Protecting your practice from cyberthreats
By Besse Medical
The pandemic has led to more of us working remotely – so keeping patient data safe and protecting your practice is a priority.
November 17, 2021
Alert: Fraudulent activity – holiday reminder
- Product Recall Fraud (pharmacy/manufacturer): In this scheme, bad actors call pharmacies and other pharmaceutical partners posing as employees of a legitimate manufacturer. During the call they explain that a product recall has been initiated and that the allegedly "recalled" product must be returned. To make the scheme seem more realistic, they follow the call with a fraudulent recall letter. The letter lists every product supposedly being recalled, with instructions to re-package it for pickup. The bad actors then arrange for an unauthorized courier to collect the product. They promise that the "recalled" product will be replaced, which never happens.
- Pharmacy/Wholesaler Fraud: In this scheme, bad actors first contact a wholesale distributor's customers to fraudulently obtain account information. They then use that account information to place fraudulent orders with the wholesale distributor, which ships the product to its customer as usual. The bad actors, posing as the wholesaler, stay in contact with the customer and claim the product was shipped in error. They tell the customer the product will be retrieved by a courier service and a credit will be issued once it is received. The product is then collected by an unauthorized courier and shipped to an unknown location.
- Bank Account/Payment Fraud: In this scheme, bad actors compromise a customer's email account and monitor it to collect finance-related correspondence. They then register a fraudulent email domain that imitates the customer's wholesale distributor and demand immediate payment of outstanding invoices, directing the payment to a new bank account they control. That account has no connection to the wholesale distributor.
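The payment-fraud scheme above relies on two things a mail filter can check: a sender domain that merely resembles the distributor's real domain, and language asking for immediate payment to new bank details. The script below is an added illustration, not tooling from Besse Medical or from this article; the vendor domain list, the homoglyph table, the wording patterns and the two sample messages are all constructed for the example.

```python
"""Flag vendor-impersonation email: lookalike sender domain + payment-change language.

Added example. KNOWN_VENDOR_DOMAINS, the homoglyph table, the regex patterns and
the sample messages are constructed for illustration and are not from the article.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Legitimate distributor domains your practice actually pays (assumption).
KNOWN_VENDOR_DOMAINS = {"bessemedical.example", "wholesaler.example"}

# Character swaps commonly used to build lookalike domains; folding both sides
# makes "bessemedica1" and "besse-medical" compare equal to "bessemedical".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]

# Phrases typical of a payment-redirection request (constructed list).
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (?:bank )?account\b",
    r"\b(?:updated?|changed?) (?:bank|banking|payment|remittance|wire) (?:details|information|instructions)\b",
    r"\bimmediate(?:ly)? payment\b|\bpay(?:ment)? immediately\b",
    r"\boutstanding invoices?\b",
]


def registrable_label(domain: str) -> str:
    """Label left of the TLD: 'bessemedical' for 'ar.bessemedical.example'."""
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold(label: str) -> str:
    """Collapse common homoglyph substitutions so lookalikes compare equal."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def lookalike_of(domain: str):
    """Return the known vendor domain that `domain` imitates, or None.

    Exact matches and real subdomains are not lookalikes; an attacker who has
    compromised the vendor's genuine mailbox is a different problem that this
    check cannot catch (hence out-of-band verification of any bank change).
    """
    domain = domain.lower().strip()
    for known in KNOWN_VENDOR_DOMAINS:
        if domain == known or domain.endswith("." + known):
            return None
    label = registrable_label(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        k = registrable_label(known)
        if fold(label) == fold(k):          # homoglyph / hyphen variant
            return known
        if k in label:                       # e.g. bessemedical-billing.example
            return known
        if SequenceMatcher(None, label, k).ratio() >= 0.85:  # one-character typos
            return known
    return None


def classify_email(raw: str) -> dict:
    """Parse an RFC 822 message and report why it looks like vendor impersonation."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else str(msg.get_payload())
    reasons = []
    for header, addr in (("From", from_addr), ("Reply-To", reply_addr)):
        dom = addr.rpartition("@")[2]
        target = lookalike_of(dom) if dom else None
        if target:
            reasons.append(f"{header} domain {dom} looks like {target}")
    from_dom, reply_dom = from_addr.rpartition("@")[2], reply_addr.rpartition("@")[2]
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    hits = [p for p in PAYMENT_CHANGE_PATTERNS if re.search(p, body.lower())]
    if hits:
        reasons.append(f"payment-change language: {len(hits)} pattern(s)")
    lookalike = any("looks like" in r for r in reasons)
    # A lookalike domain is enough on its own; payment language only flags when
    # combined with a Reply-To mismatch, so routine statements from the real
    # vendor are not blocked.
    flagged = lookalike or (bool(hits) and "Reply-To domain differs from From domain" in reasons)
    return {"from": from_addr, "flagged": flagged, "reasons": reasons}


# Constructed sample messages (not real correspondence).
LEGIT_MESSAGE = """From: Accounts Receivable <ar@bessemedical.example>
To: billing@practice.example
Subject: Invoice 1042 statement

Attached is your monthly statement. No action is needed.
"""

FRAUD_MESSAGE = """From: Accounts Receivable <ar@bessemedica1.example>
Reply-To: ar@bessemedica1.example
To: billing@practice.example
Subject: URGENT: outstanding invoice

Please remit immediate payment for the outstanding invoice to our new bank account.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("fraud", FRAUD_MESSAGE)):
        print(name, classify_email(raw))
```

Run it and the fraudulent sample is flagged on both the folded domain match ("bessemedica1" vs "bessemedical") and the payment wording, while the genuine statement passes. The check deliberately does not flag a message from the vendor's real domain, which is exactly what the compromised-mailbox variant of this scheme produces; that is why any change of bank details should be confirmed by phone at a number you already hold, never one in the email.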
September 14, 2021
Potential cyber risks – why practices are targeted
With the expansion of telehealth during the pandemic, protecting your patients’ data has become more critical. Providers and associates took work computers home, may have checked personal email while on your network, or used personal devices for work-related calls, all of which made your systems more exposed. Each of these opened your practice to phishing attacks that play on fear: the IRS needs some “information” from you, or your online shopping account has been closed because of unusual activity. Practice associates may have innocently opened an email or clicked a link without checking where it led.
While HIPAA enforcement was relaxed, practices may also have adopted systems that were not originally compliant with HIPAA requirements for protecting patient data.
Why were practices targeted? An individual patient record may not sell for much, but attackers understood what it would cost you if the data were released on the dark web. They have infiltrated networks and held data hostage, a tactic known as ransomware.
The attackers understood that even if the data itself was worth little, holding or releasing it would leave your practice liable for the cost of a data breach. That cost, estimated at an average of $430-$500 per patient record, comprises lost reputation, operational disruption, legal fees and fines from government agencies for HIPAA violations.
What does a practice administrator need to consider when using vendors for IT support, as well as vendors to help with telehealth?
- Is your vendor HIPAA compliant? That should be outlined in their business associate agreement (BAA).
- Look for their definition of a security breach: what does that term mean to the vendor compared with your practice?
- Look at their disclosure timelines and breach-notification process. How the vendor informs your practice of a breach, and how soon after the breach it does so, can make a significant difference to your practice and your patients.
How does your practice prepare to meet your security standards?
With the expansion of telehealth and its expected continued use, keeping patient data safe and protecting your practice must become a priority.
Practices who work with our Quality Reporting Engagement Group (QREG) will receive documentation to complete a security risk analysis which is provided as part of their consulting services.
Practices also need to keep in mind the pressure placed on an internal IT team when it alone is responsible for protecting the organization. Typical IT contracts focus on maintaining operations, not necessarily on security. Working with outside counsel, a security vendor can assess your software inventory to confirm that each product has the means to resist attack. They can also review your practice’s network and perform a vulnerability assessment. Systems that hold PHI should be restricted to professional use, accessible only to the people and locations that need them. Keeping data contained and protected within a controlled physical location is the first layer of a multi-layered security posture. A qualified IT contractor will tell you which systems are vulnerable and recommend the proper protection. Additionally, devices intended for a specific function should be limited to that function; doing so minimizes the avenues of exposure.
In a recent webinar, it was recommended that practices create a security roadmap. That process helps align security processes with your practice’s operational goals and determines whether you need outside help for protection. The roadmap is a living document that changes as cybercriminals change their tactics. Part of the roadmap is the security risk assessment that each practice must complete for its MIPS submissions.