The recent hacking of a Gold Coast practice’s medical records highlights the growing need for cyber security and insurance
It began as a small annoyance. Opening up early one Saturday morning last December, the receptionist at Miami Family Medical Centre found that the busy Gold Coast clinic’s front-desk computer wouldn’t connect to the server.
She moved to the back of the practice where the server was kept to fix the problem.
And that’s when it became obvious that it was something much more serious.
The server screen was locked and, amid an array of gobbledegook, was displaying a message demanding $4000 for the return of access to the business’s files.
It wasn’t a virus. It wasn’t a theft. It was ransomware.
Someone sitting at a screen, most likely in Russia, had identified a vulnerability in the practice’s operating system. Using sophisticated code, they had reached around the globe and broken into the suburban medical centre’s computer network, encrypting its files as well as what the owners, general practitioner Dr Ramira Butt and her husband David Wood, had thought was a secure backup system.
In an email to Dr Butt, the hacker or hackers said they would provide the key to the encryption if the ransom were paid.
Ransomware has existed for a couple of years, but it is only recently that it has been refined to the point that it has become a real challenge for small business.
And medical practices are clearly among those being targeted.
Miami is the only practice to have gone public about the crime, but 2012 saw at least one other Queensland clinic and three in Melbourne affected by similar attacks.
It’s not just happening in Australia. In the United States a Washington Post investigation recently identified the health care industry as one of the most vulnerable to cyber attack due to complacency about online security and delays in remedying flaws.
The cost of an attack or cyber security failure, whether it’s ransomware or data theft, can be severe.
There is the expense involved in contacting all the clients affected, the expense of contracting information technology (IT) experts to identify and remedy the fault, as well as possible liability for what is done with any data taken. It’s also potentially a significant blow to a practice’s reputation and goodwill.
The Miami practice was able to recover all except the last 12 months’ data thanks to backups, but Mr Wood says he still shudders to think what the final cost will be.
Electronic data theft is normally excluded from insurance policies, but coverage for incidents such as ransomware is available under new cyber security insurance policies offered by Chubb and Zurich.
It is early days, however, and such coverage remains prohibitively expensive for the vast majority of medical practices, according to Stewart Scott, a Brisbane-based broker with AMA Queensland Insurance Solutions.
As an example, Mr Scott said a cyber security policy for a practice with a turnover of up to $5 million still costs as much as $13,000 per year.
“The problem is, like any new product, they don’t know the risks yet. And it’s a pretty broad cover so it’s not affordable yet in the medical context”, he says.
If the federal government, as is expected some time this year, follows its US and United Kingdom counterparts in making it mandatory for all data breaches to be reported, even such expensive protection may become more attractive for practices when compared with footing the estimated $1–2 per head bill entailed in contacting every client.
Beyond the ransomware attacks, IT security experts say medical clinics remain relatively low-value targets for hackers compared to banks and online retailers.
While a clinic’s electronic files contain substantial personal information, their monetary value to strangers is small because they hold little financial detail.
A practice may still be hit with the costs of liability if patient privacy is breached online, however.
Unlike cyber security, insurance for cyber liability is already widely included as part of practice indemnity policies.
This provision recently saw a practice make a successful claim when a receptionist inadvertently emailed confidential information to a third party pretending to be a client, with the third party going on to post that information on the internet.
As always, prevention is the best defence. While it can eat up precious practice time and money, experts say owners need to take it much more seriously.
Dr Trish Williams is senior lecturer in computer and information security at Edith Cowan University in Western Australia.
A specialist in cyber security in the health care industry, she is currently helping to update the Royal Australian College of General Practitioners’ Computer and Information Security Standards (CISS).
“Practices don’t take security seriously enough. Often people will make the comment, ‘well, nothing has ever happened’ or ‘why does anyone want the information’. But it’s vital today”, Dr Williams says.
Given that even the Central Intelligence Agency can’t defend itself against the most sophisticated hackers, however, good security can be difficult to achieve. Beyond a secure firewall and antivirus software, doing regular backups and keeping those backups separate from the network is the most important guard against critical loss, she says.
“Some of these types of attacks are very specialised and are very sophisticated and clever”, Dr Williams says.
“Unless you have a completely ironclad system, you’re never going to stop all of this. You can never have 100 per cent security.
“And if hackers can get into one part of the network, they can get into all of it.”
Hence the need to ensure that backups are up to date and not accessible online.
When the revised CISS standards are released in June they will have a new emphasis on maintaining backup systems completely segregated from a practice’s network.
There will also be a recommendation that practices make greater use of technical assistance in setting up and maintaining IT networks.
It is recognition of the difficulty of negotiating the fine line between what tech-minded practice owners and managers are capable of doing themselves and when a clinic needs to spend the money to have IT security specialists ensure a robust set-up.
“For a lot of practices, that’s a very difficult balance to get”, Dr Williams says.
Looking to the future, Dr Williams and others in the IT security field warn that the increasing use of mobile IT devices in medical practices poses a further serious risk for data management.
They say that the same rigorous precautions applied to in-practice IT should also be applied to the tablets and smartphones staff use to exchange important information. These devices also need to be configured for maximum security.
“Some of these breaches occur because people don’t configure the external settings correctly”, Dr Williams says.
Back on the Gold Coast, these are all lessons Mr Wood and Dr Butt have learnt well.
After two weeks as a paper-only operation, they switched their IT system back on just before Christmas.
In addition to purchasing a new server and having it professionally configured, they are now employing independent IT security consultants to audit the entire network for any potential vulnerability.
Mr Wood says he’ll also be looking at cyber security insurance when he next renews his policies. The option had been available before but they didn’t take it, he says.
“I’ve tended to shy away from what I would call ‘esoteric insurance’ because you have to look at the fine print of how you qualify.”
In the end, they chose not to pay the ransom — fearful of follow-up demands and of sharing any sort of financial information with the extortionists.
And nearly three months after discovering the breach, Mr Wood is now in email correspondence with a Romanian IT expert who managed once before to decipher the encryption key used on a clinic this way.
“You can’t put too much faith in this”, Mr Wood says.
“But he’s been working on it and his most recent email was ‘I’m halfway there’. And this sort of stuff is just his hobby!”