Protect Your Oncology Practice Against Cyber Thieves

Elizabeth M. Nichols, MD

Elizabeth M. Nichols, MD

It's every oncology practice administrator’s worst nightmare: The electronic health record (EHR) and other information systems are hacked, and patient records, radiation oncology settings, and medical oncology treatment plans become inaccessible. Lab testing and treatment grind to a halt. The majority of practices have already been victimized by cybercriminals, according to an American Medical Association survey (Table).¹

Across the US healthcare system, more than 15 million patient records were breached in 2018, triple the number breached in 2017, based on health data breaches reported to the Department of Health and Human Services (HHS).² Hacking incidents made up 44% (222) of all reported 2018 health system data breaches, and oncology practices got their share of attention from unauthorized users of health system data.

In 2018, an employee at Cancer Treatment Centers of America (CTCA), based in Boca Raton, Florida, inadvertently shared network log-in credentials in response to a fraudulent email that appeared to come from a CTCA executive, and personal data for 41,948 patients were potentially exposed to misuse. The following year, several additional breaches were reported that affected at least 24,000 patients at CTCA.³

Click to Enlarge

Click to Enlarge

Business email is increasingly the starting point for assaults on company information (24%), according to a report from the Beazley Group, a London-based insurance underwriter that also sells policies to businesses in the United States. Email-based incidents climbed 133% from 2017 to 2018, and the average ransomware demand in 2018 was more than $116,000, although skewed by some very large demands. The highest demand received by a Beazley client was for $8.5 million.⁶

Ransomware attackers appear to be growing increasingly bold. Across the business community, irrespective of service category, hacking incidents were up 41% in 2019. The average payment for the release of ransomed files was $84,116 in the last quarter of 2019, more than double the figure from the previous quarter.⁷

For one large cancer care provider, a data breach in 2015 led to an HHS Office for Civil Rights investigation that uncovered Health Insurance Portability and Accountability Act (HIPAA) compliance issues. 21st Century Oncology agreed to a $2.3 million settlement with HHS following an investigation that showed the oncology provider failed to appropriately protect health information for 2.2 million patients. The security breakdown included sharing protected data with business partners without obtaining satisfactory assurances that HIPAA requirements would be followed and failing to conduct regular reviews of system activity.⁸

Healthcare providers need to prepare themselves for more of these assaults, said John DiMaggio, cofounder and CEO of Blue Orange Compliance of Dublin, Ohio, a healthcare industry cybersecurity and HIPAA expert. “It’s something that is unfortunately highly effective, and organizations are crippled by it.” Studies indicate not only high potential for such attacks across the healthcare system but also high rates of anxiety among healthcare professionals caused by these risks. These attacks are costly and often begin with a simple email targeting employees (Figure 1,2)^1,9

The Problem in Radiation Oncology

Experts interviewed for this article said radiology departments and systems are particularly vulnerable to electronic data manipulation from within and outside hospitals and freestanding clinics. Most hospital-based medical and surgical oncology practices rely on EHR systems, which may provide more sophisticated security measures, but radiation oncology systems are isolated. “We have to have a separate medical EHR to operate our radiation machines,” said Elizabeth M. Nichols, MD, associate professor of radiation oncology at University of Maryland School of Medicine in Baltimore. “At this point, none of the commercial or hospital-based EHRs have the capability to operate the radiation oncology machines.”

Another challenge with radiation oncology is that vendors perform a lot of machine service and maintenance work remotely, which is challenging from a cybersecurity perspective. “Many hospitals don’t want third-party vendors to have access to their network,” Nichols said.

In 2019, investigators at Ben-Gurion University in Beersheba, Israel, showed how someone could enter a hospital radiology suite off-hours by following the cleaning crew and quickly install a cheap hacking device that would enable them to manipulate volumetric computed tomography scans, adding tumor-like features, or removing them. A panel of experienced radiologists were unable to discern the authentic images from those that were fake. “An attacker may perform this act in order to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder,” investigators wrote.¹⁰

Reasons for Cybercrime

Click to Enlarge

In healthcare, cybersecurity crimes are not always quickly discovered. The average time between the breach and the discovery is more than 6 months, DiMaggio said. During that time, hackers could continue mining compromised servers for data or selling access to others for further profit.

Cybersecurity Solutions

Cybercriminals can target healthcare systems in many ways, but providers can fight back by preparing a multilayered defense, experts said. Hackers may take advantage of improperly maintained systems without the latest security patches. Efforts to trick computer users into divulging confidential or personal information are also popular with data thieves. “Humans are usually one of your biggest weaknesses,” DiMaggio said.

Train Your Staff

Train staff members to recognize potential threats. That means not clicking on links or files from unknown sources. Hackers may attempt to phish by mimicking a common email address. Some attacks target those with access to financial information. DiMaggio stresses the value of using “out-of-band verification.” If you get an email asking you to change your banking password, verify by calling the bank or separately going to the bank website. “If you’re communicating to the same band of communication, there’s a good chance you’re communicating with the criminal,” DiMaggio said.

Minimize Access

Give employees only the network access needed to do their jobs to help prevent malware spread. “The more contained it is, the less damage can be done,” DiMaggio said. Employees should have access based just on need.

Back Up Data

The potential damage from ransomware can be limited if computer systems are regularly backed up. Nichols said her hospital does a full backup nightly, so if hackers manage to paralyze the system, the hospital still has access to current records. Her healthcare system also has a disaster recovery plan in place, with written procedures. “We can be up and running within 24 hours for certain patients,” she said.

Enable Encryption and Digital Signatures

Encrypting the hospital’s radiology network is another option. Many networks don’t enable this, relying instead on perimeter security, said Yisroel Mirsky, PhD, a senior cyber security researcher at Ben-Gurion University. If encryption is used, it may not be properly enabled. With digital signatures, each scan is signed with a secure mark showing authenticity. “If the image is ever changed, the digital signature won’t match up,” he said. Those using the system must be instructed on how to verify digital signatures. Digital imaging and communications in medicine formats are also valuable for securing information, Mirsky said. However, appropriate systemwide integration is required for successful use of this software, so the network knows and trusts the certificate, the viewing application, and the scanner.

Vet Vendors

If a vendor managing your information technology is disabled by an attack, chances are your oncology practice will be down, too. “If it happens, it’s not something you can control,” DiMaggio said, but when selecting vendors, providers should take the precaution of checking the strength of their data security and information recovery capability.

Use the Cloud

Medical records are increasingly moving to the Cloud instead of local or off-site servers. The larger cloud services have their own cyberattack defenses, which are better than many medical systems can afford, DiMaggio said. Even so, that added security is only effective if the medical system controls access.

Sequester Radiation Oncology

Radiation oncology software doesn’t automatically interact with hospital software, Nichols said. There are risks when building interfaces and having third parties access the software. The University of Maryland’s radiology machines are in an isolated subnetwork. Third party vendors have limited access, and if there’s a cybersecurity threat the hospital can shut down the subnetwork, rather than the entire network.

Communicate With It

Most radiation oncology practices are less integrated with the hospital cybersecurity model, Nichols said. As a result, there may be less protection. The radiology department must advocate for its own cybersecurity needs, as hospitals don’t always have a good sense of the radiation oncology workflow, she said. Any time a hospital transitions to a new EHR, the radiation oncology team must educate staff about why the radiation department can’t make the same transition. Nichols said her department works closely with IT and conducts regular audits.

Cybersecurity and Compliance

“Patient data are vulnerable, and radiation oncology devices are susceptible to hacking and manipulation,” DiMaggio said.

One means of reducing the potential for data misuse is setting computers to log out after short periods of inactivity, which ensures that if an operator steps away from a terminal, there is less opportunity for unauthorized individuals to access sensitive data. Nichols said that to comply with HIPAA requirements, hospitals may set computers to log out after 8 or 15 minutes of inactivity. She noted this is not practical for radiation technologists who may enter and leave operation centers multiple times as they position patients appropriately for radiology equipment. If a computer times out automatically multiple times during the workday, it can mean that fewer patients are treated.

The auto-timeout can also affect radiation plan creation, which can take hours, Nichols said. The University of Maryland addressed this with an override for radiology dosimetrists who worked in an area that is accessible only by badge carriers whose entry and exit information is automatically logged.

Making cybersecurity upgrades may require additional software and hardware and come at an expense. Custom interfaces connecting radiation oncology EHRs with hospital EHRs can cost $20,000 to $50,000 each, Nichols said. A third-party security audit adds expense, as does hiring a partor full-time IT employee.

However, experts said the expenses are worth it, as they help avoid government fines for data breaches, data recovery costs, and the potential for loss of public trust. “Having a good set of policies and procedures is a good foundation. Do security assessments and risk analyses. It’s a HIPAA requirement. And do it on a regular basis,” DiMaggio said.

References

1. American Medical Association staff. 8 in 10 doctors have experienced a cyberattack in practice. AMA website. ama-assn.org/practice-management/sustainability/8-10-doctors- have-experienced-cyberattack-practice. Published December 12, 2017. Accessed February 3, 2020.
2. Breached patient records tripled in 2018 vs 2017 as health data security challenges worsen [news release]. Baltimore, MD: Protenus; February 12, 2019. prnewswire.com/news-releases/ breached-patient-records-tripled-in-2018-vs-2017-ashealth- data-security-challenges-worsen-300793374.html.
3. HIPAA Journal staff. Cancer Treatment Centers of America experiences another phishing attack. HIPAA Journal website. hipaajournal.com/ cancer-treatment-centers-of-america-experiences-another-phishing- attack. Published October 7, 2019. Accessed February 3, 2020.
4. HIPAA Journal staff. 128,400 employees and patients impacted by phishing attack on Albany cancer treatment center. HIPAA Journal. hipaajournal.com/128400-employees-and-patients-impacted- by-phishing-attack-on-albany-cancer-treatment-center. Published November 20, 2018. Accessed February 3, 2020.
5. Diamond ML. Hackensack Meridian: We paid ransom to hackers to stop hospital cyber-attack. Asbury Park Press. Published December 13, 2019. app.com/story/news/health/2019/12/13/ hackensack-meridian-ransom-hackers-cyber-attack-hospitals/ 2638701001. Accessed February 3, 2020.
6. Beazley staff. Beazley breach briefing — 2019. Beazley website. beazley.com/news/2019/beazley_breach_briefing_2019. html. Published March 21, 2019. Accessed February 3, 2020.
7. Popper N. Ransomware attacks grow, crippling cities and businesses. New York Times. February 10, 2020. nytimes. com/2020/02/09/technology/ransomware-attacks.html. Accessed February 10, 2020.
8. $2.3 million 21st Century Oncology HIPAA settlement agreed with OCR. HIPAA Journal. hipaajournal.com/2-3-million- 21st-century-oncology-hipaa-settlement-agreed-ocr. Published December 15, 2017. Accessed February 4, 2020.
9. Code triage: protecting vulnerable healthcare data from security attacks. FireEye. content.fireeye.com/cyber-security- for-healthcare/ig-healthcare-code-triage. Published 2019. Accessed February 4, 2020.
10. Mirsky Y, Mahler T, Shelef I, Elovici Y. CT-GAN: malicious tampering of 3D medical imagery using deep learning. arXiv. org. arxiv.org/pdf/1901.03597v3.pdf. Updated June 6, 2019. Accessed February 4, 2020.

Healthcare information can be more valuable to thieves than credit card numbers, DiMaggio said. Health records may contain Social Security numbers as well as diagnoses and other health data that could support the filing of fraudulent claims. “Credit card numbers can be changed, but with health, you can’t unring the bell,” he said.

Other attacks have the potential to cripple operations. In 2019, Hackensack Meridian Health of New Jersey, which includes the John Theurer Cancer Center, made an undisclosed ransomeware payment to restore patient records that cyberattackers had frozen. The 2-day suspension affected information technology systems throughout the 17-hospital network. The system worked closely with cybersecurity and forensic experts to address the problem, and health system providers and staff worked to ensure that patient safety was not compromised. Providers and staff rescheduled nonemergency surgeries and relied on paper-based health records and manual reporting until the situation was resolved.⁵

Also in 2018, employees at New York Oncology Hematology of Albany were tricked by a seemingly legitimate email login page. Through the ruse, which was quickly detected and countered, the phishers gained temporary access to email accounts containing sensitive information on as many as 128,400 current and former patients and employees from the institution.⁴