Cyber security is an increasing concern throughout society. Among the most common cyber attacks targeting United States businesses are ransomware (which occurs when a hacker uses malicious software to lock a person or organization out of their computer files unless they pay the hacker a ransom) and phishing (where a hacker sends a potential victim a seemingly credible email requesting sensitive information, which can then be used to access a computer system), says Peter Cass, OD, vice president of development for Practice Compliance Solutions and chairman of Elevate Digital Optics.
The U.S. Government Accountability Office notes that ransomware and data breaches, among other cyber attacks, are being reported to law enforcement agencies with greater frequency (see “Rate of Ransomware and Data Breach Attacks,” below). Further, a JAMA article from this past December reports that the number of ransomware attacks against health care organizations increased between 2016 and 2021: a total of 374 ransomware attacks on health organizations occurred during that period, exposing the personal health information of 42 million patients (for the full study, see bit.ly/JAMAransomware ).
According to Dr. Cass, a medical record will sell for around 50 times what a credit card sells for on the black market. This is highly valued data, and thieves have become increasingly skilled at obtaining it, he says.
A 2021 report from healthcare news website Fierce Healthcare backs up these figures, noting that medical records obtained by hackers typically sell for between $250 and $1,000; comparatively, credit cards fetch around $5 each (the full article can be viewed at bit.ly/FHmedicalrecords ).
Practices often aren’t thinking about these risks. But the truth is, it’s a problem that could happen to any practice, and smaller practices, which tend not to have an IT department, are most at risk, says Dr. Cass.
David R. Gibson, OD, FAAO, of Drs. Gibson, Gibson & Moore in Lubbock, Texas, says that he was hit not once, but twice by ransomware attacks. In the second attack, the practice lost access to its entire server — and thought it had lost 12 years of patient data. Fortunately, all the data were recovered, but Dr. Gibson says that he’s now taking even more precautions than ever before.
To help protect optometry practices and patients, Dr. Cass, Dr. Gibson, and Kevin Johnson, senior vice president and program executive for Lockton Affinity (the AOAExcel-endorsed insurance policy provider for American Optometric Association members) review steps to prevent cyber attacks.
RATE OF RANSOMWARE AND DATA BREACH ATTACKS
CYBERSECURITY ATTACKS, and their associated expenses, pose a serious risk to businesses and individuals across the United States. The numbers below are data breach and ransomware incidents reported to law enforcement in 2016 and 2021, as reported by the U.S. Government Accountability Office. For more information, go to gao.gov/cybersecurity
REPORTED INCIDENT TYPE | DESCRIPTION | 2016 INCIDENTS (QUANTITY) | 2016 INCIDENTS (TOTAL COST) | 2021 INCIDENTS (QUANTITY) | 2021 INCIDENTS (TOTAL COST)
DATA BREACH | Unauthorized or unintentional exposure, disclosure, or loss of an organization’s sensitive information | 3,403 | $95.9 MILLION | 1,287 | $151.6 MILLION
RANSOMWARE | A type of malware used to deny access to IT systems or data and hold systems or data hostage until a ransom is paid | 2,673 | $2.4 MILLION | 3,729 | $49.2 MILLION
UPDATE INTERNET USE POLICIES
Both Dr. Cass and Mr. Johnson urge that getting staff policies and procedures in place regarding internet use is a vital first step, as personal device usage can inadvertently lead to security breaches.
“Sometimes staff just doesn’t know that they’re putting the practice at risk — it has to be something that’s talked about,” Dr. Cass says. According to Dr. Cass, two of the biggest risks he sees are ransomware and accidental virus downloads.
Dr. Cass advises practices to develop policies for personal device use among staff and a policy for personal internet usage, as breaches often result from someone “clicking on something they shouldn’t,” which commonly occurs in phishing scams where fraudulent messages deceive employees by appearing to come from legitimate sources.
“Scammers have gotten really good, and emails sometimes appear very legit. So, there also needs to be a level of training in talking to employees about these threats,” says Dr. Cass.
Mr. Johnson advises that staff should look carefully at the sender’s address — often, phishing emails come from an email address that is close to a legitimate sender or company, but at second glance has a misspelling of some sort.
Dr. Gibson says that he can attest to how phishing is evolving — and how careful everyone must be when it comes to clicking on links.
“The bottom line is if it’s not something you were expecting via email, don’t click on it,” he says.
For even more protection, Dr. Cass says that “permissions” can be set up on the practice’s router in which the practice owner can “white list” or “black list” websites. White-listed websites will be the only ones accessible — such as medical insurance companies or the American Optometric Association. Dr. Cass says this is best set up by an IT company within the router’s firewall; strong firewall protection is critical, he adds, as it can minimize breaches.
“[Limiting websites] can be frustrating, as staff will need to ask about adding legitimate websites to the list, but it’s definitely the safest way,” Dr. Cass says.
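The two checks described above, Mr. Johnson’s “look carefully at the sender’s address” and Dr. Cass’s allow list of permitted websites, can both be expressed as a small domain policy. The following is an added example written for this article, not code from any of the practices or vendors quoted; the allow list, the confusable-character table and the sample addresses are constructed for illustration, and a real allow list would come from the practice’s own policy (and the browsing allow list would be enforced in the router or firewall, as Dr. Cass recommends, not in a script).

```python
"""Sender-domain and web allow-list checks (added example, not from the article)."""
import re

# Hypothetical allow list: the only domains the practice treats as legitimate.
ALLOWED_DOMAINS = ("aoa.org", "cms.gov", "example-insurer.com")

# Characters phishers swap for visually similar ones; fold them before comparing.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _fold(domain: str) -> str:
    """Normalize a domain so look-alike spellings collapse onto the real one."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'; '' if malformed."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_allowed_host(host: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only for an allowed domain or a subdomain of one.

    Matching happens on label boundaries, so 'aoa.org.evil.com' and
    'evilaoa.org' are rejected even though both contain 'aoa.org'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_sender(address: str, allowed=ALLOWED_DOMAINS) -> str:
    """Classify a From: header as 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    domain = sender_domain(address)
    if not domain:
        return "invalid"
    if is_allowed_host(domain, allowed):
        return "trusted"
    folded = _fold(domain)
    for d in allowed:
        target = _fold(d)
        # A trusted name used as a leading label (aoa.org.evil.com) or a spelling
        # within one edit of it after folding (a0a.org, arnerica.com) is a look-alike.
        if folded.startswith(target + ".") or _edit_distance(folded, target) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ("AOA Member Services <news@aoa.org>", "billing@a0a.org",
                "alerts@aoa.org.evil.com", "Dr. Smith <smith@gmail.com>"):
        print(f"{classify_sender(hdr):9s}  {hdr}")
```

A “lookalike” verdict is the case Mr. Johnson describes: the address reads correctly at a glance but differs from the real domain by one swapped or added character. The edit-distance threshold is deliberately tight; a legitimate but unlisted domain that happens to sit one edit away from a trusted one will also be flagged, which for a practice that only expects mail from a short list of partners is the safer failure.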
Dr. Cass also suggests that practices use policies recommended by the Cybersecurity and Infrastructure Security Agency, which can be found at bit.ly/CISAstopransomware .
UPGRADE AND PROTECT YOUR ROUTER
Practices will also want to consider upgrading their router to better protect it from malicious users. Practices “buy a consumer-grade router when, in reality, any business should be using a commercial-grade router,” says Dr. Cass. “A consumer-grade router is significantly less secure, and it’s easier for a criminal to breach the router and get connected to your network.”
“If you don’t already have a commercial-grade router, I would recommend contacting a local IT company and letting them install one for you,” Dr. Cass continues. “It might cost around $1,000 but that is well worth it.”
Additionally, optometry offices may want to reconsider offering free Wi-Fi in their offices. Dr. Gibson says that since the second attack, his practice has done away with free Wi-Fi because Wi-Fi provides access directly to the router, so it could serve as another possible entry into a system.
“Since most people have 5G [cellular service] now, they don’t really need it,” he says. “We have also asked employees not to log in with their phones on our office Wi-Fi.”
PROMOTE PASSWORD PROTECTION
Protection also comes down to simple things, like better passwords. Mr. Johnson says that the strongest passwords have a variety of letters, numbers, and symbols. Passwords should also be changed regularly. But it’s also a matter of keeping passwords protected.
“So often, we’ll perform an on-site visit, and we see passwords written out on a sticky note taped to the computer,” Dr. Cass says, which makes it easier for malicious practice visitors to see the password. “There must be protocols and policies in place for these types of things or the staff doesn’t realize they’re doing something risky.”
USE ENCRYPTION AND BACK-UPS
Encrypting data is also an important step. Dr. Cass says that just like you wouldn’t leave your office unlocked for the weekend, you shouldn’t leave data unprotected. The Windows operating system, for example, has a built-in encryption program, called BitLocker, which can automatically protect files, says Dr. Cass. Using programs like BitLocker, “makes it more difficult for criminals to access data. If you suffer a ransomware attack but your electronic health records system is password protected and your hard drive is encrypted, you should be pretty safe.”
Dr. Gibson says that his data was encrypted, so even though his practice was locked out of its system by the ransomware attack he knew patients’ data could not have been compromised.
Dr. Gibson says that he has learned the importance of backing everything up – that way, even if an attack compromises your practice’s files you still have a copy of everything. He says a back-up should include not just your data file but the entire system with all the configurations, so you can print to other printers besides your own.
“I am fairly computer savvy, but I got lazy and wasn’t keeping up with backing up data,” he says, which hurt him when the ransomware locked him out of his server. “Now, we have a system that runs a back-up automatically,” set up by his IT company.
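An automatic back-up only helps if the copy is still intact when it is needed; ransomware that reaches a mounted backup drive encrypts the copy too, and a restore that silently drops files is not discovered until the outage. The following is an added example, not the tooling Dr. Gibson’s IT company installed: it records a SHA-256 manifest of the source tree at back-up time and later compares a backup copy against it. The “practice” files it creates are constructed in a temporary directory for illustration.

```python
"""Backup integrity manifest (added example, not from the article)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root, manifest: dict) -> dict:
    """Compare a backup tree to a manifest taken from the original.

    Returns {'missing': [...], 'modified': [...], 'extra': [...]}.
    All three lists empty means the copy matches the original byte for byte.
    """
    current = build_manifest(backup_root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Construct a tiny server tree, back it up, tamper with the copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "server")
        (src / "ehr").mkdir(parents=True)
        # Constructed sample data, not real patient records.
        (src / "ehr" / "patients.db").write_bytes(b"constructed sample data\n" * 100)
        (src / "config.ini").write_text("[printers]\nfront_desk=192.0.2.10\n")
        manifest = build_manifest(src)  # store this separately from the backup itself

        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)
        clean = verify_backup(backup, manifest)

        # Simulate ransomware overwriting one file in the backup and deleting another.
        (backup / "ehr" / "patients.db").write_bytes(b"ENCRYPTED")
        (backup / "config.ini").unlink()
        tampered = verify_backup(backup, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere the backup job cannot overwrite (a different account or an offline copy), otherwise an attacker who encrypts the backup can regenerate the manifest to match. Run the verification after every scheduled back-up and treat any non-empty list as an incident, not a warning.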
HIPAA Compliance Software
THERE ARE MANY SERVICES and software products that can help increase your practice’s cyber security by ensuring your handling of sensitive patient health information is HIPAA compliant. A few companies offering such services for HIPAA compliance are:
Abyde - https://abyde.com/
Compliancy Group - https://compliancy-group.com/
HIPAA One - https://intraprisehealth.com/hipaa-one/
Practice Compliance Solutions - https://practicecompliancesolutions.com/
Vanta - https://www.vanta.com/
OUTSIDE REINFORCEMENT
While these steps are critical, practices are sometimes overwhelmed about where to start — not to mention too busy to spend a lot of time on it. That’s when it is recommended to bring in an outside vendor.
“If you don’t feel comfortable with this, having an outside vendor that specializes in cyber security can be a very valuable investment,” says Mr. Johnson.
Dr. Cass agrees and says that he often recommends practices consider bringing in a local IT company or cyber security expert to help identify weak spots. Some companies will also help with IT and computer safety training.
RECOGNIZING THE THREAT
Cyber attacks “can be a huge drain of time and money when a breach occurs,” says Mr. Johnson. “But it’s not that expensive to protect yourself against many of these threats. It’s mostly a matter of taking it seriously — and taking action. Don’t wait until something happens to get serious about cyber security.”
Nobody wants to think about these attacks happening to their practice but it’s something that must be on everyone’s radar, urges Dr. Gibson.
He sums it up this way: “Today’s cyber criminals will take anything. They never know when it will serve to verify some other information, like patient names, addresses, and phone numbers they got from another theft. You always think it will happen to someone else until it happens to you.” OM