Tell us about yourself and the practice.
I am the practice administrator for a small, privately owned family practice in Arizona. We have a single location housing fewer than 10 physicians. Given that this interview focuses on our cybersecurity efforts, I’ve chosen to remain anonymous because the last thing that I want to do is draw attention to our practice. Wouldn’t it be ironic if we became a target for a cyber attack by discussing our precautions against it?
What prompted your practice to look into cybersecurity solutions?
As background, I am something of a geek. I regularly keep up with technology news and trends. A year ago, a buddy of mine shared his experience as a victim of ransomware (the $500 variety on his personal computer), so I had some awareness of this threat. But I became much more concerned with the recent news of hospitals getting attacked and being taken hostage.
As I read about the damage being done, I shared the stories with our physicians and staff. I asked everyone to be vigilant with their email, and tried to impress upon them the consequences that are possible. As I researched this topic further, I became aware of a Security Awareness Training company that offers to test your staff for free. So, a week after I warned my staff, I sent them each a bait email, based on common phishing attacks. In the first hour, three individuals had already clicked on the poisonous link. In total, five individuals clicked on the bait link – two of them were physicians. Rumors began to spread around the office, which likely prevented a couple more clicks.
Was there any pushback from physician leadership or other higher ups?
No, the owner recognized that the threat is real, and that we were obviously susceptible.
Did you look to your peers for advice on what type of vendor/solution to turn to?
KnowBe4 was recommended to us by our IT support company. I was impressed by their methodology and capability, and the price was very reasonable.
Had any of your peers already implemented such technology/services, or is your practice leading the way in this area?
I don’t personally know of any other practices in our area doing this yet. But I have heard through the grapevine of one local practice that had fallen victim to ransomware.
What type of solution did you ultimately opt for? What were the deciding factors that helped it win out?
We are already using enterprise-level virus scanning, spam blocking, and email attachment filtering. But I assume that all of the hospitals that have been hit have also had similar precautions. So, we wanted to add an employee training program with ongoing monitoring.
We ended up going with KnowBe4. They offer a Web-based training platform, and track completion of courses for each employee. They will also continue to monitor compliance through an ongoing email campaign where they will repeatedly send simulated scams to all employees. Any employee who clicks the bogus link, or opens the attachment, is identified for retraining.
How receptive have your employees been to the cybersecurity tools now in place?
I was worried about complaints from our staff about a mandatory training video about this geeky stuff. However, virtually all of my staff have responded positively about the training. Some have asked if their family members can take the same training. (KnowBe4 does offer a shorter training that can be shared with family without additional cost.) And we have certainly seen our staff looking more skeptically at emails, and being more hesitant to open attachments. I believe it is working, and we will continue to monitor our staff to ensure that they don’t slip backwards.
Is your practice looking beyond ransomware to other types of cybersecurity attacks looming on the horizon?
Of course. We are worried that our three backup methods are not sufficient. We are worried about the possibility of stolen laptops, hacked Wi-Fi, spear-phishing in the guise of incoming digital medical records on CD or thumb drive, password security, phone security, and the security of our EHR, ACO, patient portal, and the 20 insurance portals that we log into on a daily basis, each using separate credentials. And despite our efforts in all of these areas, it never feels that we have done enough.
What best practices/advice can you offer other practices that are looking into these types of solutions?
I recommend that they begin with a free test of their staff. It will help to determine how great your need is. But remember, all it takes is one individual to open a bad attachment. Even if that employee doesn’t have an email account with your practice, if they open their personal email on company equipment, you are still vulnerable.
Do you have any final thoughts?
We are becoming increasingly paranoid and frustrated by the current state of affairs. We are paranoid because medical information has become so valuable to criminals that it has made all medical practices a target. And we are frustrated that the system has not found a way to prevent the crimes of identity theft and medical billing fraud, so the strategy is to prevent all thefts. Unfortunately, our country can’t figure out a way to prevent someone from opening a line of credit with a stolen name, SSN, and DOB. So instead, all of our staff members need to be smarter than a trained, professional hacker. And in fact, all medical industry workers will need to be smarter than all of the hackers who are attacking us. It’s insanity.