AAOS Fall Meeting symposium provides different stakeholder perspectives
Technology hacks and digital ransom demands have become more commonplace in the healthcare sector, and many physicians and practices may not be well equipped to ward off a future attack. During the AAOS Fall Meeting in San Antonio, Texas, Amy L. Ladd, MD, chair of the AAOS Board of Specialty Societies, moderated a panel discussion on real-world examples of healthcare hacks and tips to improve cybersecurity, titled “Cybersecurity, Hacks, and Ransom.” Samuel E. Murrell III, MD, an orthopaedic surgeon in Tennessee; Gregory Garza, an FBI intelligence analyst in the San Antonio Division Cyber Squad; and Paul Haisman, MBA, BSc, AAOS chief information officer, provided personal insights and offered guidance.
Dr. Ladd: Dr. Murrell, you came into work one morning and found out your facility had been hacked. What was that like?
Dr. Murrell: I went to log in to our system, and instead of seeing the usual green, smiling face on the screen, I received a frowning face. I also noticed that the internet was down. I went to our information technology (IT) department to tell them our internet was down, and that’s when I found out we had a security hack.
It’s just a horrible, sick feeling, kind of like coming home and finding your house was broken into. Then you have to consider who to notify. We need to tell our patients; the Health Insurance Portability and Accountability Act (HIPAA) has reporting requirements. Every state has its own civil laws, so you need to be aware and meet the standard of any state in which you have patients who need to be notified.
Dr. Ladd: Was there a ransom note?
Dr. Murrell: In most situations, there is a ransom note, but in our case, it was an attack on our server, which, fortunately, doesn’t really contain our protected health information (PHI) data.
The most common way to get hacked is through phishing expeditions with emails. For example, you’ll receive a fraudulent email that says, “Your password has expired. We need you to reset it.” When you click and comply, you’ve provided the hacker with a new password that they can then use to penetrate the system.
Orthopaedic practices are an easy target. Apparently, the practices are of the size where there’s a certain associated revenue, which makes them a good target.
Dr. Ladd: Mr. Haisman, what is the Academy doing about this?
That changes the roles of the positions we hire. It also increases our risk factor as an organization. In February, we hired a full-time security engineer who works on securing our network systems and data and looks at our processes by working with our business stakeholders to understand who has access to the data. We’ve also instituted mandatory HIPAA security training across the technology team, which is one of the largest departments in the Academy. Additionally, we will be requiring every AAOS staff member to undergo HIPAA security awareness and information security training. We are also installing upgraded firewalls and monitoring services, as well as looking for data anomalies.
There is a recognition that most of the breaches we’re talking about happen from the inside. People with access to data may not understand with whom they’re sharing it.
Dr. Ladd: Mr. Garza, can you give us some insights on healthcare hacks from the FBI perspective?
Mr. Garza: It’s a bigger problem than most people think. People aren’t breaking into banks anymore. Everything is done virtually now, because it’s low risk, high reward.
There have been some practices here in San Antonio that have been impacted with ransomware. It was very scary for them, because they couldn’t function and had to stop seeing patients.
Most folks aren’t IT or cyber savvy—all they know is they got hacked. That’s about the extent of their knowledge. We have to kind of walk them through it.
Mr. Haisman: In this industry, if a hack occurs, the first thing you’re probably told is, “Don’t say a word. Don’t talk to patients. Go through our legal system.” We are never told to share what our vulnerabilities might be or why this happened. If that continues to happen, how are we ever going to learn from other experiences? From an Academy perspective, these are the types of things we should be talking about as it relates to cybersecurity and securing our patients’ data. I think the more we discuss it, the more that we can share best practices.
Dr. Ladd: Dr. Murrell, based your experience, what does everyone need to know?
Dr. Murrell: Be wary of anything coming into your email. We also have a policy on personal device use during the day. It’s just one more avenue for someone to get into your system, especially if you’re using the facility’s WiFi to access your personal phone.
Mr. Garza: Social media is definitely an area that can be exploited. Hackers will do a lot of research on you—your social media and professional website. They’ll look at your “About Us” page and your staff and executive board. Then they’ll look at all your social media sites and build a complete dossier on you. That’s how they create these personas and start portraying you. They’ll create spinoff email accounts that are convincing at quick glance; for example, substituting the number one for the letter L, and no one is the wiser.
Mr. Haisman: Last month, the Academy performed an internal phishing exercise with the staff. We sent out an email that had a link that looked like it was from a valid source. It asked users to go in and update their information. They were presented with a login screen that went to a totally different site than the regular location. Within an hour, we had several employees enter their credentials. We didn’t do it to tick people off, but it was absolutely necessary to help increase awareness of phishing links. As much as we try, we can’t stop all the emails that come through.
Another issue is that people use the same password across multiple sites.
Mr. Garza: The most important thing from a password perspective is that the longer the length, the harder it is to crack. A six- or eight-character password is extremely easy to crack. But the longer the password, the harder it is to remember, so I recommend using a password management tool. They’re pretty inexpensive and can be plugged in or embedded into your browser.
I also recommend using pass phrases for passwords. Think about three words that are totally unrelated but mean something to you that you’ll always remember.
Dr. Ladd: What about registries? Who owns the data, and who protects them?
Mr. Haisman: AAOS is a business associate. We’re not a healthcare provider, but with HIPAA rules, regulations do pass through to business associates. We have to make sure we follow the same rules and guidelines and have a formal security program as a business associate of the covered entities, which are the participating institutions of the registries. But the data are not owned by the Academy; they are owned by the respective institutions. Related to data security, there are a very limited number of staff who have access to the actual raw data that come into the Academy. Those data never reside anywhere unless they are encrypted.
Dr. Ladd: Mr. Garza, California and the European Union have new privacy laws about user data. What do you think about those laws?
Mr. Garza: Europe’s General Data Protection Regulation (GDPR) requires companies to be transparent with customers about how they plan to use their data, how data are collected, and how data are sold. I believe this is a good thing, so the customer or subscriber has more control over his or her privacy. California’s strategy echoes that of the GDPR, but it’s slower moving.
Everything has an IP address now—even your toaster and refrigerator. If you have an IP address, you are touchable from anywhere in the world.
Dr. Ladd: Security is slow and expensive, and technology is light-years ahead of regulations. What’s your final take-home point, Mr. Haisman?
Mr. Haisman: Awareness is number one. Go back to your respective organizations and think about security from a strategic perspective—is security even on your roadmap? Are you having conversations about security, and are the right people involved in those conversations? The industry needs to have broader conversations, but it needs to start local. A one-and-done conversation about national security is not going to cut it.
Dr. Ladd: Mr. Garza, what’s your final take-home point?
Mr. Garza: You must separate your personal and professional affairs, even if that means having two separate phones.
Kerri Fitzgerald is the managing editor of AAOS Now. She can be reached at firstname.lastname@example.org.
The Department of Health and Human Services’ top 10 tips for cybersecurity in health care
- Establish a security culture.
- Protect mobile devices.
- Maintain good computer habits.
- Use a firewall.
- Install and maintain antivirus software.
- Plan for the unexpected.
- Control access to protected health information.
- Use strong passwords and change them regularly.
- Limit network access.
- Control physician access.
Department of Health and Human Services: Top ten tips for cybersecurity in health care. Available at: www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf. Accessed November 8, 2018.