‘Nobody is safe from this’: Cybercrime in health care
June 8, 2021
One misstep is all it takes to expose your practice's essential data and protected health information to a costly cyberattack. The threat to health care is growing, as is the sophistication of the attacks, and your practice could be next.
Excerpted from page 28 of the Sept/Oct 2019 edition of AOA Focus.
Flip on the lights, hang the "open" sign and boot up the computers: This is the ordinary, day-to-day of optometry practices in Anywhere, USA. It was such an ordinary day, in fact, when an unfamiliar, blinking message scrawled into view at one of the Kentucky practices of Joe Ellis, O.D., that it almost could've gone unnoticed.
Almost.
Reality came crashing down on every blue-screened computer ... along with any peace of mind. One by one screens flickered to life with a stark message: You've been hacked. The managing partner wasted no time getting Dr. Ellis on the phone.
"What the hell is a bitcoin?" Dr. Ellis recalls his colleague asking. "And where do you get one?"
Ransomware. It had locked users out of the practice's computers, and hackers were now requesting two bitcoins—cryptocurrency that's exchanged digitally, peer-to-peer—to regain access and control of their terminals. For a day and a half, the practice debated whether to pay the ransom before ultimately contacting experts as far away as New York.
They agreed to pay the ransom: two bitcoins at $750 apiece. The arduous and cryptic process of sending the bitcoins held everyone in suspense that perhaps it wouldn't work, or worse, they'd be gouged for more. They finalized the transaction.
"We got an immediate response with a code to break the encryption that was about two feet long," Dr. Ellis recalls.
That's when the real work began: IT dove into every nook and cranny of the network, searching for any trace of latent malware or a secret backdoor. Passwords and logins were changed. Records were pored over for signs of a breach; fortunately, there were none. And a SonicWall firewall was installed to log how often the network was being probed from outside: more than a thousand attempts a day.
IT also sleuthed out the infection vector. An employee had downloaded files off the internet onto their work terminal, and one of them carried the ransomware. All told, the fiasco cost more than two bitcoins; it all but shuttered the office for nearly two days.
Beyond sobering, the experience opened Dr. Ellis' eyes to the omnipresent cybersecurity threat that's increasingly plaguing health care. By one report's estimate, the health care industry is expected to suffer 2 to 3 times more cyberattacks this year alone than other industries. Moreover, ransomware attacks on health care are predicted to quadruple between 2017 and 2020, and quintuple by 2021.
"I don't think Americans truly understand this threat and how commonplace it's really become," Dr. Ellis says. "Nobody is safe from this."
Health care needs a security booster
Health care spending in the U.S. accounts for 18% of the nation's gross domestic product, or about $3.5 trillion, the Centers for Medicare & Medicaid Services estimate. By and large, the tantalizing target on health care's back is attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, valuable data, and the pressing need for practices or hospitals to pay ransoms quickly to regain data, per cybercrime magazine Cybersecurity Ventures.
It's a simple formula: low effort, high reward. Stolen protected health information (PHI) can be a dozen times more valuable on the black market than credit card information. While the latter goes for less than $5, followed by institutional login credentials ($1) and Social Security numbers ($1), the former reportedly fetches upward of $60 per record, CNBC reports. However, Shaji Khan, Ph.D., director of the cybersecurity institute at the University of Missouri-St. Louis, a National Security Agency/Department of Homeland Security Center of Academic Excellence in Cyber Defense Education, says it's even more basic than that.
"As I always say, attackers are target-agnostic," Dr. Khan quips. "They'll take anything that can be taken from anyone who can be attacked; there are some 'hacktivist' and political attacks, but the vast majority is simply motivated by money. Indeed, the term cybercrime is apt."
Far smaller than headline breaches, such as Yahoo's 3 billion accounts or Equifax's 143 million, attacks against health insurers, hospitals, medical practices and their business associates are far more common and on the rise.
As threats go, ransomware remains popular if only for its ease and effectiveness. In fact, the tools used in these attacks have "morphed," becoming ever more sophisticated, to the point that "ransomware as a service" is a new, maturing model, Dr. Khan says. Less technically adept attackers can rent advanced ransomware in exchange for a share of the take.
"However, it's important for small and large companies to take seriously the not-so-glamorous side of security, too," Dr. Khan says. "Sure, ransomware is the coolest threat, but it's the simple things that often land organizations in trouble. For instance, poor configuration of systems, password re-use, poor management of paper records, not understanding how vendors of all types of products and services may pose a risk to the clinic.
"Additionally, [Internet of Things (IoT)] devices in the clinic connected to local networks and the internet must be carefully configured and managed. This goes for any device, be it clinical to the cool new thermostat or coffee maker."
This last point is particularly pertinent. In an IoT world that tracks users' online habits with devices that make behavior-based decisions and actively listen for cues, medical practices have far more IT to consider.
In April, Amazon announced six new HIPAA-compliant Alexa skills designed to allow PHI transmission without violating the HIPAA Privacy Rule. While Alexa's still far from being able to handle anything expressly clinical inside the practice, these new features do allow patients to schedule appointments, find urgent care centers, receive provider updates, access blood-sugar readings and check the status of their prescriptions. Only time will tell what's next.
In the cat-and-mouse of cybersecurity, IoT, like the threats that could come to plague it, is always in flux. There's no staying ahead of it; rather it's about ensuring a good faith effort.
"We are still catching up, and I cannot foresee a time when we are ahead of the threats, and more importantly, ahead of vulnerabilities in our systems and people," Dr. Khan says.
"Clinics should really think about basic security hygiene as their best defense."
Back to basics
The first line of defense includes strong passwords or passphrases; restricting unnecessary access or user privileges (not all staff need admin privileges); keeping anti-malware or antivirus software up to date; filtering spam and risky attachments (.exe, .zip) and configuring workstations to show file extensions (with extensions hidden, an .exe can be dressed up to look like a .pdf); running a supported version of Windows and being mindful of Microsoft's end-of-support schedule; discussing safe email and online use protocols with staff; planning, enacting and actually testing a backup plan so recovery is speedy; and, last but not least, ensuring you're HIPAA compliant. It's a list that Marc Haskelson, CEO of Compliancy Group, an AOAExcel® Endorsed Business Partner, reinforces with every AOA member exploring HIPAA compliance.
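The attachment-filtering and file-extension points above are easy to state and easy to get wrong, so here is an added example in Python (not code from AOA, Compliancy Group or any vendor named on this page) that screens an attachment the way a mail gateway or intake script might. It checks the filename for executable extensions, double extensions like invoice.pdf.exe, and the Unicode right-to-left override trick that makes "report\u202Efdp.exe" display as "reportexe.pdf"; and, going a little beyond the list, it also looks at the bytes, because a renamed .exe still begins with the PE "MZ" marker and a zip can carry an executable inside. The sample filenames and the in-memory zip are constructed for the demonstration.

```python
"""Attachment screening: filename tricks plus content and archive checks.
Added example only; sample inputs are constructed, not captured."""
import io
import zipfile

# Extensions that run code on a Windows workstation when opened.
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll", "lnk",
               "js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}
# Extensions users treat as harmless documents; used to spot "invoice.pdf.exe".
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
# Unicode bidirectional-override characters: "report\u202Efdp.exe" is displayed
# as "reportexe.pdf", but Windows still treats it as an .exe.
BIDI_CHARS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
              "\u2066", "\u2067", "\u2068", "\u2069"}


def screen_name(name):
    """Return the reasons a filename looks deceptive; an empty list means it passed."""
    reasons = []
    if any(ch in BIDI_CHARS for ch in name):
        reasons.append("bidi override character hides the real extension")
    cleaned = "".join(ch for ch in name if ch not in BIDI_CHARS)
    base = cleaned.replace("\\", "/").rsplit("/", 1)[-1]
    if "   " in base:  # "invoice.pdf        .exe" pushes the extension off screen
        reasons.append("whitespace padding pushes the extension out of view")
    parts = base.strip().lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in BLOCKED_EXT:
        reasons.append(f"executable extension .{ext}")
    if len(parts) >= 3 and parts[-2] in DOC_EXT and ext not in DOC_EXT:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def screen_attachment(name, data=None):
    """Screen a filename plus optional content bytes. The name can lie; the bytes
    cannot: an .exe renamed to .pdf still starts with 'MZ', and a zip is opened
    so each member gets the same filename checks."""
    reasons = screen_name(name)
    if data is None:
        return reasons
    if data[:2] == b"MZ":
        reasons.append("content is a Windows PE executable regardless of name")
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = screen_name(info.filename)
                    if info.flag_bits & 0x1:  # encrypted member: scanners cannot see inside
                        member.append("password-protected (defeats scanning)")
                    if info.filename.lower().endswith(".zip"):
                        member.append("nested archive")
                    if member:
                        reasons.append(f"archive member {info.filename}: " + "; ".join(member))
        except zipfile.BadZipFile:
            reasons.append("archive is malformed; refuse rather than guess")
    return reasons


def build_sample_zip():
    """Constructed test input: a zip carrying a double-extension executable
    next to an innocuous text file. The 'executable' is a fake header, no code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "quarterly statement attached")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.7 constructed"),
        ("invoice.pdf.exe", None),
        ("report\u202efdp.exe", None),               # displays as reportexe.pdf
        ("scan.pdf", b"MZ\x90\x00" + b"\x00" * 60),   # .exe renamed to .pdf
        ("statement.zip", build_sample_zip()),
    ]
    for name, data in samples:
        verdict = screen_attachment(name, data)
        print(f"{name!r:28} -> {'BLOCK' if verdict else 'allow'} {verdict}")
```

Run as a script, the only sample that passes is report.pdf; the other four are blocked for the reason printed beside them. An empty reasons list is the allow signal, so a gateway can quarantine on any non-empty result and show staff the reason, which is far more useful than a bare "attachment removed".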
"You don't have to be an advanced IT person to do this," Haskelson says. "Most people have encountered this on their computer before."
That said, there's a slight but important distinction to be made when it comes to good data security and HIPAA compliance. The two run parallel, Haskelson says. HIPAA compliance goes beyond commonsense security and involves providers analyzing, assessing and demonstrating their adherence to security every year. Succinctly, it involves action.
HIPAA requires yearly policy and procedures training for all employees. They must acknowledge their understanding and compliance. Moreover, providers must demonstrate they've done their good faith effort to protect PHI. And, should an incident still occur, providers must investigate, remediate and report. Haskelson says providers' biggest mistake is often performing only one component of HIPAA compliance: a Security Risk Assessment. In addition, providers must collect business associate agreements as part of their technical due diligence and follow through on those privacy and security measures.
"The two big defense strategies that everyone should be doing are encryption and backup," Haskelson says. "If your data was encrypted correctly and ransomware did hit it, those actors can't use it anyway so it's not a breach and your patient records are safe. Now, if you didn't back it up correctly, you can't serve the patient who walks in Monday morning.
"If you were encrypted and backed up correctly, then there was no breach—it didn't happen."
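The backup item in the list above and Haskelson's point about being able to serve Monday morning's patient come down to one question: has the backup ever been restored? The following Python is an added example, not AOA's or Compliancy Group's code. It backs up a constructed set of sample files with a SHA-256 manifest, proves the backup restores intact before anything goes wrong, simulates ransomware overwriting and renaming the live copies, and then restores from the copy kept elsewhere. The file names and contents are constructed, and the hypothetical "offsite" directory stands in for storage the ransomware cannot reach; in a real practice that means media that is not mounted on the same network share the malware can write to.

```python
"""Backup-and-restore drill with a hash manifest. Added example only;
every file here is constructed sample data, not a real record."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Newer Python releases accept an extraction filter that rejects archive members
# with absolute paths or ".." components; use it when present so a tampered
# backup cannot write outside the restore directory.
_EXTRACT_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_path):
    """Archive src_dir and return {relative path: sha256} taken at backup time.
    The manifest is what later tells you whether the backup is still the backup."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(backup_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore_backup(backup_path, dest_dir):
    """Extract into dest_dir and return {relative path: sha256} of what came out."""
    dest_dir = Path(dest_dir)
    with tarfile.open(str(backup_path), "r:gz") as tar:
        tar.extractall(str(dest_dir), **_EXTRACT_KW)
    return {p.relative_to(dest_dir).as_posix(): sha256_file(p)
            for p in sorted(dest_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_path, manifest):
    """A backup that has never been restored is a hope, not a backup:
    restore into scratch space and compare every hash with the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        return restore_backup(backup_path, scratch) == manifest


def simulate_ransomware(src_dir):
    """Constructed damage: overwrite each live file with junk and rename it."""
    for p in list(Path(src_dir).rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(64))
            p.rename(p.with_name(p.name + ".locked"))


def run_drill():
    """Back up, verify, get hit, restore. Returns the facts a practice manager
    would want on one line: was the backup good, did the live data die, did
    the restore match the manifest?"""
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as offsite:
        records = Path(live) / "records"
        records.mkdir()
        (records / "patient_0001.txt").write_text("constructed sample record 1\n")
        (records / "patient_0002.txt").write_text("constructed sample record 2\n")
        backup = Path(offsite) / "records.tar.gz"   # hypothetical offsite copy

        manifest = make_backup(records, backup)
        verified = verify_backup(backup, manifest)  # drill the restore before the incident

        simulate_ransomware(records)
        live_now = {p.name for p in records.iterdir()}
        damaged = bool(live_now) and all(n.endswith(".locked") for n in live_now)

        restored = Path(live) / "restored"
        restored.mkdir()
        restored_ok = restore_backup(backup, restored) == manifest
        return {"files_backed_up": len(manifest), "backup_verified": verified,
                "live_damaged": damaged, "restored_ok": restored_ok}


if __name__ == "__main__":
    print(run_drill())
```

The manifest comparison in verify_backup is the step most practices skip. It catches a backup job that silently stopped copying, an archive that was itself encrypted by the malware, and an extraction that produced fewer files than went in, all before the day you need it.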
Still, providers' greatest failing when it comes to cybersecurity?
"This belief that what providers have is good enough is a very risky proposition."