Cyber threats are an ongoing concern in the health care industry, which faces unique risks from malicious actors. At the annual meeting of the Large Urology Group Practice Association (LUGPA) in Chicago, Illinois, Michael C. Lamprecht, the president of BigData Insure, LLC, told attendees that cyber threats vary depending on how their practice group is organized. “When it comes to cyber exposure, no 2 companies are the same,” said Lamprecht. “Your risk is mostly determined by what you do” as an organization.
Lamprecht said group practice administrators may be surprised about the nature of the cyber threats they face. Some seem obvious, such as phishing emails or social engineering — the latter of which is on the rise, he explained. “We’re starting to see an increase in health care, where people are posing as vendors and directing you to send funds to a particular account,” he said. While smaller group practices are more likely to know all of their vendors, larger ones that deal with hundreds of outside contractors are often easier to attack. Ransomware is also a ubiquitous threat, Lamprecht explained. Ransomware is software that, once installed in a computer system, denies access to that system until a ransom of tens of thousands of dollars is paid to the attacker. “There are people with very little [computer-based] skill who can extort you for thousands of dollars” with the technique, Lamprecht explained.
He also strongly emphasized the growing risk of fraudulent funds transfers, which often occur when an attacker is spoofing, or mimicking, a trusted vendor’s contact information to elicit payment from an unsuspecting administrator. “One of you in this room will see this in the next 12 months,” Lamprecht said. “Generally speaking, if you realize your money has been misdirected and you can respond within 72 hours, we can recover it.” After that, it’s much, much harder.
But the single largest threat any organization faces comes from within, in the form of employee oversight or dishonesty, he said. “You probably think that could never happen to me, but this is the number one cause of loss in physician practices.” If a practice’s employees are trained on basic computer security, the group is “1000% better off,” he said. Beyond training them not to “click on that email with a picture of a cute cat,” standard cybersecurity protocols should be posted in plain view.
Lamprecht said practices can decide how they will respond to threats before they occur, so that they are poised to act quickly when an attack or breach happens. “The time you take to respond to breaches will have a huge impact on how much it will cost you,” he explained. He added that administrators should review their current medical malpractice policies to find out if they are covered against cyber threats. “The very first place you should be looking is in the policies you already buy,” he said.
In an interview with Renal & Urology News, Lamprecht said he would love for administrators to come away from the session eager to look at their own risks more than anything else. “It’s not about the insurance, it’s just getting a baseline on where they stand,” he said. “Can they defend against these attacks?” He added that administrators should start by assessing what kind of records they are collecting, how they’re storing records, and whether they’re publishing them anywhere online. “You can’t really do anything [else] until you’ve done that,” he said.
Lamprecht MC. Understanding Health Care Cyber Risk. Presented at: LUGPA 2019 Annual Meeting; November 9, 2019; Chicago, IL.