Cybersecurity - Plastic Surgery Practice
https://plasticsurgerypractice.com/practice-management/office-management/cybersecurity/

7 Ways to Keep Your Plastic Surgery Practice Cyber-Secure
https://plasticsurgerypractice.com/practice-management/office-management/cybersecurity/7-steps-to-keep-plastic-surgery-practices-cyber-secure/
Wed, 10 Jan 2024 20:44:36 +0000

By Michelle Drolet

In an era where data breaches and cyber threats loom, the security of patient information in plastic surgery practices (PSPs) is more critical than ever. Envision a scenario where, in a mere moment, the confidential data of your patients is at risk, posing a serious threat to the trust they place in your practice and to the ethical integrity of your operations. This situation is not a mere speculative exercise; it’s a critical, real-world issue that necessitates prompt and effective countermeasures.

After all, says Mark D. Epstein, MD, FACS, a dual-board-certified plastic surgeon in Hauppauge, N.Y., “As plastic surgeons, we are responsible for highly sensitive data but also tend to lack the necessary knowledge and skill set to safely protect it from unauthorized access and exfiltration.”

Integrating technology in healthcare has been a boon for PSPs, enhancing patient care and operational efficiency. However, this digital transformation brings an increased risk of cyber threats. A staggering American Medical Association (AMA) statistic reveals that approximately 83% of physicians have experienced cyberattacks. This reality places an immense responsibility on PSPs to understand and actively combat these risks.

Cybersecurity in PSPs goes beyond protecting data; it is fundamentally about safeguarding patient trust and your practice’s reputation. The implications of a breach are profound, ranging from legal liabilities to irreparable damage to patient relationships. According to the IBM Cost of a Data Breach Report, the healthcare sector saw an average data breach cost of $11 million, the lion’s share being the theft of PPI files. 

These statistics are not just numbers but a clarion call for PSPs to strengthen their cybersecurity posture. Below are seven actionable steps to secure your practice against ever-evolving cyber threats. Each step is tailored to be practical and achievable, ensuring that your journey toward enhanced cybersecurity is successful and sustainable.

1. Build a Cybersecurity Program Built on Risk

The foundation of a robust cybersecurity strategy lies in understanding and mitigating risks. Begin by conducting a thorough risk assessment and identifying system and process vulnerabilities. This could range from weak passwords to unsecured Wi-Fi networks. A cybersecurity program should include regular updates to your software systems, strict access controls, and frequent training of staff on cybersecurity best practices. 

Remember: Breaches can result not only from external attacks but also from internal oversights. Per HIPAA, maintaining patient confidentiality is an ethical and legal obligation, so ensure your cybersecurity measures align with HIPAA guidelines.

2. Invest in the Right Technological Controls

Incorporating the right technological tools is essential in safeguarding your practice from cyber threats. Invest in endpoint protection, access control policies, next-generation firewalls, and strong intrusion detection systems. These mechanisms are essential as key defenses in case of a possible cyberattack. Additionally, consider implementing secure, encrypted communication channels for sharing patient data, especially when involving telemedicine. 

Regular data backups are also vital; in the event of data loss due to a cyberattack, having a recent backup can be the difference between a quick recovery and a prolonged, costly disruption. While the investment in these technologies may seem substantial, the cost of a data breach—financially and in terms of patient trust—can be far more significant.

3. Take Account of Compliance and Regulations

For PSPs, compliance with health data regulations isn’t just a legal mandate; it’s a cornerstone of patient trust. In 2021, the healthcare industry faced over 22% of all data breaches, emphasizing the need for stringent compliance measures. Failing to adhere to regulations may result in significant financial repercussions. For instance, penalties for violating HIPAA standards can escalate to as much as $1.5 million annually.

PSPs must routinely carry out evaluations and reviews of their data management procedures to guarantee adherence to compliance standards. This includes evaluating how patient information is stored, accessed, and shared. Encryption of patient data, both in transit and at rest, becomes non-negotiable. Additionally, it’s vital to stay informed about changing state and federal regulations in response to emerging cyber threats. By embedding compliance into your cybersecurity strategy, you safeguard your practice against legal repercussions and reinforce your commitment to patient confidentiality.

4. Train Staff on Cybersecurity Hygiene

Your staff is the first and last line of defense against cyber threats. Astonishingly, human error contributes to 90% of all cybersecurity breaches. Therefore, comprehensive training in cybersecurity hygiene is essential. This training should cover basics like strong password policies, phishing attempt recognition, and safe internet practices.

Regular training sessions, updated with the latest cybersecurity trends and threats, are necessary. For instance, with the rise in telehealth services, staff must be adept at handling patient data securely over digital platforms. Moreover, instilling a culture of cybersecurity awareness can significantly reduce the risk of breaches caused by internal mistakes. 

5. Have a Vendor Risk Management Program in Place

The increasing reliance on third-party vendors for various services, including EHR systems and cloud storage, introduces new vulnerabilities into your cybersecurity framework. A startling statistic from the Ponemon Institute reveals that 54% of companies have experienced a data breach caused by a third party.

Implementing a comprehensive vendor risk management program is imperative. Start by conducting thorough due diligence before onboarding any new vendor, evaluating their cybersecurity status and compliance with applicable regulations. Continuous monitoring and periodic audits of existing vendors are equally important to ensure they maintain the required security standards. Establishing clear contracts with vendors, outlining their cybersecurity responsibilities, and protocols for incident response is also vital. 

6. Pen Test Defenses Regularly

Penetration testing (or pen testing) is a simulated cyberattack against your network to check for exploitable vulnerabilities. In the context of a PSP, regular pen testing is not just a proactive measure, but a necessity. Pen testing should be conducted annually by a third party or whenever significant changes are made to your IT infrastructure. 

This process is crucial for revealing vulnerabilities that hackers might leverage, including outdated software, inadequate encryption, or substandard security protocols. If you actively look for and fix these weak spots, there is a much lower chance of a serious cyberattack that could compromise private patient information and hurt the credibility of your practice.

7. Consider Cyber Insurance

Cyber insurance has become an essential layer of protection for businesses, including PSPs. It plays a pivotal role in lessening the economic consequences of a cyberattack by providing coverage for expenses associated with data breaches, ransomware attacks, and disruptions in business operations.

When choosing cyber insurance, ensure it covers immediate expenses (e.g., forensics and legal fees) and indirect financial impacts (like business disruptions and reputation management).

According to IBM, the typical expense incurred from a data breach averages $4.45 million. That is why the importance of having a robust cyber insurance policy cannot be overstated. This element is vital in your comprehensive approach to cybersecurity, offering both financial security and reassurance.

“Setting aside an adequate budget for cybersecurity protection is difficult,” says plastic surgeon Mark D. Epstein. “If you don’t need it, it will seem like money wasted. But if you need it and you don’t have it, the consequences can be dire. While having every defense imaginable would be ideal, it’s also not feasible.”

Cybersecurity extends beyond mere data protection—it encompasses the preservation of patient trust and their overall welfare. From building a risk-based cybersecurity program, to investing in technology controls, to understanding compliance and training staff, a robust defense strategy will reinforce the commitment to providing safe, confidential, and high-quality care. “Working with the right cybersecurity consultants can help you use your available budget in the most efficient way,” Epstein adds. “It’s all about mitigating risk; no matter how hard you try, you will never eliminate it completely.” 

Michelle Drolet is CEO of Towerwall, a specialized cybersecurity consulting firm offering security and compliance services.

Cybercriminals Continued to Exploit Healthcare Industry Disruption
https://plasticsurgerypractice.com/practice-management/office-management/cybersecurity/cybercriminals-continued-exploit-healthcare-industry-discruption/
Tue, 21 Feb 2023 18:56:04 +0000

Over 59 million patient records were breached in 2022, according to the Protenus Breach Barometer. Protenus, a healthcare compliance analytics company that protects patient data for major health systems, publishes the Breach Barometer annually to report on health data breaches.

In 2022, the healthcare industry remained altered by the effects of the pandemic and The Great Resignation, resulting in nursing turnover, ongoing staffing shortages, increased remote and hybrid work, financial pressures, and increased “mega mergers.” As the report puts it, cybercriminals have long targeted healthcare’s vulnerabilities, and the continuing industry disruption created opportunities for exploitation. There were 956 reported health data breaches in 2022, up 5% from 905 reported in 2021; however, the number of patient records breached increased 18% year over year to nearly 60 million.

The Breach Barometer also notes that insiders continue to be a risk, accounting for one in 10 healthcare data breaches. According to the report, insider behavior often gives outsiders a foothold for improper access to patient data and may have provided an entryway for the many hacking incidents behind the majority of 2022 breaches. Records breached by insider error alone skyrocketed 141% last year. 

Nick Culbertson, CEO and co-founder of Protenus, stressed the importance of reducing insider risk: “A preventive, proactive approach is the only way to mitigate the significant breach risk insiders pose. Healthcare organizations need to look at whether they’re truly able to monitor every access to patient data every day. The financial cost of a breach is staggering, but the reputational damage and impact on patient safety will have serious repercussions on affected healthcare organizations and their patients for years to come.”

Incidents included in the analyses for the report were compiled and analyzed by DataBreaches.net, with additional research and analyses by Protenus.

Protenus’ AI-driven patient privacy monitoring and drug diversion surveillance solutions help hospitals and health systems ensure health data is safe and being used appropriately. 

Are You Ready to Pay a Ransom for Your Patient Data?
https://plasticsurgerypractice.com/practice-management/office-management/cybersecurity/are-you-ready-to-pay-a-ransom-for-your-patient-data/
Fri, 25 Feb 2022 21:28:29 +0000

Hacking has become a multi-billion-dollar business, and unless doctors prepare their practices, an attack may be inevitable and costly.
By Steven Martinez

We’ve all seen the suspicious email. Unknown senders, broken English, and a suspicious insistence to click the link.

It’s easy enough to delete—if it even makes it past the spam filter. It might seem like only a gullible person would fall for the most obvious traps.

While many people understand how to sidestep the Nigerian prince asking for money, hackers are professionalizing and becoming more sophisticated and focused—and specifically targeting patient data for ransom.

“The days of improperly worded requests for things that just didn’t seem realistic have pretty much subsided,” says Gary Salman, chief executive officer of cybersecurity firm Black Talon Security.

A Sophisticated Enemy

One of the most malicious and challenging attack methods to avoid is what’s known as a spear phishing attack.

Using an email account belonging to somebody known to the practice owner, the attackers send an email with a link containing malicious code to gain access to and control of the network. The link could also lead to what looks like a legitimate website built to harvest passwords and logins.

“We’re seeing a lot more attacks where they breach a legitimate email system, and then they use that email to target all of the contacts in the email system,” says Salman. “Spear phishing is usually from someone you know, trust, or do business with. So it could be another team member, a colleague, a referral, a vendor, an accountant, or even an attorney.”

Hackers may also forgo the subterfuge and directly attack your network, scanning firewalls for any vulnerabilities and exploiting them to gain control.

Once they gain access to the data, they copy it and contact the practice owner, demanding money in exchange for keeping the data safe.

Even if a practice owner had the foresight to back up all of their data and update it regularly, it is simply not enough once patient data has been breached.

“Practices might think, I don’t care about ransomware because I have a backup of my data,” says Salman. “The first thing they should know is that hackers will usually find their backups and destroy them.”

Even if a plastic surgeon manages to retain a full backup of their data, they still have to face the fact that their patient data has been stolen, and once they have it, the cybercriminals will go to great lengths to get their ransom money.

How Hackers Targeting Your Patient Data Get Their Money

“The hackers will say, hey, I got all your patient data, and to prove it, I’m going to show you some photographs of your children, private emails or patient X-rays, and if you don’t pay me, I’m going to sell all of your patient records on the dark web,” says Salman.

In addition to the reputational hit a practice would receive from losing patient data, simply undoing the damage from the hack could take weeks, costing thousands of dollars in downtime. Not least of all, doctors are required by law to protect this data from a ransomware attack.

“They know that healthcare almost always pays because regardless of whether you’re a general dentist or cardiothoracic surgeon, you can’t have your patient data published,” says Salman.

He says that around 90% of doctors end up paying the ransom for their patient data. In the cases where a doctor tries to resist or can’t pay, the hackers will be relentless in trying to extract their money.

Salman recalled one instance where hackers were asking for a six-figure ransom, and the practice was struggling to come up with the money.

“The hackers were getting so frustrated with the victim that they extracted all of the cell phone numbers of the owners, and every hour, on the hour, they called demanding that they pay,” says Salman. “It got to the point where they started cursing at the victims. They threatened to call the local news station and newspapers in their town to let them know that this business has been hacked.”

In the end, that practice took out loans to pay the ransom.

The interactions are so jarring and unpleasant that some doctors have told Salman they have PTSD, to the point that they might consider selling their practice.

“The amount of stress and aggravation and frustration that causes everyone is something no one talks about,” says Salman. “It’s just this complete invasion of not only their personal privacy, but their livelihood.”

The Business of Cybercrime and Ransomware Attacks

Cybercrime has morphed into a multi-billion-dollar industry. Salman says that some groups generate a quarter of a billion dollars a year with these ransomware attacks.

In some instances, the hackers will negotiate the ransom—a service that Black Talon provides. They might come down 10% or as much as 60%, so long as they get their money. Others refuse to negotiate at all.

Primarily based out of Russia, with some groups operating in China, Iran, Ukraine, and North Korea, the hackers thrive in an environment with little to no government intervention.

Get the image out of your head of small-time crooks or nihilistic overweight teenagers. The largest groups operate like real businesses with tech support, development teams, and financial staff.

Some groups even outsource the work to smaller groups, charging a fee for their technology and methods and receiving a percentage of the successful ransoms.

“It’s basically like a cartel or a pyramid scheme,” says Salman. “Everything rolls back to these gangs, and they don’t really have to do the attacks themselves. They’re just selling the tools to do it, and they profit greatly from it.”

The groups are a cold mix of pragmatic professionals and emotionless thieves. They have zero pity for a practice owner’s plight but at the same time understand that they have a reputation to uphold.

During the earliest days of the pandemic, Salman says he tried to use the financial hardships caused by lockdowns to negotiate better ransoms for patient data. They told him that the price already took the COVID-19 pandemic into account.

About the only grace hackers extend is upholding the promise not to sell patient data once the ransom has been paid.

“Believe it or not, it’s a reputational thing for them,” explains Salman. “What happens is a company like Black Talon will tell a future client, hey, if you pay these guys, there’s a high likelihood that they’re still going to publish your data. We advise you not to pay.”

There’s a certain honor amongst thieves, and, as strange as it sounds, they have a reputation to uphold as well. Double-crossing a victim would be tantamount to receiving a 1-star review on Yelp and might cause other victims to refuse to pay. Salman says that he’s never had a situation where the hackers burned a practice after paying the ransom.

The flip side of this is that they must follow through on their threat to publish patient data if the victim doesn’t pay.

“So typically, what happens is, if you refuse to make a payment, they’ll take between 1% and 10% of the patient data that they stole, and they will put it on their dark website where it’s viewable by whoever comes across their dark website,” says Salman.

Black Talon will go to clients refusing to pay and show them the dark websites containing their patients’ photographs, X-rays, and health history forms. Usually, next to the data is a counter showing the number of people who have already viewed the patient records.

“That’s when it gets really real for the doctor, and they say, alright, I got a big problem,” says Salman.

Shoring Up Your Defenses to Protect Patient Data

With an increasingly sophisticated, cunning, and ruthless enemy, the outlook might seem bleak for any practice owner. It might seem like dumb luck is the only thing standing between a practice and financial ruin.

But Salman says that the best way to fight back is to regularly test and evaluate your cybersecurity.

He says that many business owners think that if they contract with an IT security company, they are safe. But even with firewalls and antivirus software in place, a dedicated cybersecurity firm needs to test how safe things really are.

Salman recommends that practices have their firewalls scanned at least once a month for vulnerabilities. They should also have their computers scanned daily for vulnerabilities, and they need to implement cybersecurity awareness training, something that is required for healthcare businesses under HIPAA law.

“Search out a company that specializes in cybersecurity awareness training,” says Salman. “It’s not, hey, some dude came into my office and talked to us for 30 minutes over pizza. That doesn’t work.”

Practices should also have a security risk assessment done by a credentialed security expert. They’ll ask around 100 questions related to security and operations and then provide a report showing the areas that are doing well and the areas that need improvement.

Lastly, practices should consider doing an annual penetration test. A cybersecurity firm looks at the network like a hacker would, using the same technology and techniques to find vulnerabilities and breach the network. The information from the penetration test will show where defenses need to be shored up and vulnerabilities patched.

“The reality is, you can basically fight back and win and not be a victim,” says Salman.


5 Steps to Recovering from a Ransomware Cyber-Attack
https://plasticsurgerypractice.com/practice-management/office-management/cybersecurity/5-steps-recovering-from-ransomware-cyber-attack/
Wed, 07 Apr 2021 03:13:32 +0000

Black Talon Security CEO Gary Salman says there are steps plastic surgery practices can take in the aftermath of a cyber-attack to mitigate the damage (and follow the law).

By Tonya Johnson

Being the victim of a cyber-attack feels like an emotional assault against everything a doctor has worked for in his or her medical career. Gary Salman, CEO of New York-based Black Talon Security, has witnessed attacks’ devastating aftermath.

“The biggest problem is that 99% of private practices do not have a plan, and they have no idea what to do next,” he says.

The recovery process from a ransomware cyber-attack takes at least 7 to 14 days, in Salman’s observation. If your private practice facility is a victim of cyber-crimes, Black Talon Security advises 5 steps to help prepare for what’s to come in the weeks and months ahead.

  1. Immediately unplug your network connection to the internet, and remove any backup drives. There’s a chance that the hackers haven’t taken out the facility’s external backup drives.
  2. Call a cybersecurity company before demanding your information technology (IT) vendor gets your practice back online. While most practitioners will be anxious to have their IT team get the office’s network running again, most IT companies are not trained to investigate cyber-crimes. Hackers are even known to use the IT vendor as a vulnerable entry point to attack. Cybersecurity firms guide the practitioner through the correct steps and processes to work toward the best possible outcome. Ideally, it’s best to engage with the company before you need the service.
  3. Call an attorney. An attorney can provide important information on the legal ramifications—including violations of HIPAA guidelines. Salman finds that about 90% of doctors don’t report cyber-attacks—due to lack of knowledge of the law or concern about the IT company’s reputation among other clients.
  4. Report the cyber-attack as a crime. Under HIPAA, a ransomware attack is a data breach. As a crime, cyber-attacks must be reported to local authorities. Not only do hackers often gain access to a patient’s personal data; cyber-criminals are also privy to confidential medical photos from patient procedures. Some individual states across the country have more stringent laws than the federal laws.
  5. Regain the trust of your clients, reassure your staff, and get ahead of a potential public relations nightmare. As a condition of employment, have employees agree to a nondisclosure agreement that explicitly states they are not to discuss any cyber-attacks outside of the practice. If an attack occurs, put an action plan in place to communicate a reliable, trustworthy message to your clients and medical staff—“Here’s what happened, here’s how we plan to fix it.” Also notify any outside medical specialists who may have collaborated on a client case. Through an attorney, public relations firm, and compliance company, craft a letter to the patients explaining what happened, if data was compromised, offer identity theft monitoring service, and provide a company contact number for patient questions and concerns.

In most cases, it’s best for patients to hear about the cyber-attack from their practitioner directly because it builds their confidence in the provider. In general, the more transparency you provide, the better. But always work under the advisement of an attorney.

Tonya Johnson is associate editor at Plastic Surgery Practice.


Cybersecurity: How to Protect Your Practice From Falling Victim to Ransomware Cyber-Attacks
https://plasticsurgerypractice.com/practice-management/office-management/cybersecurity/cybersecurity-how-to-protect-your-practice-from-falling-victim-to-ransomware-cyber-attacks/
Wed, 31 Mar 2021 16:06:47 +0000

According to Black Talon Security CEO Gary Salman, most plastic surgeons don’t realize that hiring an information technology company alone may not be enough to secure a medical practice from hackers.

By Tonya Johnson

Four years ago, information technology (IT) programmer Gary Salman started receiving a ton of phone calls from doctors who were victims of ransomware cyber-attacks. In the ensuing years, cyber-attacks against healthcare facilities have only gotten worse.

Salman says the primary reason hackers focus on the healthcare market is because of the tremendous amount of data available. “It’s the perfect source of identity theft because it contains all of a patient’s pertinent information—name, address, social security number, and date of birth,” he explains. What’s more, if sensitive healthcare data has been encrypted with ransomware or stolen entirely, criminals know doctors are willing to pay a hefty price to get it back.


To empower healthcare practitioners and help them combat the growing problem, Salman partnered with expert colleagues in the cybersecurity, healthcare, and finance arenas to launch Black Talon Security. Black Talon Security utilizes technology and human intelligence to keep criminals away from private practices.

If you’ve never been the victim of a ransomware cyber-attack, consider yourself lucky. Read more to learn about the importance of having a solid cybersecurity action plan in place at your practice. Then start implementing the steps outlined below by Black Talon Security.

WHAT IS CYBERSECURITY?

Cybersecurity is a holistic solution to protect your practice against hackers. A traditional solution includes vulnerability management, which is crucial because every device on a doctor’s network will have some form of vulnerability—an entry point a hacker can use to gain control of the network.

Cybersecurity firms use sophisticated software to analyze a doctor’s firewall setup and all of the devices in the office, search for the vulnerabilities, and work with the doctor’s information technology company to close those unlocked doors and windows.

CAN AN INSURANCE POLICY COVER MY RISK IN THE EVENT OF A CYBER-ATTACK?

When patient data is compromised for even a small plastic surgery practice, the cost can potentially exceed a quarter of a million dollars.

“In fact part of our business is to help plastic surgeons and other doctors recover from these cyber-attacks,” Salman says. “Close to 100% of doctors who have been victimized end up having to pay the ransom. Criminals are going to follow the money trail, and that’s a major issue in the healthcare industry right now.”

Many doctors have insurance policies to cover these types of online attacks, and the insurance companies will pay out a lot of money to get the doctors’ data back—the criminals know this as well. According to Salman’s client case experience, the average plastic surgeon’s ransom payment is $50,000. But, add on ransom negotiation fees and time lost to get the practice back up and running (14 days minimum) and most practitioners don’t walk away from a cyber incident for less than $100,000 in total expenses.

Doctors cannot offset their risks through insurance policies alone, Salman says. In fact, many insurance companies now require a private practice to have a cyber security system already in place before they will consider insuring it.

To find a good insurance policy for cybersecurity, ask your malpractice insurance carrier. If the insurance carrier does not cover cybersecurity, then reach out to a general business insurance company and a local insurance agent to get competitive quotes. On average, the rates for small plastic surgery practices range from $1,000 to $2,000 per year. But prices are rising, approximately 30% to 50% in 2021, due to all of the cyber-attacks in 2020.

TRAIN YOUR STAFF

Employees present a tremendous amount of risk. If they receive a phishing email and click on the link or an attachment, that can result in an attack against the practice.

Under the federal law, a plastic surgeon must train their staff on cybersecurity awareness. Every team member needs to be able to identify potential threats that present over email, telephone, or through the internet.

I HAVE AN IT TEAM; WHY SHOULD I HIRE A CYBERSECURITY FIRM?

IT companies and cybersecurity companies are different, Salman explains.

An IT company’s responsibility is to keep the network up and running and help the practice update its technology. But IT companies don’t typically have the in-house knowledge and certifications to secure the network.

To mitigate risks, it’s best to partner with both an IT company and a cybersecurity company—the cybersecurity company can validate the work that the IT company is doing. In many cases, networks are not configured properly, and the security that an IT company thinks it has in place to protect the practice is not functional. The biggest problem Black Talon Security sees is that plastic surgeons don’t realize their IT company is not properly equipped to secure them from hackers.

Having a firewall and antivirus software system in place are necessary but not a magic bullet. Antivirus software is ineffective at blocking ransomware. When the hackers get into the computer system, they shut down the antivirus software, turning off the computer’s defenses. Typically, hackers know how to defeat firewalls.

HOW DO I HIRE THE RIGHT CYBERSECURITY FIRM?

Salman offers the following advice.
  1. Choose a cybersecurity firm that specializes in healthcare. Many cybersecurity firms are set up to work with medium- and large-size businesses that generate hundreds to millions of dollars, so they don’t understand the smaller healthcare provider market. A cybersecurity firm that focuses on smaller providers in the healthcare industry is going to better understand the types of systems that plastic surgeons use—such as EMR and EHR. They’ll be able to fine-tune a solution for that specific practice.
  2. How long has the company been in business? Ask for a reference list of plastic surgeons they work with.

WHAT ELSE CAN I DO TO PROTECT MY PRACTICE FROM A CYBER-ATTACK?

Three to four weeks before the practice realizes it has been attacked, the hackers are already in its system—watching what the medical staff is doing and learning how they conduct backups (how often and where). Therefore, it’s important for doctors to have a disconnected backup drive of all practice/patient data to keep with them at all times—during the day at the practice and carried home in the evening.

Most cybersecurity experts advise practice staff members to leave their computers on after work because security updates are typically done at this time. The flip side is that many cyber-attacks occur at night because it’s less likely for a staff member to detect a hacker in the system then.

A cybersecurity firm can also conduct a penetration test. Specifically, an ethical hacker inside the firm will try to breach the network using the same types of tools and techniques that the cyber criminals would use. Once they breach the network, they meet with the doctor and the IT staff to share how they were able to break into the system and explain which doors and windows need to be closed.

If you implement effective protocols, the chances of your plastic surgery practice being breached are low.

Tonya Johnson is associate editor of Plastic Surgery Practice.

