Cyber security for your medical practice
If you are a medical practice or any company that processes credit card payments, now is the time to take a moment to understand your cybersecurity posture and its accompanying business risk. Based on industry standards, investments in preventative cyber security before an attack have a 10:1 ROI as compared to the cost of reacting to and mitigating problems after an attack.
Here are a few real examples (source: Foresite):
A dental practice found a ransomware demand for $4,900 on a computer which contained protected health information (“PHI”) for 3,780 patients. In addition to paying the ransom, the dental practice incurred the following expenses: forensics, legal services, breach notification expenses, identity restoration and credit monitoring, and public relations expenses, which totaled $49,428.79.
A public-facing business in Washington was notified of a breach by Mastercard due to the high level of fraud they identified. The company was required by Mastercard to immediately undergo a forensic examination which totaled $11,646.90 in costs. Six months later, the company was fined an additional $26,242 for Fraud Recovery along with a Case Management Fee of $8,000. Two months after those expenses, Visa assessed a non-compliance fine of $5,000. The company experienced a total cost of $50,888.90 due to the breach.
A medical practice closed its doors after hackers deleted all its patient records once the doctors refused to pay the hackers’ ransom demands. The two doctor partners decided to retire early rather than try to rebuild their practice. Hackers demanded a $6,500 ransom in exchange for the code the doctors could use to access their encrypted medical files, and the doctors refused to pay. The hackers then permanently deleted all the records, including all files, appointment schedules, and all payment and patient information.
Cyber-attacks often make the target company feel violated, vulnerable and generally helpless, and these risks are on the rise. The damage related to cybercrime is projected to hit $6 trillion annually by the end of 2021, according to Cybersecurity Ventures. To give you a better view of the current state of overall security, we offer the following statistics about data breaches and hacking, along with industry-specific figures (including healthcare).
Worldwide spending on cybersecurity is going to reach $133.7 billion in 2022. (Gartner)
68% of business leaders feel their cybersecurity risks are increasing.
Data breaches exposed 4.1 billion records in the first half of 2019. (RiskBased)
71% of breaches were financially motivated and 25% were motivated by espionage. (Verizon)
52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering, respectively. (Verizon)
However, even in the face of these rising attack vectors, you are not alone. Further, you do not have to have an IT Security background (to go along with your medical credentials) just to maintain a reasonably safe practice. Intellikor is available to help assess your business and help you create a playbook for preventing a breach. Often our analysis finds vulnerabilities around the most common causes of a breach, and we can tailor our research to determine exactly which problems your practice is most likely to experience. Some examples include:
Weak and/or Stolen passwords
Back Doors, Application Vulnerabilities
Improper Configuration and User Error
The growth of large-scale breaches represents a growing trend in the industry. As the examples above show, data breaches expose sensitive information, which often leaves users at risk for identity theft, ruins companies’ reputations and leaves the company liable for compliance violations. The following data was compiled in 2019, and cybercrime has been on the rise since then:
Security breaches have increased by 11% since 2018 and 67% since 2014. (Ponemon Institute)
Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
The average time to identify a breach in 2019 was 7 months. (IBM)
The average lifecycle of a breach lasted almost 11 months (from the breach to containment). (IBM)
In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers and that it was forced to pay them $100,000. (Bloomberg)
Even though the Equifax breach was in 2017, the company is still paying off the $4 billion in total.
But these banner headlines are not the whole story, only the most notorious incidents. Reducing your enterprise’s cyber risk requires a holistic approach, and threats are just as real to a small practice as to a global giant. Here are some of the steps you should be thinking about, and if your practice does not have certified IT staff, it may be time to bring in an expert for a posture review. You should discuss with your staff or IT provider the following risks:
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
“Man in the Middle” (MitM) penetrations
Phishing (and spear-phishing) attacks
SQL injection attacks
Cross-site Scripting (XSS)
If these types of attack have not been addressed in your environment (or especially if you don’t even know what they mean), it’s time to sit down with the experts. You won’t have to overhaul your entire practice, and you don’t have to create a fortress for your data, but a few timely investments in both IT and Operations protections with a roadmap for the future will put your practice ahead of the pack and encourage those bad actors to attack elsewhere.
69% of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute)
The average cost of a ransomware attack on businesses is $133,000. (SafeAtLast)
92% of malware is delivered by email. (CSO Online)
Ransomware detections have been more dominant in countries with higher numbers of internet-connected populations. The United States ranks highest with 18.2% of all ransomware attacks. (Symantec)
It may also interest you to note that Finance and Healthcare are the most popular targets for hackers. Sadly, (in general) no one is safe nowadays. Additionally, SMBs were widely targeted due to the perception that they have fewer security capabilities in place.
43% of breach victims were small and medium businesses. (Verizon)
15% of breaches involved Healthcare organizations, 10% in the Financial industry and 16% in the Public Sector. (Verizon)
The banking industry incurred the most cybercrime costs in 2018 at $18.3 million. (Ponemon Institute)
The estimated losses in 2019 for the healthcare industry were $25 billion. (SafeAtLast)
We offer these elements to keep cyber security a “top of mind” priority. Since this field is where we live, we understand these risks and we routinely help our clients to mitigate them. Unfortunately, most of our clients are too busy serving customers, paying bills, sending invoices and collecting revenues to devote the proper attention to their security posture. There are plenty of solution providers out there, and a broad expanse of security “point products” to help protect your business, but remember that an analysis of your business and your current technologies is the best starting point for any security investments. If you believe you have addressed these threats properly, congratulations, because you are in the minority. But if your investments have been lacking, you can call us for help.
Intellikor is a cybersecurity company focused on protecting our clients’ IT and operations, both on-prem and in the cloud (private, public, community and hybrid cloud). Based in New Jersey and with security engineers certified in the latest security technologies, Intellikor is offering this audience a no-risk discussion on improving your cybersecurity posture and awareness. We believe 80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations, as well as best practices for handling and backing up your data. We are also hosting an event on Friday, April 2nd where you can ask our engineers your own security questions. For details, you can find us at www.intellikor.com. Although the current state of hacking is challenging (and sometimes scary), we can help you address these threats and get ahead of the most malicious attacks to help you improve your overall cybersecurity.