We’ve grown accustomed to reading about data breaches: airlines, retailers, banks and service providers are “hacked” and valuable information is stolen: Uber, Equifax, Yahoo, Target, eBay, Anthem, JP Morgan Chase – it reads like a list of who’s who in American business.
The consequences can be serious for those whose personal data was stolen and include identity theft. The ramifications for those businesses that were hacked are equally serious, including damage to reputation, loss of business continuity and potential federal and state legal action, including fines.
Data Breaches and Cyber Crimes Happen to all Businesses
Cyber incidents targeting businesses nearly doubled in 2017, and it is estimated that the actual number of data breaches in 2017 could easily exceed 350,000.[1] Many incidents go unreported or undetected, so the true figure is almost certainly higher.
What is most striking is that 62% of all cyber-attacks target small and mid-size businesses. Attackers have learned that small businesses are less prepared to defend themselves and slower to detect and respond when a breach occurs.
While many small businesses store data in the cloud, that does not by itself protect them from cybercrime: the attacker does not need to break into the cloud provider if an employee's credentials or workstation can be compromised instead. Most attackers enter a network through e-mail phishing, using the foothold to deliver ransomware or other malware. All it takes is one employee opening a phishing e-mail and clicking a link or attachment to open the door to data theft or ransomware. Ransomware is causing U.S. businesses to lose more than $75 billion a year.[2]
What a Cyber Crime Could Mean to You
As a physician or health care professional, you may be thinking a data breach or cybercrime can’t happen to you. Or you may not think about the possibility at all. Most likely, you understand that a breach of your practice is possible but don’t know what to do to properly protect yourself.
But what happens should you experience a breach? The possibilities are sobering but worth thinking about:
- Ransomware. The most common attack is ransomware, where the data on your network (and often any backups the attacker can reach) is encrypted or otherwise made inaccessible until you pay a ransom. 65% of businesses hit with ransomware lost access to a "significant amount or all" of their data.[3] Paying does not guarantee recovery, which is why tested backups that the attacker cannot reach matter so much.
- Ransom Denial of Service. Here criminals threaten a distributed denial of service attack: they will direct computers under their control to flood your web site or internet connection with traffic, effectively shutting it down, unless a ransom is paid.
- Data Theft. This is when criminals steal data: patient and employee records, business information, financial and tax information, proprietary data, and so on. They often place the data for sale on one of the many thousands of Dark Web sites, where it can be bought and used to commit identity crimes: account takeovers, theft of money from financial providers, false medical claims, etc. Under HIPAA and the HITECH Act, medical practices must protect the privacy and security of patient data, including electronic transmissions, and being found negligent can result in fines by federal and state agencies. A breach of patient data must be reported to the appropriate regulatory bodies and, depending on its size, to the affected patients and the media.
What may be comforting to know is that there are practical steps you can take to reduce the likelihood and the impact of each of these.
The Three Right Things to Do
As evidenced by all the data breaches, there is no surefire way to prevent a breach or hack. But there are best practices that professionals can follow to reduce the risk of falling victim to cybercrime. Big businesses invest in network security and have large IT departments dedicated to constantly monitoring and protecting their data. You likely cannot support that level of investment, but you can follow the same basic steps they do. The approach is threefold:
- Assess. Two tasks establish a baseline understanding of your network and data. First, conduct a network vulnerability scan to determine whether your systems and software are up to date with the latest patches and fixes, and to find exposed services you did not know were there. Next, find out whether you have already been compromised. One practical way is to check the data that breach monitoring services have recovered from Dark Web sites for anything belonging to your practice: EINs, e-mail addresses, passwords and the like. A clean result does not prove you have not been breached, only that your data has not surfaced where it was looked for, so treat it as one signal, not a guarantee.
- Train. The greatest threat to any business is employee behavior: browsing, social media and e-mail habits, as well as how staff handle sensitive information. Employees need training in security awareness, phishing awareness and how to protect sensitive business and patient information. Browser and mobile-device tools that block access to known phishing sites and non-secure sites add a second layer for the moment when training fails.
- Plan. While you may never be the victim of a cybercrime or experience a data breach, it is important to have a plan to both prevent and manage one. You should know where your data is stored and backed up, confirm that backups are kept where ransomware on your network cannot reach them and that a restore has actually been tested, and know who to contact (IT support, legal counsel, your cyber insurer and the relevant regulators) in the event of an incident, before you need them.
Take the Next Step
MicroMD is making available a solution specifically for professionals like yourself called Data Breach Readiness, developed by Identity Guard®, an industry leader with over 22 years' experience in identity protection services.
Call (800) 624-8832, or visit micromd.com, to learn how Identity Guard can help protect your practice.
[1], [3] Online Trust Alliance. Cyber Incident and Breach Trends Report, January 25, 2018.
[2] Cook, Sam. 2017 Ransomware Statistics and Facts, May 24, 2018.