Agencies, Practices Grapple With Increased Health Care Cybersecurity Threats

Karen Blum

Suneel Udani, MD, FASN, said he cannot recall how he first heard about the February 21st cyberattack that took down systems at Change Healthcare, one of the largest clearinghouses for insurance billing and payments in the country, but the effects on numerous medical settings, including his, are hard to forget.

Only about 30% of claims from Udani's practice, Nephrology Associates of Northern Illinois and Indiana (NANI) in Hinsdale, IL, are processed through Change Healthcare. But another clearinghouse that NANI uses became “overflooded” as it worked to make up the difference, he said. Additionally, revenue from a joint venture partnership with Fresenius Medical Care that the practice relies on to lower overhead and help pay for office staff and equipment rentals “essentially went to zero” for 3 months. “Because this was unprecedented, there was no playbook [for what to do],” Udani said. “We’re a large practice and had a very longstanding and large partnership with Fresenius, so if we were in this position, I can only imagine what other practices have been going through…. It definitely did leave us in a position [in which] we were kind of in limbo.”

Practices of all sizes are at risk for cyberattack, said Brian Mazanec, deputy director of the Office of Preparedness for the U.S. Department of Health and Human Services’ Administration for Strategic Preparedness and Response (ASPR). “Even for a small clinic, there's generally an opportunity for malicious actors to exploit the fragmented infrastructure, the unwieldy number of applications, the legacy systems, and network-connected devices,” he noted, adding that some practices may not have a lot of information technology (IT) support staff. “It's just a very vulnerable, hard-to-defend target.”

Nephrology practices are among those that are vulnerable. Hypertension Nephrology Associates, P.C., of Willow Grove, PA, disclosed in May that it had been the target of an extortion attack on February 6th. The discovery came after an extortion note was found on its computer system. The practice took immediate action, including hiring cybersecurity experts and launching an investigation to determine the scope of the breach, according to a local news story (1). A forensic investigation revealed that cybercriminals had infiltrated the firm's computer systems and had access to data files from January 20th to February 6th, potentially acquiring files containing sensitive information on 39,491 individuals, according to the Murphy Law Firm, Oklahoma City, OK, which announced it was evaluating legal options on behalf of affected patients (2). Kidney News’ calls to the nephrology practice were not returned.

In NANI's case, Udani said that some payors relayed that despite the Change Healthcare cyberattack, they would not extend the deadlines for claims to be submitted. This meant that with the clearinghouse's electronic systems disabled, NANI's revenue-cycle staff had to fill out and send paper claims by regular mail. “Everyone had to either relearn old processes to utilize them now, or had to develop new ones on the fly,” he said. “In a time [in which] physician office staffing shortages are sort of the norm, it only increased the burden on those folks.”

Heightened preparedness

Following the Change Healthcare cyberattack, the IT staff at NANI made several adaptations, Udani said. Previously, he and other physicians could log onto the system from any location or device. Now, they are required to conduct work only on practice-issued computers from a secure location. If they access patient records from a nonsecure location outside of a hospital, they are required to use a virtual private network, or VPN, to protect data from being intercepted. The practice is also instituting cybersecurity courses for staff to maintain compliance and periodically sending simulated phishing emails with suspicious links to assess how well staff recognize them. Steps like these are among a number of procedures that medical offices can adopt to protect patient data, say experts interviewed for this article. It starts with user education.

Most breaches occur as a result of an employee unwittingly responding to a phishing request (a scam in which attackers deceive people into revealing sensitive information), said Emily Jones, principal practice leader for the Warren Averett Technology Group, an IT consulting firm in Montgomery, AL. “People don't necessarily have ill intent, but they don't realize that what they just clicked on in a phishing email or something they just downloaded actually was malware [malicious software],” she said.

Generative artificial intelligence programs often used by hackers to write phishing emails are getting more sophisticated, and the emails are more difficult to detect, said Chris Callahan, chief of cybersecurity for the Cybersecurity and Infrastructure Security Agency (CISA) Region 10, which covers the Pacific Northwest. CISA is a federal agency that helps protect the country from cyberattacks and other threats. “We used to say, ‘Oh, look at the language,’ because it might be a little bit off, but now they’re doing a really good job with that,” Callahan warned. “Don't click on any attachments or any links within a suspicious-looking email.”
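Once the wording of a phishing email is no longer a reliable tell, the signals that still hold up are technical ones the attacker does not control: the SPF/DKIM/DMARC verdicts the receiving mail server records, a Reply-To that points somewhere other than the From domain, and links whose visible text names one host while the href goes to another. The script below is an added example of that header-and-link triage, written for this article; it is not code from Kidney News, CISA, or any of the people quoted. Both messages it inspects are constructed samples with made-up `.test` domains, and the `Authentication-Results` line is assumed to have been added by your own inbound mail server.

```python
"""Header-based phishing triage: checks that do not depend on the wording
of the message.  Added example; the sample messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: str) -> list[str]:
    """Return a list of human-readable red flags; an empty list means none found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Authentication-Results: SPF/DKIM/DMARC verdicts stamped by the receiving MTA.
    #    Only trust this header when your own server adds it and strips inbound copies;
    #    a sender can otherwise forge one that says "pass".
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m:
            findings.append(f"{mech}: no result recorded")
        elif m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 2. Reply-To steering replies to a domain other than the one in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} != From domain {from_dom}")

    # 3. Links whose visible text shows one host but whose href leads to another.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed sample: a lookalike "payer portal" lure aimed at a billing mailbox.
SUSPICIOUS = """\
Authentication-Results: mx.example-clinic.test; spf=fail smtp.mailfrom=bulk-sender.test; dkim=none; dmarc=fail header.from=payer-portal.test
From: "Payer Portal Support" <notices@payer-portal.test>
Reply-To: claims-desk@bulk-sender.test
To: billing@example-clinic.test
Subject: Action required: claim batch on hold
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your claim batch is on hold. Please sign in to release it:</p>
<a href="https://payer-portal.test.bulk-sender.test/login">https://payer-portal.test/login</a>
</body></html>
"""

# Constructed sample: a legitimate notice from the same (made-up) payer domain.
CLEAN = """\
Authentication-Results: mx.example-clinic.test; spf=pass smtp.mailfrom=payer-portal.test; dkim=pass header.d=payer-portal.test; dmarc=pass header.from=payer-portal.test
From: "Payer Portal Support" <notices@payer-portal.test>
To: billing@example-clinic.test
Subject: Remittance advice available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://payer-portal.test/remits">https://payer-portal.test/remits</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, triage(sample) or "no red flags")
```

None of these checks reads the body text, which is the point: a well-written lure still has to come from somewhere and still has to send the victim somewhere. The same logic can be run by a mail gateway rule or by a help desk pasting a reported message's raw source into the script.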

ASPR released a list in January of voluntary health care-specific cybersecurity performance goals (https://hphcyber.hhs.gov/performance-goals.html) and a new website (https://hphcyber.hhs.gov/) to help health care organizations prioritize implementation of high-impact cybersecurity practices. It includes 10 essential goals, such as mandating basic cybersecurity training for staff and using strong encryption to share sensitive data, as well as 10 enhanced goals, including establishing processes to discover and respond to known threats, Mazanec explained. “They were developed to try to demystify the multiple, more complicated sets of best practices that exist,” he said. “We recognize that small clinics and underresourced rural hospitals don't have dedicated cybersecurity teams.”

Jones suggests four key steps that organizations of any size can take:

  1. Educate. Educate all employees who work for your practice about cybersecurity practices, and repeat it frequently.

  2. Maintain infrastructure. Keep up to date on all software patches for your devices and servers.

  3. Create a disaster recovery plan and backup procedures to operate in downtime. “It's not if you’re breached, it's when you’re breached,” said Jones, “and when you’re breached, you definitely don't want to be without some type of plan.” Ensure all employees know where to find your plan and are able to work to the best of their abilities.

  4. Test your systems. Testing should be thorough and frequent. “There are various types: backup and recovery testing, security assessments, vulnerability scanning, and penetration testing that can give you a clear picture of your practice's security footprint,” Jones said. CISA and private cybersecurity firms perform such services, looking for vulnerabilities in need of patching.

Additionally, Jones advises that employees use complex passwords and are prohibited from using the same passwords for personal and work-related devices. Organizations should use multifactor authentication to verify users allowed onto the network, and they should establish separate wireless networks for patient versus business use. In testing scenarios, Jones has seen computer-savvy individuals sit in an organization's lobby and gain access to accounting and employee records.

Breach response

Through a free service called the Pre-Ransomware Notification Initiative (3), CISA can alert small- to medium-sized medical practices when it learns of early-stage ransomware activity on their networks, so the practice can fix the problem before data are encrypted. The challenge is that a breach will often occur after hours or on a weekend, Callahan said, and contacting the appropriate IT person or third-party vendor can take time.

If you are impacted by a breach, disconnect your system, and do not panic, he said. Report the breach to CISA by emailing report@cisa.gov, calling 1-844-say-CISA, or filling out an incident report online at https://www.cisa.gov/report. Also, contact your attorney if you have cybersecurity insurance. CISA can keep your identity anonymous while still alerting others about the breach as well as trends that it may observe. There may be other state oversight or Health Insurance Portability and Accountability Act (HIPAA)-related regulations that CISA or an attorney can help you understand.

Should you pay a ransom? The federal government advises against it, Callahan said. “But at the end of the day, it's a business decision that has to be made within these organizations.” Even if the attackers provide a decryption key, it is likely that they already have copied patient information like birth dates or Social Security numbers that could be sold on the dark web, Jones cautioned.

Do not be ashamed if a breach occurs, Callahan added. Some organizations do not want to talk about cyberattacks, but by sharing information, they can help protect others.

Cybersecurity Resources

  • The American Medical Association has a website with tools and resources dedicated to physician cybersecurity (https://www.ama-assn.org/practice-management/sustainability/physician-cybersecurity). It also has an eight-part training on cybersecurity in a clinical setting.

  • CISA offers several free services for physician and medical practices, including cyber assessments (https://www.cisa.gov/resources-tools/resources/cyber-assessments) and penetration testing (https://www.cisa.gov/resources-tools/services/penetration-testing) to identify potential vulnerabilities in networks and systems and ongoing cyber hygiene services (https://www.cisa.gov/cyber-hygiene-services) to help organizations reduce their exposure to threats.

  • The Department of Health and Human Services' ASPR offers its free Risk Identification and Site Criticality Toolkit (https://aspr.hhs.gov/RISC/Pages/default.aspx) to help organizations with risk assessment for multiple areas including cybersecurity. It also releases a weekly cybersecurity bulletin (https://www.phe.gov/Preparedness/planning/cip/Pages/CIPInquiry.aspx), as well as a cyber incident response bulletin as needed to alert readers about cyber incidents impacting the health care and public health sector. ASPR also can support tabletop exercises (discussion-based sessions in which staff walk through the organization's emergency plans against a simulated incident) with public health departments or hospitals to help practice how to respond to a cyber incident.

  • There is good news for rural and critical access hospitals. The White House announced in June that it will be partnering with technology companies Microsoft and Google to offer free or low-cost cybersecurity products. For independent critical access hospitals and rural emergency hospitals, Microsoft is extending its nonprofit program to provide grants and up to a 75% discount on security products optimized for smaller organizations (4). Larger rural hospitals already using Microsoft solutions can add an advanced security suite at no cost for 1 year. Additional benefits include free cybersecurity assessments and training for frontline and IT staff at eligible hospitals. For more information, see https://nonprofits.tsi.microsoft.com/EN-US/security-program-for-rural-hospitals/.

  • As part of the same initiative, Google will provide no-cost security advice to rural hospitals and nonprofit organizations as well as discounted pricing for some of its tools and provide funding to support software migration.

References
