A medical practice works with sensitive patient data. At the same time, hardly any doctors have the specialist knowledge needed to secure their practice IT against external cyber attacks. This can be expensive, in many respects. And anyone who thinks that the danger only affects large hospitals and centers, while “small” private practices are of no interest to hackers, is underestimating how the criminals operate.
If you have not yet fallen victim to a ransomware attack, count yourself lucky, but do not feel safe: sooner or later, almost every practice owner will most likely be hit. Ransomware is malware that infiltrates individual systems or entire IT infrastructures, steals data, partially or fully encrypts it and thus blocks access to it (overview 1).
According to the Ransomware Report published annually by the global IT security provider Sophos, around 60% of all companies in the healthcare sector were affected by ransomware attacks in 2023. The reason, according to the report, is likely to be “outdated technologies and infrastructure controls”: it is probably “more difficult for companies to secure devices, restrict lateral movement and prevent the spread of attacks”. In the IT, technology and telecommunications sector, by contrast, the proportion of those affected was only 33%.
The aim is clear: the blocked data is only released against payment of a ransom. According to Sophos, the average ransom paid amounted to US$ 1,470,000. However, the sometimes horrendous sums demanded are only one aspect of the problem. Before it even comes to that, the practice owner first faces the challenge of keeping the practice running, and with it their livelihood. In times of digitalization, doctors are highly dependent on their practice IT: without access to it, patient files cannot be viewed, prescriptions cannot be issued and X-ray or MRI images cannot be called up. In short: patients can no longer be treated.
Double danger through the threat of publication
Backups are a relatively simple way to protect against data loss. Modern IT systems perform this step automatically, without the practice owner having to do anything. This makes it possible to restore data quickly and keep disruption to operations to a minimum. However, anyone who thinks that cyber criminals can no longer harm them because of this is mistaken: although the data can be accessed again from the backups, this does not change the fact that the hackers are still in possession of that very data. Their next step is double extortion: not only demanding a ransom, but also threatening to publish the patient data on the internet.
With such a threat, far more is at stake for a doctor than the mere financial loss of a ransom payment. If sensitive patient data is stolen and becomes freely accessible to everyone on the internet, this means above all an immense loss of trust among the patients concerned, not to mention the long-term damage to the practice’s image and any legal consequences. Anyone not already worried by the paralysis of their IT will, at this point at the latest, consider paying rather than suffering even greater damage.
This often causes panic among practice owners, who are understandably overwhelmed by the situation. In such cases, they also often try to solve the problem on their own without seeking professional help. The Sophos report found that affected companies rarely pay exactly the amount originally demanded by the attackers. In the healthcare sector, the amount paid was higher than the blackmailers’ original demand in 57% of cases, ultimately also a sign of the helplessness of those affected in the face of cyber attackers.
Practices just as affected as large hospitals
But how do practice owners end up in the hackers’ crosshairs in the first place? Rarely through targeted attacks. Instead, cyber criminals work on the scattergun principle: as many targets as possible are attacked indiscriminately, and a few of them will bite.
The perpetrators’ malware is written to target software that is widely used by companies. Who the criminals end up hitting is a matter of chance. Large companies and university hospitals that have suffered cyber attacks in recent years ultimately became victims only because they were using a specific piece of software.
For this reason, no practice owner should be lulled into the false sense of security that their small individual practice is of no interest compared to large hospitals. Large IT structures such as hospitals are more likely to be targeted, but they are also generally much more complex and better protected. Hackers are therefore shifting more and more to small and medium-sized companies, whose protective mechanisms are not quite as effective and may leave loopholes.
Human risk factor
No matter how much has been invested in firewalls, virus protection and the like, the greatest threat to an IT system still comes from the doctors and practice staff themselves. Once an unknown e-mail attachment or link is clicked on through carelessness, the malware loads itself onto the computer and extracts data from the system, sometimes over a period of weeks, until it finally locks the system and no longer allows access.
The constant development of artificial intelligence is also taking cyber attacks to a new level: AI-generated images, e-mail messages and even video clips are so deceptively real that it is becoming increasingly difficult for a doctor or medical assistant to recognize the fraud attempt in the daily stress of practice life. Not a good prospect!
medizinonline series “Danger from the Internet”: The series “Danger from the Internet” presents the threats and possible consequences of cyber attacks as well as preventive measures in three parts. In the second part, in the upcoming issue of Hausarzt Praxis, you can read how best to proceed if your own IT system has been hacked: should you pay ransom demands or not? You will also find out how you can get your data back, what legal options are available and how you should approach your patients with regard to the loss of trust and any claims for damages.
But how can a practice protect itself? First of all, the risk can be reduced by raising awareness throughout the practice team. Special training courses or workshops are suitable for drawing attention to the potential dangers. If an employee is unsure whether he or she may have made a mistake and opened the door to malware, this should be dealt with openly and without apportioning blame. Particular caution is required if, for example, a link has been clicked on but no page opens, or if the computer becomes very slow for no obvious reason. To be on the safe side, it is advisable to contact the IT service provider as soon as such signs appear so that they can carry out an in-depth check. After all, no matter how qualified and experienced the medical professional may be in their specialist field, as a layperson you are fighting a losing battle against hackers.
HAUSARZT PRAXIS 2024; 19(10): 42–43 (published on 17.10.24, ahead of print)
InFo ONKOLOGIE & HÄMATOLOGIE 2024; 12(5): 34–35