Ransomware groups have targeted hospitals for years, but they are also going after outpatient facilities and smaller providers.
While hospitals have endured the threat of attacks from ransomware groups for years, other providers are now targets as well.
Ransomware groups are going after ambulatory surgical centers, physician practices and specialty care groups, says Steve Cagle, the CEO of Clearwater, a cybersecurity firm.
“We’ve seen this trend for some time now,” Cagle tells Chief Healthcare Executive®. “It’s more attacks on specialty or ambulatory …. physician practice management, specialty care groups.”
Radiology centers, imaging centers, health clinics and dental clinics are also being targeted for attacks, Cagle says. More than 300 breaches of health data have already been reported to the Department of Health & Human Services in the first half of the year.
While they lack the size of a large hospital or health system, physician practices and outpatient clinics still hold a great deal of private health information, which can fetch high prices on the dark web. Imaging centers possess a wealth of data on patients being screened for cancer.
“In some cases, with imaging centers, they can really ransom that information for a lot of money because that’s some very sensitive data,” Cagle says.
Many multi-practice groups have grown through mergers and acquisitions, which can also lead to some vulnerabilities.
“They've got a lot of disparate technologies that may not have been consolidated. They're going through a lot of change,” Cagle says.
Cybersecurity analysts say that hospitals and large health systems will always be the targets of attacks, but they also say that smaller hospitals, rural hospitals and federally qualified health centers have the attention of ransomware groups.
Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council’s Cybersecurity Working Group, talked about the risks to health providers, including smaller facilities, when he testified before the Senate Health, Education, Labor and Pensions Committee last week.
“This threat is particularly acute for small, rural, critical access and underserved, under-resourced health providers that are operating on razor thin or negative margins and haven’t the capability to make sufficient investments in cyber preparedness and response programs,” Garcia testified.
The Cybersecurity Working Group highlighted those threats in a May report sent to the White House and the U.S. Department of Health & Human Services.
Jennifer Stoll, the chief external affairs officer of OCHIN, a collaborative of hundreds of safety net organizations, said more rural hospitals and federally qualified health centers need more support to defend against attacks.
“We're the least funded section of the delivery system, and we are the most vulnerable when it comes to cybersecurity,” Stoll told Chief Healthcare Executive® in a recent interview.
Outpatient facilities, physician practices and smaller hospitals may not yield a big payday for attackers, but ransomware groups view them as easier targets because they lack the money and manpower to invest heavily in cybersecurity, industry experts say.
Some smaller providers have to decide between putting more money into cybersecurity and buying equipment that helps them care for patients and could bring in more revenue.
“We see this every day with some of our smaller clients that have less budget or funding, and they have to make very hard choices,” Cagle says.
In his testimony before the Senate committee last week, Garcia called for a rapid response force that could use government authority to declare a “national cyber emergency,” including offering swift financial support and providing more capability to providers in crisis.
“This need is particularly important for the ‘target rich, cyber poor’ small, rural, critical access, Federally Qualified Health Centers and other resource-constrained health providers across the nation,” Garcia said in his testimony.
Retired Army General Paul Nakasone, the former leader of the U.S. Cyber Command, talked about the growing risk of cyberattacks aimed at rural hospitals at the HIMSS Global Health Conference & Exhibition in March.
“These rural hospitals have limited funds, have limited capabilities, and they are often the target of ransomware actors,” Nakasone said.