
Practice Management | May 2025

A Cyberattack? Never!

We found out first-hand what happens in a cybersecurity breach; here’s what you can do to recover and protect your practice.

Cybersecurity is always a concern for health care practices, and several cyberattacks have directly or indirectly affected retina practices specifically. For example, Change Healthcare, the Ascension Healthcare System, and Cencora each had significant data breaches in 2024.1-3 Hackers are always lurking, trying to take advantage of any network vulnerabilities.

AT A GLANCE

  • Health care and public health are the industries that are most frequently hit by ransomware attacks.
  • If your practice is the victim of a cybersecurity attack, immediately contact the FBI, your health care attorney, and your malpractice carrier for guidance.
  • To protect yourself from an attack, perform annual risk assessments; use multifactor authentication and strong passwords; invest in antivirus applications; ensure data backups are offsite, air-gapped, and tested regularly; and train staff on cybersecurity.

In its 2023 report, the FBI Internet Crime Complaint Center (IC3) stated that the complaints it received over the past 5 years represented $37.4 billion in losses to companies, and that health care and public health are the industries most frequently hit by ransomware attacks (Figures 1 and 2).4 Practices must be aware of these dangers, and practice leaders must ensure that their data and infrastructure are constantly monitored and updated to stay ahead of threats from the dark web. This article shares what can happen if you do not.

Figure 1. The FBI IC3 reported 3.79 million complaints resulting in $37.4 billion in losses to companies in 2023.4

Figure 2. The health care and public health sectors are the sectors hit the hardest by data breaches, according to the FBI IC3 report.4

THE ATTACK

Our practice was the target of a ransomware attack in April 2019. It started when staff who were working from home told our administrators that they were unable to access our system remotely. In-office staff noted that our practice management (PM) and electronic health record (EHR) software were not working. Our email was down, and files we normally access were gibberish text files when opened.

We discovered that our practice had been hacked by a Russian group that had installed the Gandcrab V5.2 ransomware on all servers and some workstations. Our EHR and PM software, email, and other files were inaccessible, and our backups had failed. Each affected folder contained a text file with detailed instructions on steps we had to take to recover our data (Figure 3). The hackers demanded payment for the decryption key for each server and computer affected.

Figure 3. All affected folders had this text file describing the decryption and how to release our data.

First Steps

Immediately, we contacted the FBI, our health care attorney, and our malpractice carrier for guidance. The FBI recommended that we not pay the hackers but understood if we decided to pay the ransom to recover our data. We fortunately located a company that said they could decrypt our data. Because we felt that paying the ransom to the hackers was no guarantee that we would have our data decrypted, we elected to use the company for decryption.

During this time, our practice continued to see patients. We were able to use our medication inventory system, our OCT and fundus review software, and other tools necessary for our daily operations. Ambulatory surgery centers were able to send us operative reports, and referring doctors helped by resending information for new patients. Our doctors documented examination notes on paper, with the understanding that we would enter examination information into the EHR once our systems were back online.

By the second day, we had started data decryption on our servers and mission-critical computers. After 2 weeks, our data had been completely recovered, and we had started the long process of returning to normal.

The next step in our recovery process was determining if our practice’s data had been encrypted only, or if personal health information had been compromised. We hired an information technology security and compliance company that investigated the data breach. They found that a brute force attack had been launched on an old Windows account to gain access to our servers. Sixteen different executable files were loaded into our system, which allowed the hacking of our administrator account and installation of ransomware on our devices. Thankfully, the company determined that our data had been encrypted only and no personal health information had been exfiltrated.

Providing Disclosures

As standard procedure, we were required to report the incident to several groups, including the US Department of Health and Human Services (HHS); the Office of Inspector General (OIG); the Attorneys General (AGs) in Indiana, Illinois, and Kentucky; the media; all our referring doctors; and all patients in our database. The information that we reported to the HHS, OIG, and AGs included our HIPAA policies and procedures, password management policies, previous risk assessments and penetration tests with our responses to them, and the security steps that we had taken since the attack and recovery. The letters to our patients discussed what had happened and included steps that they could take to protect themselves. The letters also had contact information for our practice if they had any questions. We prepared our staff members for the onslaught of incoming calls and requested that their responses remain consistent with the letter we sent out. If patients had additional questions, they were directed to administration.

The HHS, OIG, and AGs determined that the steps we took after the incident were appropriate and that our security improvements were sufficient to discourage future attacks. They did not assign any fines or penalties from this incident, but they did reserve the right to follow up with us to make sure that we continued to be vigilant with our cybersecurity practices.

The Cost

Our practice paid the data recovery company $167,000 for decryption, and they included stronger antivirus and antimalware software as a part of their services. The company that determined if data had been exfiltrated charged $20,000, and our legal fees totaled $35,000. Our information technology company acknowledged some blame for our backup failure and did not charge us for their work to recover our data. Thankfully, we had increased our cybersecurity insurance coverage a few months before the incident. All costs incurred were covered by this policy.

Ongoing Changes and Improvements

We back up data from our servers and mission-critical workstations every hour. These data are loaded to a local appliance (something akin to a server) and moved offsite where the data are tested and encrypted. The backups are air-gapped (ie, no connection between the backup and our network). We obtain appropriate penetration tests, vulnerability tests, and risk assessments. The results are discussed in board meetings, and we document our responses. All staff undergo annual HIPAA training and regular cybersecurity awareness training. We regularly discuss cybersecurity in staff meetings. Our passwords have complexity standards and are changed every 90 days, and we use multifactor authentication whenever possible.

We received a notification from the HHS Office for Civil Rights 4 years later, inquiring if we had continued these ongoing improvements. Because of our increased cybersecurity efforts, we were able to demonstrate that we were following the policies and procedures and that we continued to be diligent about our practice’s cybersecurity efforts. The Office for Civil Rights determined that our security efforts were appropriate, but they still reserve the right to check in periodically to ensure our efforts are ongoing.

WHAT CAN YOU DO?

Cybersecurity is an ever-changing landscape. Hackers discover new ways to breach security systems and wreak havoc on unsuspecting businesses every day. There are several things you can do to protect your practice.

Performing annual risk assessments as a part of your ongoing Medicare Access and CHIP Reauthorization Act of 2015 and Merit-based Incentive Payment System requirements is the first step. In addition, periodic vulnerability testing of your internal and external networks is crucial for ongoing diligence. It is not enough, however, that you simply perform these assessments. Your practice must review and implement changes in response.

Whenever possible, use multifactor authentication to prevent unauthorized access to your practice’s network. All passwords should be complex, with a minimum of 10 characters and a required combination of upper- and lower-case letters, numbers, and symbols. Staff who work offsite should go through a secure virtual private network application with multifactor authentication. Any user account that is no longer used should be removed or deactivated.

Antivirus applications must use endpoint detection and response or extended detection and response protection. Data backups must be offsite, air-gapped, and tested regularly.

Using a security information and event management (SIEM) system to monitor your network can help your practice identify and respond to potential security threats.
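The kind of detection logic a SIEM runs over logon events, as an added example that is not part of this article: it flags the flood of failed logons against a single account that the investigators found in the attack described above, the successful logon that follows such a flood, and accounts with no logon in 90 days that should be deactivated as the previous section advises. The event layout, thresholds, account names, addresses and times are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Windows Security-log style events: (timestamp, event_id, account,
# source_ip); 4625 = failed logon, 4624 = success. All values are invented.
FLOOD_START = datetime(2019, 4, 1, 2, 0, 0)
AUDIT_DATE = datetime(2019, 3, 31)  # constructed "day before the attack"
SAMPLE_EVENTS = [
    (FLOOD_START + timedelta(seconds=10 * i), 4625, "oldadmin", "203.0.113.7")
    for i in range(12)  # 12 failures against one account in two minutes
] + [
    (datetime(2019, 4, 1, 2, 2, 30), 4624, "oldadmin", "203.0.113.7"),  # then success
    (datetime(2019, 3, 29, 8, 14, 0), 4625, "jsmith", "10.0.0.5"),  # ordinary typo
    (datetime(2019, 3, 29, 8, 15, 0), 4624, "jsmith", "10.0.0.5"),
    (datetime(2018, 11, 1, 9, 0, 0), 4624, "ex-employee", "10.0.0.9"),
]
def find_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """(account, source_ip) -> peak failed logons in any sliding window, if >= threshold."""
    failures = defaultdict(list)
    for ts, event_id, account, src in events:
        if event_id == 4625:
            failures[(account, src)].append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits
def success_after_flood(events, hits, grace=timedelta(minutes=10)):
    """Success shortly after a flagged flood means a guess worked: [(account, src, time)]."""
    last_failure = {}
    for ts, event_id, account, src in sorted(events):
        if event_id == 4625 and (account, src) in hits:
            last_failure[(account, src)] = ts
    return [(acct, src, ts) for ts, event_id, acct, src in sorted(events)
            if event_id == 4624 and (acct, src) in last_failure
            and timedelta(0) <= ts - last_failure[(acct, src)] <= grace]
def stale_accounts(events, known_accounts, as_of, max_age=timedelta(days=90)):
    """Accounts with no successful logon within max_age before as_of: deactivate these."""
    last_success = {}
    for ts, event_id, account, _ in events:
        if event_id == 4624 and ts <= as_of:
            last_success[account] = max(last_success.get(account, ts), ts)
    return sorted(a for a in known_accounts
                  if a not in last_success or as_of - last_success[a] > max_age)
```

Run against the constructed events, the flood against "oldadmin" and the success 40 seconds after it are flagged, while "jsmith" with a single mistyped password is not; the stale check on the day before the attack lists both the never-used "oldadmin" and "ex-employee".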

Finally, regular security awareness training with staff is one of the best ways to ensure security. This can be done via monthly training videos, email phishing security tests, and regular cybersecurity discussions in staff meetings.

STAY VIGILANT

Although it is impossible to make your network hack proof, making it one that is difficult for hackers to crack can help steer them away from your practice.

1. Bose D. A large US health care tech company was hacked. It’s leading to billing delays and security concerns. The Associated Press. February 29, 2024. Accessed September 4, 2024. apnews.com/article/change-cyberattack-hospitals-pharmacy-alphv-unitedhealthcare-521347eb9e8490dad695a7824ed11c41

2. Harris D. Ascension data breach: health system says clinical operations disrupted. CRN News. May 8, 2024. Accessed September 4, 2024. www.crn.com/news/security/2024/ascension-data-breach

3. Becker Z. Data breach at pharma partner Cencora puts sensitive patient information at risk. Fierce Pharma. May 28, 2024. Accessed September 4, 2024. www.fiercepharma.com/pharma/data-breach-pharma-partner-cencora-leaves-sensitive-patient-information-more-dozen

4. Internet Crime Report 2023. Federal Bureau of Investigation. www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

Bill James, MHA, COE