Cybersecurity threats loom over specialty medical practices as ransomware attacks rise, urging health systems to enhance data protection strategies.
T.J. Ramsey
Moscow is about 10,000 miles from Scottsdale, Arizona, but in the digital age they’re only milliseconds apart.
Recently the Medusa ransomware gang (believed to be operating in Russia) attacked the SimonMed Imaging radiology practice in Scottsdale, demanding $1 million in cryptocurrency. SimonMed stopped the intruders before data was encrypted, but was later sued by patients who claimed that the practice failed to protect their health information.
Across the U.S., specialty groups ranging from orthopedics to oncology are likewise being targeted by cyber criminals. The number of physician-owned specialty groups is steadily declining as health systems and private equity firms acquire them.
For example, only about half of U.S. oncology practices are still physician-owned, and the percentage is even lower in radiology (40%). There are many strategic reasons why hospitals and health systems acquire satellite practices, but these transactions come with a “buyer beware” caveat when it comes to cybersecurity.
Here are some of the reasons why entities acquiring specialty practices should be worried:
Hackers pay close attention to acquisition deals – When a hospital or private equity firm announces its plan to acquire a specialty practice, bad actors go on high alert. They surmise that the parties involved are too focused on the pending transaction to worry about cybersecurity. And they know that they’re likelier to collect a ransom because a breach could delay or derail the acquisition.
Specialty practices have limited cybersecurity resources – Compared to hospital chains that have dozens of cybersecurity pros on staff, most specialty groups are lucky to have one person who troubleshoots basic hardware issues. That person usually isn’t well-versed in cybersecurity.
For health systems that have affiliated practices – or are contemplating acquisitions – there are several ways to strengthen enterprise-wide data security:
Start fresh with new systems – I recently worked with a hospital whose affiliated orthopedic clinic got hit with ransomware. Most of the clinic’s data was stored in the cloud, and there was no evidence of data theft. The hospital discovered that the clinic only ran about 15 systems, and executives reasoned, “These systems are old, so let’s just replace everything with new hardware.” In short, they made a clean start – although the clinic did preserve the evidence of the attack for regulatory purposes.
Have a hospital IT staffer keep an eye on security at satellite practices – Many affiliated practices don’t even have one cyber expert on staff. It’s a good idea to have a hospital IT person periodically probe the cyber defenses at these allied practices. Ultimately, their patients are your patients.
Conduct rigorous security testing before acquiring a specialty practice – Prior to acquiring a group practice, the health system (or private equity firm) should do a thorough vulnerability scan of the practice that includes penetration testing. It’s also advisable to do a compromise assessment where you use an EDR forensic tool for 30 days to make sure there are no infections during the acquisition period. That way you can rest assured that you’re acquiring a practice that’s clean on the first day of new management.
Specialty practices that remain independent don’t have the deep pockets of a health system to rely on for cyber protection. Most of them have a tiny IT staff that’s no match for the growing sophistication of international cyber gangs.
Many cybersecurity companies now offer the services of virtual CISOs who can lend their expertise to a specialty group for a fraction of the cost of hiring a full-time CISO.
So far, most of the cyber incidents in healthcare have involved hospitals of varying sizes. But affiliated practices are just as vulnerable, if not more so. Bad actors know that stolen X-rays and MRI results can fetch a high price on the dark web. You can thwart their efforts with enterprise-wide security vigilance.
T.J. Ramsey is Senior Director of Threat Operations at Fortified Health Security, headquartered in Brentwood, Tennessee.