Digital Debut
Federal Government Warns of Cybercrime Threat to Healthcare Providers
What ASCs can do proactively to protect their data
BY ROBERT KURTZ | NOVEMBER 2020
Federal agencies, including the Federal Bureau of Investigation and the US Department of Health & Human Services, issued a warning last week on an "increased and imminent cybercrime threat to US hospitals and healthcare providers."
The agencies reported that cybercriminals were targeting providers with ransomware, a type of malicious software designed to encrypt data with a security key known only to the cybercriminal. Once the malware is executed on a user's local computer system, it encrypts all files on the machine and possibly others on a shared network. Once finished, the malware usually displays a text file that provides an electronic "address" to send a payment—usually a digital currency like bitcoin—in exchange for the software key to decrypt the files. Making the payment, however, does not assure that the cybercriminals will provide the key.
The Associated Press reported last week that the cyberattacks have already hit multiple hospitals and many more are likely to be in these cybercriminals' crosshairs.
"ASCs, like other healthcare providers, collect and store large amounts of protected health information and other sensitive information essential to running their operations and delivering care," says Nelson Gomes, senior vice president of business development for Medicus IT in Alpharetta, Georgia. "This data is considered highly valuable to cybercriminals."
Once stolen, healthcare data can be used for identity theft, blackmail or extortion. ASCs, because of their size and budgets, tend to lack the more comprehensive and extensive (i.e., enterprise-level) security measures and systems of larger organizations like hospitals, Gomes says, potentially making surgery centers more vulnerable to a cyberattack.
ASCs can take a few steps to help strengthen their preparations for and defenses against cyberattacks. Ransomware is typically spread via email, Gomes says, so he recommends ASCs do the following:
- Do not click on links or open attachments from senders you do not know.
- If you receive an email from someone you know with an attachment or link, review the email's content. If the email does not read like something that person would send you, do not open the attachment or click the link. Contact that person via a mechanism other than email to verify the email's legitimacy. If the email is illegitimate, report the incident to the individual(s) or vendor managing your information technology.
- Watch for email spoofing, which is when a cybercriminal disguises an email address, sender name, phone number or website URL to convince you that you are interacting with an individual or company you trust.
- If you are prompted to log in to a website, verify the URL in your web browser to help ensure you are signing into a legitimate website.
- If you believe you entered your login credentials into a non-legitimate website, immediately change your password and inform your IT point person.
The federal government also provides some valuable resources to help healthcare providers better protect their networks, such as a ransomware guide that includes a response checklist and a fact sheet about ransomware and the Health Insurance Portability and Accountability Act of 1996.
"ASCs need to take the threat of cyberattacks seriously," Gomes says. "Effective preparation can help ASCs reduce the likelihood that they will experience a ransomware attack or at least allow them to more effectively respond if they do fall victim."