Published 3/1/2017
John J. McGraw, MD; Karen R. Clark, MBA

Cybersecurity and the New “Armed Robbery”

Take steps to avoid becoming a target
Criminal activity is on the rise. Orthopaedic practices nationwide are coming under increasing attack from cyber criminals who, after breaching the office's computer systems, demand a ransom. It is much less risky for perpetrators, who often operate from another country, to hack into a clinic's computer system than to perform an armed robbery at the reception desk. Yet the goals and rewards are the same.

As orthopaedic surgeons, we must realize that our patients’ level of trust in us reaches far beyond our skills to care for their musculoskeletal ills and injuries. This trust also involves correctly managing their protected health information (PHI). We must also recognize the value of PHI to those outside the medical community.

Cyberextortion against a clinic typically takes one of two forms. In one scenario, the criminal announces: "We've encrypted your data; pay us if you want it back." In the second, the message reads: "Pay us or we'll sell this data to the highest bidder." In both cases the clinic faces breach notification for many patients, as well as possible monetary penalties and fines. Note that the first scenario is not an escape from notification: HHS guidance issued in 2016 treats ransomware encryption of unsecured PHI as a presumed breach unless the clinic can demonstrate a low probability that the information was compromised.

In 2016, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) placed increased emphasis on enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and on the security measures medical organizations use to protect PHI. Not only can the OIG pursue a practice for inadequate security, but two other federal agencies also often become involved: the Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS).

The OCR is the enforcement agency for the HIPAA regulations and can assess civil monetary penalties for HIPAA violations. CMS can reduce payments and initiate clawback measures to recover payments already made. Even a relatively small breach may lead to an investigation by the FBI, which can expose further deficiencies and weaknesses.

Cybercrime is not directed only at the medical community. Hackers have successfully breached the systems of government agencies, including the Internal Revenue Service, the Office of Personnel Management, U.S. Central Command (CENTCOM), the National Security Agency, and even the Democratic National Committee. Although hackers may target such entities for pride and bragging rights, targeting health systems and clinics for their valuable PHI can have devastating results if the information is released. Criminals can demand large ransoms and can lock entire computer systems until the money is paid.

“Digitized health files are jet fuel for medical identity theft,” said Pam Dixon, executive director of the World Privacy Forum. Cyber criminals know that medical entities will often pay substantial sums of money to retrieve their locked computer systems. Medical health records containing PHI can be easily sold on the cyber market, and clinics and hospitals often fail to realize their value until after an attack occurs.

Evaluate your risks
Physicians sometimes unintentionally handle PHI on unsecured networks, such as the free Wi-Fi offered in coffee shops and other businesses. Standard text messaging (SMS) on most cell phone networks is not encrypted, can easily be intercepted, and is subject to e-discovery in the event of a lawsuit. To protect PHI, physicians should obtain and use only secure messaging software that encrypts messages in transit.

Where available, the clinic's own email system should always be used and closely monitored. Firewalls should be configured to admit only authorized users. Those users include a variety of business associates who, by the nature of their relationship with the clinic, often handle PHI. Business Associate Agreements must be in place with such vendors and should specify secure methods for transferring all sensitive data.

Risks arrive from multiple vectors, and diligence and constant vigilance are mandatory. Regular assessments of security systems must not only be performed but also documented. Routine external audits by third-party security experts will either verify that a system is sound or highlight its deficiencies.

According to a recent report on the risk that user behavior poses to businesses using cloud systems, just 1 percent of users create 75 percent of the risk. Practices should identify the individuals who most often introduce that risk and monitor their activity. Ongoing education of those individuals, and indeed of all staff, is compulsory. The U.S. military conducts annual mandatory HIPAA training for all personnel who handle PHI for any reason. Training should also stress careful handling of communications other than Internet-based information, such as faxes and hard copies of documents left in unattended locations.

In addition to the large monetary ransom that criminals may extort from an orthopaedic clinic, hefty fines from U.S. government agencies should serve as impetus for diligence in the security arena. However, the very privilege of caring for patients who entrust their health care and sensitive personal information to the orthopaedic clinic should be reason enough to motivate the clinic to ensure privacy and security.

Data forensics
After a breach occurs, the first step is to determine which records were compromised and how many. This can be time-consuming and expensive; an accurate investigation usually requires contracting with an external expert to direct the process. Affected systems and their logs should be preserved, not wiped and rebuilt, until that investigation is complete.

The Ponemon Institute, a research center dedicated to privacy, data protection, and information security policy, reported that in 2016 the forensic portion could account for 15 percent of the total cost of a breach, averaging $60 per patient record. Although the forensic phase must be thorough and complete before the notification process begins, timing matters. Under the HIPAA Breach Notification Rule, a clinic must notify affected patients without unreasonable delay and no later than 60 days after discovering the breach, and some state statutes impose shorter deadlines. Clinics typically also provide identity theft monitoring.

Notification may involve more than a simple letter. If the breach affects more than 500 people, the clinic must also notify HHS and prominent local media outlets. If all records in a clinic's database are compromised, postage alone becomes an expensive line item: in the Anthem data breach of February 2015, the company spent more than $40 million on postage.

Cybersecurity and HIPAA compliance must be as much a part of an orthopaedic clinic's operation as practicing quality medicine. Monitoring, keeping up to date with legal changes, and educating all personnel on a recurring basis are mandatory in this environment. Although "armed robbery" in this arena does not involve firearms, those who breach computer systems and hold PHI for ransom can extort money from an institution in an equally effective manner.

John J. McGraw, MD, is a member of the AAOS Now editorial board and medical director of OrthoTennessee. Karen R. Clark, MBA, is chief information officer of OrthoTennessee.

Editor’s Note: This article is a follow-up to “Ransomware: A HITECH Shakedown” by Michael R. Marks, MD, MBA, which appeared in the January 2017 issue of AAOS Now.