Your Practice Made Perfect
This podcast series provides support, protection, and advice for today’s medical professionals. Brought to you by SVMIC, a mutual insurance company that is 100% owned and governed by our policyholders.
Mar. 15, 2019
Episode 054: Prepping Your Practice for Cybersecurity
Have a question about this podcast? Contact us.
Speaker 1: You are listening to Your Practice Made Perfect, support, protection, and advice for practicing medical professionals, brought to you by SVMIC.
Brian: Hello, thanks for joining us on this week's episode of our podcast. My name is Brian Fortenberry, and joining us today we have a gentleman that is going to help us talk about some issues when it comes to cybersecurity and how that affects physicians and in medicine. Joining us is Chris McCarty. Chris, thanks for being here today.
Chris: Hey, happy to be here. Thanks for having me.
Brian: Well before we really get started in on the topic itself, Chris, why don't you go ahead and tell our listeners just a little bit about yourself, about your background, and your work.
Chris: Sure, yeah. My name is Chris McCarty. I am here at Knoxville, Tennessee, at the law firm of Lewis, Thomason, King, Craig, and Walter. We just usually go by Lewis Thomason, that's a lot less last names. I am originally from Sevier County, Tennessee, home of Dolly Parton, and I take that very seriously as well. I've practiced in the areas of employment law and cybersecurity, and I'm happy to be here.
Brian: Well, Chris, thanks for being here again. We are going to be talking about a subject today that affects really all of us, I guess, regardless if our profession is medicine or not. It can affect us in our personal lives and our professional lives. But really in the last several years now, you've heard more about cyber security issues and the healthcare field. It certainly is something that we have to be conscious of and thinking about. Tell us a little bit more, though, why physicians should worry more about cybersecurity in their role as a physician.
Chris: Yeah, I think the biggest reason is that, and a lot of physicians and a lot of people in healthcare don't know this, but healthcare, over the last few years, according to cyber crimes statistics, has been the number one target area for cybercriminals.
Chris: A lot of people believe that is probably still retail. I think that comes from most ... I shouldn't say most everybody. I certainly got one, and I think a lot of people I know got one, got the letter from Target a few years ago indicating they had the massive breach, and retailers are constantly targets, no pun intended. I think they still are, but I think the thing people don't understand, especially physicians is that that is sort of an antiquated type of cybercrime. Things move fast now, so antiquated can literally mean five years.
When we look at cybercrime, and we look at what people used to like, and when I'm saying people here I'm just talking about criminals, they used to want to get credit card information. But the problem with that is banks and lenders have gotten much better about identifying theft, sending out notifications, which a lot of us have received, saying, "Hey, we think your card has been corrupted. We think somebody's gotten it. Do you want us to turn it off?" That's just very common now. They've all, Citibank, and Chase, and all those people were having to pay those fraud amounts, so it's been in their best financial interest to fix it.
Chris: What's happened is that credit card information in the classic retail theft of that stuff, cyber-wise, has become less beneficial to the criminal. What they're turning to now is why would we go and get the credit card when that's a single, one-stop, and the moment it's off it's worthless, when I can go and get your medical records. They don't really care if you had a knee replacement, they don't care how your kidneys are doing, what they care about is almost every medical record that you ever see, at the top left corner or somewhere on the first page, it's got very important information. It's got your full name, it's got your address, it's got your social security number, it's got your date of birth. With those things, I can go fill out information for tax returns, I can get new credit cards, I can become you. On average, a health record versus a credit card number, one of those goes for 10 times more on the dark web than the other, and that's the health record.
Brian: I had heard some statistics about the dark web, as you were saying, that the amount people are willing to pay for health records is just astronomical, because like you were saying, it's almost a treasure trove of information, and you can do so much with it, right?
Chris: Yeah, absolutely. I think one of the reasons for that is physicians and the way in which we've always done things, and that's not just in the medical field, that's in education, that's in finance, is that we've always thought just by habit, that you have to have all those things everywhere. Those things, what I'm talking about again is your name, your social security number and your date of birth. As long as somebody has those though, you can really pose as anybody nowadays, because you're not going into the DMV and getting your picture made every time. You're literally asking for a mortgage sometime, on Rocket Mortgage, just by your information, not by a photo, not by anything.
We've really got to take a hard look as a society as well, this is gonna go for physicians, about do we really need all that stuff every time?
Brian: I totally agree with that. The point today is not necessarily to scare you, but to prepare you, and to know how you can do differently in day-to-day life, in your medical practice. Really, a person, they don't necessarily have to be a "techie" to assist in cybersecurity. Is that correct?
Chris: Absolutely right. I would say that for the most part, a person needs to be just proactive, and willing to say what their limitations are. If you're not a techie, then you need to make sure you're hiring techies, you need to make sure you've got a good IT consultant that's working for you, or working as the contractor for you. If you're not a techie, then you need to make sure at least you're being proactive with simple things.
I'll give you one easy tip that a lot of people don't do that has nothing to do with being a techie. One of the things that we see in cyber compliance, a very common type of breach is what I call the angry ex-employee. That's gonna be a situation where let's say you fired somebody, let's say they leave on bad terms from your practice. Well, I bet you anything that when they were working for you, you gave them a password that allowed them to get into your portal and your system, and you gave them online access. Maybe they could even log in from home.
Well, very simple question, when they're leaving your practice, who is responsible for making sure that that password is turned off, and they no longer have access?
Brian: That's a great point.
Chris: You don't have to be a techie to know that, you just have to make sure there's somebody in charge that says, "Oh yeah, when employees leave, who turns those things off?" Because I can tell you that we've dealt many times, me and my partner Justin Joy, who's in our Memphis office also does cyber work. We deal many times with when we look into and see what the breach was, it's an angry ex-employee that's just gone online and realized, "Hey, they didn't even turn off my password. I'm gonna log in and dump all this stuff on the internet." That's just an easy fix that a lot of times people just don't take the time to make sure that there's somebody holding the keys.
Brian: There is a component to this that is just common sense thinking, right?
Chris: I'd say 80% of it is just common-sense thinking and being proactive. Very little of it has to do with being an actual techie. In fact, sometimes I wish physicians, and other clients that I have that are professionals would admit, and this goes for me too, I talk about cybersecurity, but I certainly don't know how to code, and just acknowledging that you're not a techie, and acknowledging that you need help is really a big part of this.
Brian: Right. I often say in a lot of things in life, it's not knowing what you know, it's knowing what you don't know, and when to not force yourself into a situation to try to fix something that you don't know and when to get help. In your practice, what are some of the most common cybersecurity issues that you and your partner have come across as it relates to medicine?
Chris: Yeah, I think the big ones fall into three categories. I think even if you have a loose understanding of cybersecurity, you know what malware is. Malware is basically somebody somewhere has gotten onto a website or opened up an email that probably has some type of illicit software that's gonna go into your system through the back door and start pulling out information, or start doing things that you don't want it to do. A lot of times, honestly, almost every one of us has some type of malware on our devices. Usually, it's just for tracking. But what I would call criminal malware, it's stuff that you really want to watch out for. Things like worms, that can be where it's literally going into your financial system and pulling out small amounts of money at times. Things like that. That's very common.
Chris: Ransomware is also pretty common. That's becoming probably more common. That sounds really malicious, and it is. We see that more with large practices. It doesn't necessarily mean that you're a practice in an urban area, we've seen ransomware attack certainly rural areas as well. A lot of times, cybercriminals are gonna attack places that they assume are not gonna have a lot of cybersecurity, a lot of firewall protocol, just bad processes. Ransomware, just in a very basic sense, is literally criminals put in a bad software somehow, and we could talk about that and shut down your system, and basically send you an email that says, "Hey, if you want back into your system, wire this amount of money to the Ukraine or Southeast Asia, and we'll turn it back on."
Brian: That is within itself just terrifying to a medical practice. One, it's a huge interruption in your business, number one. But then number two, there is, as you said, a treasure trove of information that is out there, and then you're into now all these HIPAA violations, and breaches. That's a nightmare to have to deal with.
Chris: Oh, absolutely. When you're talking about breach notification, HIPAA, that's another thing that we didn't talk about at first, that I think also goes to physicians, and it's a good thing to bring up. If you get a cybersecurity breach, under HIPAA you have to notify all your patients of the possible breach. It's like we all said with the Target thing, I guarantee a lot of people changed their shopping habits when they got that letter from Target. I can assure you, if you don't handle that breach right, you're gonna lose patients.
Brian: Yeah. You're dealing with it not only from that standpoint, but then it becomes a whole damage control situation of if they can't protect my information, I'm gonna go to the other doctor down the street.
Brian: It becomes a future problem as well. These can be really, really serious issues. I think one of the things that has bothered me, even thinking about, is often it seems like they are sending out this malware in these phishing scams, and things like that. This is not a person necessarily sitting on the other side of the computer somewhere trying to get information at one particular time, and then turning around and leaving, they're setting up a program that is working constantly in a variety of locations that is just literally bringing the information back to them. It's like a continuous thing, right?
Chris: Absolutely. Phishing is probably the one that we see people mess up the most, honestly. This goes for even not physician practices. If we look at one of the biggest breaches in history, that was the Sony breach a few years ago. They traced that back to North Korea, but at the base level, the Sony breach, and you're talking about a multinational corporation with the best cybersecurity in the world, but if you're not training your front-end employees how to handle email, and how to make sure what they're opening is appropriate or not, then you're still opening yourself up. I don't care how good your firewall is, or your security is. Basically, those employees, when they log in every day are in your system. They can allow people by answer the wrong email, basically a doorway into your protected system. That's where phishing compliance and phishing knowledge really is crucial to really any business today, including physician offices.
Brian: What steps can a doctor take to ensure that not only he, but like you said, the staff that have access to all of this, or not falling into these phishing scams. Do you have some pointers out there that they could take away to train their employees?
Chris: Yeah, really I would break it down in just two things. One is very simple and is just training. Paying somebody, or if you know how phishing works, just taking a 30 minute to an hour session at a staff meeting to go over phishing, and more importantly, to put up on a big screen what does a phishing email look like.
A lot of times, in phishing nowadays, they're a lot of sophisticated. They're gonna use, they're gonna figure out the names of people that work for the company. I'll be honest, this has happened to us this week where somebody was using my name, has tried to send emails to people in our firm to try to get them to open it. They'd just go to our website, and figure out what that is. But if you actually click on the name itself, and look at the underlying email address, you'll see that it's not the right address.
One thing that I always tell people, the easiest way to avoid phishing is never respond to an email unless you've actually looked at who sent it. Not just the name, but the actual email domain, and the email address itself. That's step one.
Step two is, and this is just an easy thing as well, and again it goes back to you don't have to be a techie, if somebody in your office gets a phishing email and they show it to you, that's great. Commend them for the fact that they recognize it, but also, send that out to everyone and say, "Hey, look. Here's an example of phishing. They're trying to do it." That does two things. One it shows people what they look like, which is what we just talked about, and two, it shows people this is not something we're making up. People are trying to do this to us every day, and you need to be constantly aware of it.
Brian: If you fall victim to this, and somebody has clicked on it, and you discover at some point, I as a physician have now had a breach in my system. What do you do next?
Chris: I'm gonna say this with total respect to everyone because I think any business, so this is law firms, this is physician offices, sometimes we get committee obsessed. What I mean by that is, the first thing I want you to do is not form a committee. I don't want you to try to decide that you're gonna have a meeting about this five days from now, 'cause here's why. Under HIPAA and under state breach laws, you have a very short amount of time to make sure that A) what the breach is, B) how widespread it is, and C) who exactly you're gonna notify.
Chris: You have to do that within a short period of time, and that clock starts running the moment you're on any notice of the breach. That is not when you decide you've been breached, that is when it reasonably is clear to anybody that you have. That clock starts the moment you get the email from your IT person that says, "Hey, I think we've got a breach." It doesn't start five days from now when you've all met with your partners and decided, "We might have a breach." That step one, don't form that committee.
Step two is know who your experts are. If that is calling a cybersecurity lawyer and letting us coordinate it, we do that all the time and we're happy to. Some people instead want to call the computer forensic company first. You get them to come in and figure out what is the extent of the breach.
The other type of expert I'm gonna tell people they need here, and again I say this with all due respect, and I'd say the same thing to lawyers, doctors, bankers, whoever, you're gonna need PR firm at some point. Here's why. Under HIPAA, if you have a breach of a lot of patients, then you actually not only have to send a notification to those patients, you have to send notifications to local news outlets. That's gonna be local news stations, that’s gonna be local newspapers. You got to tell them you've had a massive breach.
Again, doctors do a lot of great things every day, more important things than I do, but they're not writing press releases, and neither am I. You need to have somebody in there that's gonna help you with that language, make sure you're saying it the right way because again, your patients are gonna remember this. It's gonna matter to them, and what you say really does count.
Brian: Absolutely. Another option, SVMIC there is part of every policyholder's coverage that has an underlying amount of cybersecurity insurance there. Certainly, that option would be reach out to SVMIC if you're a policyholder or if you have cyber insurance, and let them start that ball rolling as well.
Chris: Yeah, absolutely. SVMIC does a great job of really helping coordinate that process, and also putting you in contact with a lot of people that know what they're doing. That's gonna be lawyers that do it, that's gonna be computer forensic companies that do it, and they do a really great job of making sure you know who to call.
Brian: Well Chris, this has been incredibly informative. It's always good to know there is something that we can do and not have to necessarily be a techie to protect ourselves, and then knowing that there are people like you, SVMIC, and others out there that really can be there to hold our hand and help us through these situations if we are one of those unfortunate victims that fall prey to this. Thanks for taking the time to discuss this with us, Chris. Thank you again.
Chris: Really appreciate it. Thank you.
Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect with your host, Brian Fortenberry. Listen to more episodes, subscribe to the podcast, and find show notes at svmic.com/podcast.
The contents of this podcast are intended for informational purposes only and do not constitute legal advice. Policyholders are urged to consult with your personal attorney for legal advice, as specific legal requirements may vary from state to state and change over time.
The contents of this Podcast are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time. All names have been changed to protect privacy.
About our Guest
Chris W. McCarty is a shareholder in the Lewis Thomason Knoxville office and practices in the areas of employment law, education law and civil litigation. Mr. McCarty handles matters before state and federal courts throughout Tennessee and has argued before the Tennessee Court of Appeals. Mr. McCarty also presents on employment and education law topics. His articles on those topics have been seen in numerous publications, including HR Magazine, the Tennessee Bar Journal and the Knoxville Business Journal. Mr. McCarty is approved as a member of the American Arbitration Association's (AAA) Panel of Employment Arbitrators.
About our Host
Brian Fortenberry is Assistant Vice President of Underwriting at SVMIC where he assists in evaluating risk for the company and assisting policyholders with underwriting issues. He has been involved with medical professional liability insurance since 2007. Prior to his work at SVMIC, Brian worked in the clinical side of medicine and in broadcast media.