Cyber hackers are often large organisations, some of them running help desks to handle the extortion that they themselves have perpetrated. Medical businesses are vulnerable to these and other cyber criminals, as Fiona Thomas discovers
All files gone, hieroglyphics in their place and a message saying pay up or lose it all.
Nelson practice manager Judy Gilmour faced this heart-dropping moment about two years ago, when her practice suffered a cyber attack.
For Stoke Medical Centre, it came in the form of a normal-looking email attachment opened by a staff member. From there, the ball was rolling.
All files on the staff member's laptop computer were corrupted, along with all files on one of the practice's servers.
It was a ransomware attack, a modern form of digital hostage-taking. When hit by this common form of cyber attack, computers are fully exposed to programmes encrypting as many files as they can access, and then sending the owner a demand for money. In return, the criminals say they will provide the key to get back in.
Ransoms range from $500 to $15,000, and are usually demanded in the digital currency bitcoin, which requires an online wallet and processes very different from those of a debit card or online banking.
Infamous examples of ransomware include the recent attack in which a cryptoworm named WannaCry infected 230,000 computers on its first day.
It eventually took down the computer systems of hospitals and medical centres across the UK. What's now clear is that medical information is valuable to hackers: it's worth 10 times as much as credit card information.
And medical providers are often unprepared against a formidable foe in the shape of a billion-dollar hacking industry.
Documents rendered illegible
At Stoke, no patient records were affected, nor was the practice's Medtech server. But all documents containing policies and procedures were made illegible, says Mrs Gilmour, who is also chair of the Practice Managers & Administrators Association of New Zealand.
The staff quickly realised what had happened and knew to contact their IT provider immediately. They also had usable backups, meaning, in the end, they lost only a few hours' worth of work once the files were
An IT whizz then spent three days stripping down the infected laptop so it could function again.
The sender of the original email was from overseas, and the attachment enclosed was cunning and believable, Mrs Gilmour says.
While the practice had to pay to get its systems restored, paying the hacker was not even considered. "The moment you pay them, that's just feeding it," she says. "That's how they make their money. If everybody didn't pay them, then they might stop doing it."
The practice got off pretty lightly.
Huge financial loss
Frank Risk Management director Rene Swindley says his firm has worked with companies where data loss has caused huge financial hits.
In one accountancy firm, all customer files were lost to a ransomware attack. The firm had to go cap in hand to the IRD asking for information.
It took six months in time, extra staff and money to get back to a working state. Months of recovery is far too long for medical centres, Mr Swindley says.
His company first started noticing the need for both cyber insurance and protection against hacking in New Zealand industries about five years ago.
Frank Risk Management has paired with MAS to offer practices such insurance, through a service called Frankie, with advice on protecting against hacking. At least one in five medical practices will have been affected by some sort of data loss or risk in the past five years, Mr Swindley estimates.
Many events will be the result of malicious attacks, as at Stoke Medical Centre, but potentially with more serious consequences.
Phishing for info
Phishing is another way cyber criminals prey on people, using emails that purport to seek information legitimately. Caught off guard, people can volunteer money or data, releasing it into the wrong hands.
Mr Swindley says medical data are highly valuable because the information can be used to extort people with medical conditions they want to keep secret.
He knows of a US man whose medical records were stolen and used by someone else to get free heart surgery under his name.
Hacking is part of a bigger problem of data loss, which can include system failure when there's a lack of adequate backups, he says.
Malicious or not, data loss can put a practice out of business, and medical organisations are vulnerable as they traditionally spend money on care rather than on the latest and greatest computer technology.
Ignorance or a false sense of security continue to lead people to take risks.
Password protection is fundamental. "It's crazy to have devices without password protection," he says, and simply having a backup is not enough. It needs to be the right type.
Arranging for one person to take home a physical backup from the practice each day is risky. It could be left at the pub or stolen from a car or, on the one day that person is sick, the practice could be burned to the ground.
Good, automated backups, preferably backing up to a cloud server or a server in another location, are recommended.
Have you been hacked? Fax poll
In a fax poll conducted by IMS and New Zealand Doctor, nearly 20 per cent of the 92 GP respondents had been affected by computer hacking at their practice. Ten per cent of respondents had suffered loss or damage to their practice systems as a result of hacking. Concern about the possibility of a hack rated highly, with 72.8 per cent of respondents saying they were worried about it happening to them.
That same number of respondents had taken steps to protect themselves against hacking, but 27.2 per cent of respondents had not.
Mrs Gilmour says anyone who thinks it isn't a threat is dreaming. Her practice has increased precautions against attacks, although it was already on the ball with daily backups.
Now, vigilance is high, and staff keep an eye out for anything suspicious, showing her any emails they are unsure about.
Despite having good spam filters, attack emails still appear in staff inboxes, and the number of suspicious emails is growing, Mrs Gilmour says.
The Ministry of Business, Innovation and Employment is taking note and, in April, launched a Computer Emergency Response Team (CERT) to assist attack victims and collect data. CERT has already reported losses from businesses of more than $730,000 in its first three months.
At a Health Informatics New Zealand conference on cybersecurity in health last month, Microsoft worldwide health chief information security officer Hector Rodriguez talked about whether New Zealand businesses are prepared against attacks.
Speaking to New Zealand Doctor, he points out practices' vulnerability lies not just with the technology doctors use but with what patients bring into practices.
Some patients are given their records on USB drives, or receive them online and then post information to social media.
The information can be used to create phishing attacks or expose vulnerabilities.
Mr Rodriguez says ransomware has cost businesses US$3 billion in the past few years. That doesn't always include the costs of lost opportunities and lost care.
Cyber insurance is popular in the US, but that will not help stop attacks, he says. What will stop them is security hygiene: in other words, good habits in the way we share data and create user names and passwords.
Mr Swindley encourages people to choose a long phrase or sentence as their password, rather than change passwords regularly.
Having to change often leads people to opt for easy-to-guess passwords, he says. By Microsoft's calculations, it costs US$400 to recover from one medical record being compromised.
Mr Rodriguez wants to see prevention replace cure. Microsoft is building artificial intelligence and machine learning into its security systems, to look for patterns across attacks.
Practices keeping attacks under wraps
New Zealand Doctor knows of several practices that have been hacked but, when approached, the people affected declined to be interviewed. Mr Swindley says there's an element of worry and shame in going public, but he emphasises that people can learn from the experience of others.
One very public case was that of the New Zealand Nurses Organisation, targeted by a phishing scam last year. An email was sent to a staff member, pretending to be from chief executive Memo Musa and requesting the emails of all members.
The staff member obliged and sent the information to the address, which turned out to be fake.
Acting chief executive Jane MacGeorge soon realised 47,000 members email addresses had been sent to a hacker.
The organisation put out a mass email to members straight away, letting them know what had happened, who to contact and how they could protect themselves.
The NZNO's member support centre was overwhelmed with calls, as was the call centre of IDCARE, an Australian-based organisation helping the victims of cyber attacks.
Organisations began blocking NZNO emails, which was a problem almost every day, says Ms MacGeorge, who worked 12-hour days in the aftermath. Some members were very distressed by the security breach, and NZNO needed to offer them support, she says.
Traced to Lithuania
The hacker was traced to Lithuania, but there was also a link to a Swedish company, so its suspected identity theft was involved.
It's not known what happened to the member information.
A system has since been set up for members to report any suspicious activity related to their email addresses.
Asked if the NZNO would be ready should something similar happen again, Ms MacGeorge says the experience made the organisation stronger, but the real lesson is that everyone is still vulnerable. The main cost to the organisation was time.
Large organisations at work
Mr Swindley says the perpetrators are not teenagers in darkened rooms.
Rather, the large organisations that develop the attack software are the ones making the real money.
Gallingly, these big players have hotlines, support centres and help desks for their ransomware victims, whom they call clients.
They want to make the transition for you, their client, as smooth as possible, he says.
With such big players in place, cyber protection and precaution are vital. He predicts another big attack making the news by the end of the year, but says the large-scale international examples can make New Zealand small business feel too small to count.
That simply isn't true. Owners of medical practices here will start taking notice when a friend or neighbour is hit, he suspects.
Protective measures plus insurance
In his view, the best form of cyber-risk management is to have protective measures in place, and insurance as a safety net, should everything go wrong. Because, as Judy Gilmour knows only too well, it's a scary world out there.
Predators, prey and ransom
Ransomware: Software restricting access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for a ransom.
Phishing: Emails, websites and phone calls designed to steal money or information, using social engineering to convince people to hand over information or install malicious software under false pretences.
Bitcoin: A decentralised digital currency, released in 2009, which is exchanged for currencies, products and services or held as an investment.
Sources: Microsoft and The New Yorker
Top tips for keeping cyber safe
Frank Risk Management shared their top five security tips for practices based on claims:
1. Passwords: all devices and computers to have strong password protection. The most common password in the world is password123. We recommend using a sentence, eg, Herec0mesthesun2345!
2. Backup and recovery: backup is only as good as the ability to recover. Have robust automated offsite backups (not John from reception taking a USB drive home each night). It is crucial that backups are supported by an effective recovery procedure (and run a drill to make sure it works). So many practices have backup but no way of recovering the data.
3. Get a security audit: including vulnerability testing completed by an IT professional. The vulnerabilities can be addressed before they become an issue.
4. Wireless network: only allow authorised devices to be connected. Don't allow staff, patients or visitors to connect. If you want to provide free wi-fi, set this up on a separate network.
5. Virus protection: ensure all software and virus protection is up to date. In addition, train staff to question every email that comes through. Hackers are getting smart and that PDF invoice you received from a known supplier may actually be a virus.
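Tip 2 above and the backup advice earlier in the article (automated, offsite, and only as good as the recovery drill that proves it) in working form, as an added example that is not the article's or Frank Risk Management's code. It backs a folder up to an "offsite" directory, records a checksum, and then runs the drill: verifies the checksum, restores into a scratch directory and compares every file with the live data. The paths, archive names and sample policy files are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or from Frank Risk Management.
# Paths, file names and sample data below are assumptions for illustration.
set -u

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# make_backup SRC_DIR DEST_DIR
# Archive SRC_DIR into DEST_DIR (the "offsite" location) and record the
# archive's checksum beside it. Prints the archive path.
make_backup() {
  src="$1"; dest="$2"
  mkdir -p "$dest"
  archive="$dest/practice-$(date +%Y%m%d-%H%M%S)-$$.tar.gz"
  tar -czf "$archive" -C "$src" .
  file_hash "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
}

# restore_drill ARCHIVE SRC_DIR
# The recovery drill: verify the checksum, extract into a scratch directory
# and compare file-by-file with the live data. Returns 0 only if a restore
# would reproduce SRC_DIR exactly; anything else means the practice could
# not actually recover from this backup (damaged, stale, or unreadable).
restore_drill() {
  archive="$1"; src="$2"
  if [ "$(cat "$archive.sha256")" != "$(file_hash "$archive")" ]; then
    echo "DRILL FAILED: checksum mismatch, archive damaged or tampered: $archive" >&2
    return 1
  fi
  scratch=$(mktemp -d)
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    rm -rf "$scratch"
    echo "DRILL FAILED: archive does not extract: $archive" >&2
    return 1
  fi
  if diff -r "$src" "$scratch" >/dev/null; then
    rm -rf "$scratch"
    echo "DRILL OK: restore of $archive matches source" >&2
    return 0
  fi
  rm -rf "$scratch"
  echo "DRILL FAILED: restored files differ from live data (stale backup?)" >&2
  return 1
}

# Demonstration on constructed sample files (not real practice documents).
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/policies"
  printf 'Privacy policy v3\n' > "$work/src/policies/privacy.txt"
  printf 'Patient recall procedure\n' > "$work/src/policies/recall.txt"
  archive=$(make_backup "$work/src" "$work/offsite")
  restore_drill "$archive" "$work/src"        # DRILL OK
  # Simulate a damaged offsite copy: a truncated archive must fail the drill.
  head -c 64 "$archive" > "$archive.tmp" && mv "$archive.tmp" "$archive"
  restore_drill "$archive" "$work/src"        # DRILL FAILED (checksum)
  rm -rf "$work"
}
demo
```

Run it from cron against the real policies folder and an offsite or cloud-mounted destination, and treat any "DRILL FAILED" line as an incident: the checksum step catches a corrupted or tampered copy before anyone relies on it, and the file-by-file comparison catches a backup job that has silently stopped keeping up with the live data.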