MGMA 2022: How COVID-19 introduced a new cyber threat to practices, health systems

Working from home offers flexibility for staff, gateway for cyberattacks.

Working from home offers flexibility for medical staff and a new avenue for hackers to compromise data from physicians’ offices and health care systems.

Employees remain the weakest link in the cyber security chain that protects computer networks and patient information that by law must remain confidential, said Jeffery Daigrepont, senior vice president for health information technology for Coker Group, physician advisory group based in Alpharetta, Georgia.

Daigrepont presented “Confessions of a Hacker: How Cyberattackers Have Targeted Remote Workers,” as part of 2022 Medical Practice Excellence Leaders Conference of the Medical Group Management Association. He noted he is not a real computer hacker – but there are plenty out there targeting physician offices and health systems seeking money and personal details about patients.

The bad news is that cyberattackers are unrelenting and are good at what they do.

“Individuals, us, even the most savviest of IT individuals can be tricked into being compromised,” Daigrepont said. But there are hints and signs that staff can recognize, and steps to take, to guard against cyber breaches, he said.


Many physicians and health care workers are familiar with rules governing patient privacy protections of the Health Insurance Portability Accountability Act.

But there is a difference between privacy and security, Daigrepont said. Security is a process or set of actions, comparable to a lock on a door: It must be activated to ensure privacy, and without it, there is no privacy.

In information technology, 10% of the safeguards are technical, while 90% of the safeguards rely on users. Meanwhile, data is spread out over a number of electronic devices, including copy machines, Daigrepont said.

One easy tip to avoid compromised data is, when upgrading to new computer hardware, ensure the old equipment is destroyed, he said.

Social engineering

The COVID-19 pandemic was a once-in-a-lifetime opportunity for hackers because office information went with employees working from home, but some office cybersecurity measures did not.

Now attackers are using social engineering, including emails and queries that include personal details about the recipients, taken from social media websites where people openly share information without thinking about it.

“The weakest link is our entire cybersecurity efforts is the individual, us in this room,” Daigrepont said. “You might think, I would never fall for any of these gimmicks, I’m too smart, I know this stuff. A lot of the social engineering is getting to the point where they are dialing into you at a very personal level.”

He used the example of a Facebook post asking for prayers for a family members diagnosed with cancer. In a case study, Daigrepont described a hacker who created a phony fundraising document sent to the sister of a woman diagnosed with cancer.

“Do you think she clicked on that? Absolutely she did, absolutely. Well, why would she click on it? Well, they knew personal information about her,” he said.

Other threats

Practice-based computer security measures don’t necessarily transfer to home-based computers that remote staff are using. Daigrepont described various cyberattacks that can fool people into offering personal information or allowing hackers access to computers:

Phishing is relatively well-known. Hackers pose as trusted entities to extract sensitive information via email.Perhaps the best known is the example of an email from a Nigerian royal asking for a recipient’s bank account information to transfer money. But phishing takes many forms and can be convincing. To avoid phishing, look for awkward phrasing, unofficial website and email addresses, and don’t click on links in the email.

Drive-by downloads happen when users visit a compromised website that can infect the user’s computer with a virus.

The lost jump drive hack happens when a hacker deliberately drops an infected jump drive, also called a thumb drive, in a parking lot or waiting room. Studies show curious staff will insert the drive into their computers 60% of the time, launching an automatic virus attack.

Steps to take

  • There are security measures to help.
  • Practices should run vulnerability scans on their networks at least once a year.
  • Do everything you can to filter emails with potential threats, before they get to workers’ inboxes.
  • Back up data and be obsessive with software updates.
  • Prohibit the use of personal emails.
  • Have unique user IDs and passwords. Daigremont compared passwords to toothbrushes: Choose a good one, don’t share it with anyone, and change it occasionally.

An amusing example of bad security