Wednesday, September 30, 2020
The Growing Cyber Threat – Targeting Medical Offices, Practices and Facilities

The Growing Cyber Threat – Targeting Medical Offices, Practices and Facilities

By Malcolm S. McNeil

We have already heard about the recent twitter attack on high profile individuals. However, they are not the only targets of the hackers.

Right now we see that medical practices are a target of cybercriminals. The common activity is to forward emails to unsuspecting employees who will click on a link. That link installs malware, ransomware, or other insidious viruses. The hackers know that there are general security flaws that exist within a medical practice and further flaws where the medical facility is linked with Internet connections. Information is gathered from social media which is used to trick staffers into revealing patient information, practice information, financial records, and other confidential and protected information.

Cyber security experts agree that the sophistication and volume of attacks are increasing. Unfortunately, part of this increase comes from lax security standards established in medical offices. Some doctors say that they rely on the health insurers and providers and either think that they are covered, or that their efforts to protect themselves would be futile.

However, there is nothing diligent about simply giving up on security steps and it can be malpractice. Moreover, a large number of practices do not have cyber security backup plans in place in case of a cyberattack or any other type of natural disaster which may befall the record keeping.

The present-day cybercriminal is sophisticated. They know where to find vulnerabilities and how to exploit them. They know how technology works and they typically take the path of least resistance.

Malware is the biggest threat and messaging becomes more sophisticated in order to fool the unsuspecting victim.

One of the biggest mistakes that is made is some doctors, in small practices, think that they are too small or have nothing of value for a hacker. These medical providers are fooling themselves. The hackers are looking for a broad range of information and they exploit the least protected.

The market for stolen information is quite vibrant. Hackers will continue to pursue the most vulnerable. There are established prices for various types of health care and financial records. The hackers know that this is valuable and they know how to monetize the stolen information. Smaller organizations are sometimes more lucrative simply because of the lack of effective security protocols.

Medical practices need to have appropriate protocols in place. First, employees must be effectively trained and put on alert that these types of hacks can occur on a daily basis. Additionally, the doctor’s security protocol should be in place, they should be flexible, and constantly monitored for efficiency. There are outside organizations who will test the system to determine how effective the internal systems keep out the malware. These same organizations can arrange a phishing attack and again test the effectiveness of the security systems.

Today’s cybercriminal is not simply a teenager tampering with systems. Instead, these cybercriminals know where to get information about the doctors in the practice, the nature of the practice, and a variety of other records because physicians and their staff are typically on LinkedIn or Facebook or have other websites which provide important information to the public. At the same time, they provide leads for cyber hackers to exploit, and they know how to monetize the information.

Medical practitioners must have a cyber-plan in place in case of a hack. Today’s penalties for privacy breaches are severe and punishing. In California we have the new CCPA, along with the normal HIPPA requirements. There may be other applicable privacy protections that require diligent security protocols in place and constant monitoring.

The basics are obvious. The medical practitioner can ask “what would I say if I were examined regarding the security procedures that I have put in place to promote, promulgate and protect personal information?” The answer will provide the appropriate guidance for the next steps to take.


Malcolm S. McNeil is a Partner with the law firm Arent Fox LLP.
Other WorkAnswers posts related to Security and Technology