Healthcare Cyber Attacks! Is your Organization at Risk?

We’ve all heard of the recent healthcare cyber attacks on organizations like 21st Century Oncology Holdings and Hollywood Presbyterian Medical Center. These were two very different cyber attacks, but information from both organizations was compromised. What’s unfortunate is that many of the organizations victimized by cyber attacks did not know about it until a law enforcement investigation into other attacks revealed them to be targets.

Healthcare Cyber Attacks

21st Century Oncology stated that it was more than 30 days before the FBI notified them that “patient information was illegally obtained by an unauthorized third party who may have gained access to the company database.” Despite the security efforts of 21st Century Oncology, they were unable to prevent a healthcare cyber attack.

Information compromised within the 21st Century organization could have included patient names, Social Security numbers, physician names, insurance information, and diagnosis and treatment information. Imagine the breach notification efforts required to contact 2.2 million individuals associated with 145 Cancer Treatment Centers in the United States and 36 centers in Latin America!

In the case of Hollywood Presbyterian Medical Center, it was reported that the hackers used malware to infect the institution’s computers, preventing the hospital staff from being able to communicate from their devices. This particular type of malware locks systems by encrypting files; then the hackers demanded ransom to obtain the decryption key. The hackers demanded 40 bitcoins, the equivalent of about $17,000.  The Chief Executive of Hollywood Presbyterian noted that “the quickest and most efficient way to restore their systems and administrative functions was to pay the ransom and obtain the decryption key.”  Two more healthcare cyber attacks have afflicted hospitals in southern California since the HPMC incident.

Preventing Healthcare Cyber Attacks: A Cybersecurity Task Force

The Department of Health and Human Services (HHS) has named 21 healthcare industry stakeholders to the Health Care Industry Cybersecurity Task Force that was authorized under the Cybersecurity Information Sharing Act of 2015.

The members of this Task Force are leaders in government and private industry. They’re innovators in technology and pioneers in health care. They represent organizations of various sizes, and they hail from different parts of the country.

HHS reported that over the next year, the task force will devise ideas for better cyber preparedness across the industry. The individuals selected will collectively look across industries and sectors to find the best ways organizations of all types are keeping data and connected medical devices safe and secure. They’ll develop materials and report their findings to Congress and the public to ensure that every organization that plays a part in our health care system can protect the data.

Healthcare Cyber Attacks: The Department of Homeland Security’s Practical Tips to Protect Your Organization

The Department of Homeland Security plays an important role in countering threats to cyber networks.  They aim to secure the federal civilian networks, cyberspace and critical infrastructures that are essential to our day-to-day lives. 

The Department of Homeland Security recommends the following preventative strategies to help an organization proactively watch for emails that try to deceive users into “clicking the link” to seemingly real websites or opening attachments. Since business networks are sometimes infected or compromised by employees using work computers for work purposes, or for personal activities, make sure they know about these precautions, too.

  • Never click on links in emails.  If you do not think the email is legitimate, whether from a third party retailer or primary retailer, go to the site and log on directly.
  • Never open the attachments. Typically, retailers will not send emails with attachments.  If there is any doubt, contact the retailer directly and ask whether the email with the attachment was sent from them.
  • Do not give out personal information over the phone or in an email unless completely sure.  Social engineering (aka phishing) is a process of deceiving individuals into providing personal information to seemingly trusted agents who turn out to be malicious actors.  If contacted over the phone by someone claiming to be a retailer or collection agency, do not give out your personal information. Ask them to provide you their name and a call-back number.  Just because they may have some of your information does not mean they are legitimate!
  • Set secure passwords and don’t share them with anyone. Avoid using common words, phrases, or personal information, and update them regularly.
  • Keep your operating system, browser, anti-virus and other critical software up to date. Security updates and patches are available for free from major companies. And if or when you have a breach, your healthcare cyber attack insurance carrier will be asking if you have installed the latest versions and patches to applications and telecommunications software.
  • Verify the authenticity of requests from companies or individuals by contacting them directly. If you are asked to provide personal information via email, you can independently contact the company directly to verify this request.  Most banks and government agencies (like the IRS) say they will never contact you by email and ask you to do something or reveal information.
  • Pay close attention to website URLs of websites you visit.  Malicious websites sometimes use a variation in common spelling or a different domain (for example, .com instead of .net) to deceive unsuspecting computer users.
  • Turn off the option to automatically download attachments to email.
  • Be suspicious of unknown links or requests sent through email or text message.  Do not click on unknown links or answer strange questions sent to your mobile device, regardless of who the sender appears to be.
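
The tip about paying close attention to website URLs can also be applied automatically, for example at a mail gateway or in a link-review script. The sketch below is an added example, not code from DHS or from this article; the trusted domains are constructed placeholders, the registered domain is approximated as the last two labels of the host name, and the two-edit threshold is an assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains staff are expected to log in to (assumption).
TRUSTED = ("examplehospital.net", "examplepayer.com")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED, max_edits=2):
    """Return (verdict, trusted_domain_it_resembles) for a link taken from an email."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        host = ""
    if not host:
        return ("unparseable", None)
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    labels = host.split(".")
    # Simplification: treat the last two labels as the registered domain.
    registered = ".".join(labels[-2:])
    for dom in trusted:
        name, _, tld = dom.partition(".")
        # Same name under a different top-level domain (.com instead of .net).
        if labels[-2:-1] == [name] and labels[-1] != tld:
            return ("different-tld", dom)
        # Variation in spelling: a few character edits away from a trusted domain.
        if 0 < edit_distance(registered, dom) <= max_edits:
            return ("lookalike-spelling", dom)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links, as they might appear in a message body.
    for link in ("https://portal.examplehospital.net/login",
                 "http://examplehospital.com/reset",
                 "https://examp1ehospital.net/",
                 "https://www.example.org/"):
        print(link, "->", classify_link(link))
```

A verdict of "unknown" only means the link does not resemble an allowlisted domain; it is not a statement that the link is safe.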

Healthcare cyber attacks are increasing in frequency, especially against larger institutions that can easily afford to pay ransom. But small organizations are just as vulnerable to attacks, and just as vulnerable to the loss of their organization’s digital information. Don’t find out the hard way. Protect your organization from healthcare cyber attacks!

Cindy Winn, MBA, CHSP

Ms. Cindy Winn has over 20 years of healthcare experience and expertise in operations, project management, and is certified as a HIPAA Security Professional (CHSP).

4 thoughts on “Healthcare Cyber Attacks! Is your Organization at Risk?”

  1. That was a lot of information delivered in concise clear language. I think all healthcare facilities have a duty to do all they can to protect the privacy of patients. Personal treatment related details as well as financial information should be guarded and not held up for ransom at the whim of a cyber-terrorist.

    1. Patricia, as consultants to the healthcare industry, we want to make sure that our clients/readers can comprehend the information that we’re providing to better their business and/or personal lives. While I agree that healthcare facilities have a duty to do all they can to protect the privacy of patients (i.e. secure passwords, antivirus protection, employee training, etc.), we also have to depend on organizations like The Department of Homeland Security to secure cyberspace, networks and infrastructures that are critical to our day-to-day lives. I do believe, in time, a collaborative effort will mitigate future healthcare cyber attacks and we will all feel a much needed sense of security again.

    1. Danny, thank you for your comment. Please keep in mind that the “Practical Tips to Protect Your Organization” are preventative strategies for both personal and professional computers.