the installation and maintenance of a network. Most IT companies do not have the tools, training, certifications, or real-world experience to offer an effective security solution. If your IT company encourages you to engage with a dedicated cybersecurity company, then at least you know that you are working with a technology partner who has your best interest at heart.
Cyber Due Diligence is Critical
Some important questions that a DSO should ask any practice that they consider purchasing:
- Have you ever been a victim of a cyberattack?
- Does your IT company provide you with regular vulnerability reports?
- Does your IT company have an ethical hacker performing annual penetration tests on your network?
Before purchasing any practice, you should make sure you have the answers to the above questions. You certainly don’t want any of their prior issues or lack of knowledge of proper “cyber hygiene” to ultimately become your problem.
The Importance of an Independent Security Audit
Taking the next step and engaging a dedicated cybersecurity company may be easier and less expensive than you think. There are companies that offer affordable, effective security solutions that add the necessary layer of protection healthcare providers should have in place to protect themselves and their patients. At a minimum, any company you consider hiring should offer the four pillars of an effective security solution:
- Pillar #1 – A complete assessment of your operations, technology, policies and procedures.
- Pillar #2 – The management of vulnerabilities that exist on your network. These vulnerabilities are present on everyone’s network and are what hackers use to gain access to your data.
- Pillar #3 – Cybersecurity awareness training for your staff (which is required for HIPAA compliance).
- Pillar #4 – Penetration test performed against your network on at least an annual basis by an ethical hacker.
Implementing an effective cybersecurity solution in your practice requires zero downtime. Most cybersecurity professionals can add the required layers of security without your having to take your network offline, and most of the work that they do is completely behind the scenes.
The Ripple Effect of a Data Breach is Paralyzing
It is time to protect your practice and your patients. It is time to go on the offensive, feel empowered, and take the steps necessary to protect your livelihood. Take the power away from the ruthless cybercriminals who wreaked havoc against healthcare providers in 2020.
You are not powerless.
You can avoid becoming a victim and remove that target from your back.
You should feel confident being able to focus on your patients and let your cybersecurity provider worry about the hackers.
Contact us at https://www.blacktalonsecurity.com/contact-us
or call (800) 683-3797