Cyberattacks increased significantly in 2020, amplified by a jump in extortion attempts against healthcare organizations and in attempts to acquire information related to COVID-19.
Two spine surgeons discuss recent cyberattack attempts on their practices and the preventive measures they're taking to protect their computer systems from potential hackers.
Ask Spine Surgeons is a weekly series of questions posed to spine surgeons around the country about clinical, business and policy issues affecting spine care. We invite all spine surgeon and specialist responses.
Next week's question: What's your favorite part of the week as a spine surgeon?
Please send responses to Alan Condon at acondon@beckershealthcare.com by 5 p.m. CDT Wednesday, Sept. 22.
Note: The following responses were lightly edited for style and clarity.
Question: Have you experienced a cyber attack? How are you reinforcing cybersecurity at your center?
Robert Bray Jr., MD. DISC Sports & Spine Center (Newport Beach, Calif.): Cybercrime has become a foremost issue for medicine, and, in the wake of COVID-19, it is an ever-expanding threat to our society. It represents a very dark side of society that is taking advantage of international loopholes in laws and vulnerabilities during the fragile time when nations are down from fighting the pandemic.
We have recently been attacked twice, but both attacks were caught quickly, and rapid identification and lockout prevented any significant damage. While we were unable to trace the origins of what appeared to be a password-stealing scheme attempting to gain access to our main network, we sat down with our IT company and did a complete review of our structure to strengthen security.
We have recently updated all firewalls, instituted double authentication for sign-in to all company ports and systematically replaced all routers with Meraki routers and switches, updating to the most modern equipment available. All of our non-supported or aging systems were replaced. We reviewed and unpatched all old data ports which were not in use, including old fax machines and lines. We instituted the system with Ironscales' email security systems, which provides us a weekly report and seems to block an incredible amount of malware and phishing schemes at the source before ever coming in. We also began training programs for all of our personnel on threat detection with ongoing updates of how to avoid susceptibility to scams.
We then had an outside review from a company called Frontline Security, a contact from my military days that does a great deal of high-level national security reviews. They reviewed our entire system and found a few further minor residual weaknesses, after which they updated our remote access systems, reviewed any gaps present on the network and established a further ongoing monitor program.
The time and effort spent is obviously paying off already. With the number of block attempts that are ongoing, the protection of medical data (which is quite valuable on the dark web) should be taken very seriously, and we look at the money spent to do so as well-invested if it means avoiding potentially devastating data breaches or lockdowns of our systems.
John Dickerson, MD. Kansas Spine & Specialty Hospital (Wichita): We have had several attempts at cyberattacks, most recently in 2019. Luckily, we had no trace of malware and we did not have any data stolen or destroyed. Based on this, we took several actions: Put in a next-generation firewall and hardened network firewall settings, increased security patches on systems within the environment, increased monitoring of network traffic and increased the amount of training for staff to lessen or eliminate the threat of phishing, etc.