As computer technology advances, so do data breaches. Breaches happen all over the country to government entities, organizations and businesses of every kind. Over the past three years, health-care data breaches have doubled, and the average cost to repair damages and recover from a breach in the health-care industry has grown from $9.23 million in 2021 to $10.1 million in 2022.1 The health-care sector is the most targeted by these attacks: one analysis found that 76.59 percent of data breaches in the United States between 2015 and 2019 involved health-care service providers.2 With data breaches on the rise, how can ophthalmology practices prevent future cyberattacks?


Why Worry?

“Unfortunately, the number-one reason why health information is stolen is for some financial gain,” says Kesa Bond, PhD, an associate professor for the Health Services Administration and Policy at Temple University. “Bad actors can take the data that they gain, and they can either sell it on various black markets, they can commit medical identity theft, or they can commit fraud and abuse. For example, they may use the information that they gain in order to submit it for various claims and reimbursement, and it often takes a long time for insurance companies to catch up with the error. By the time they perform their audit and realize what has happened, those bad actors are already long gone with the money they’ve made, and they’ve done the damage that they wanted to do.”

What Dr. Bond is alluding to are ransomware attacks, data breaches in which the attacker demands a ransom for the stolen data. Ransomware attacks are prevalent among larger health-care organizations. In a 2022 cohort study examining trends in ransomware attacks on U.S. hospitals and clinics, researchers counted 374 ransomware attacks between 2016 and 2021, which exposed the personal health information of nearly 42 million patients.3 Almost half of these attacks (44.4 percent) disrupted the delivery of health care, with electronic system downtime being the leading consequence.3

The Department of Health and Human Services Office for Civil Rights publishes reports of most health-care data breaches, but smaller, independent practices are largely absent from them. According to its website, breaches of unsecured protected health information affecting 500 or more individuals are reported to its database. Because of this threshold, the cohort study cited above couldn’t provide statistics on ransomware attacks against smaller practices. Although smaller practices aren’t investigated and publicized as closely as larger ones, hackers and scammers still have an incentive to attack them.

“For the larger practice, of course, bad actors are going to get a bigger bang for their buck, but they also have a greater potential of bumping up against a lot of barriers which are going to stop them, at least that’s what I’d like to believe,” says Dr. Bond. “Whereas the smaller facility likely doesn’t have the budget or capabilities necessary to hold up their front end and keep those bad actors out. So, it’s really a game with these cyber adversaries of going for the low hanging fruit, no matter where that low hanging fruit is. For example, it was a myth that no one could break into an Apple computer. People believed the security system was so robust that it couldn’t happen. It’s not that it doesn’t happen, it’s that there’s so many layers, barriers and obstacles that the bad actors have to go through that they would rather go for the easier target rather than the harder target.”

The ways in which these bad actors infiltrate a system are simple, and it’s really easy to fall victim to their attacks. “The number one way that these actors are getting into our systems is through phishing,” says Dr. Bond. “Phishing is one of the direct paths into the system and in order to get into the system, you need an individual to complete an action. So, a phishing attack is coming by way of email, but in the phishing email, once the individual has clicked on the link or has given their information to the actor who has ‘socially engineered’ them—which is using information that they know in order to manipulate or trick the individual into thinking that the actor is who they say they are—then that’s when that attack is successful.

“Other ways that bad actors can get into the system are by penetrating the system itself. If a health-care organization isn’t implementing strong security practices—firewalls or encryption—this leads to wide-open information,” continues Dr. Bond. “And then a smaller method is through either lost or stolen devices. I personally don’t see bad actors going out of their way to steal a laptop, but they will. Just like any other crime—crimes of opportunity—if the information’s there, then they’re going to use it for their own good.”

On a larger scale in eye care, there have been major cyberattacks on electronic health records vendors and insurance companies. In December 2021, Eye Care Leaders, a provider of electronic health records and patient management software for eye-care practices, was attacked by hackers. The attackers stole information from Eye Care Leaders’ myCare Integrity EMR and deleted databases and files. A report from November 2022 noted that 3.6 million patients had their information exposed and 41 eye-care providers were affected.4

Another incident in eye care occurred in 2021, involving the 20/20 Eye Care Network, a health-plan provider. Now, in 2023, 20/20 Eye Care Network has reached a $3 million settlement to resolve claims from individuals affected by its data breach. Although the full scale of the attack couldn’t be determined, the company notified 3,253,822 individuals who were potentially affected. The attack was linked to the network’s Amazon Web Services cloud storage, from which hackers were able to download protected health information including names, Social Security numbers, health insurance information and more. The lawsuit filed against 20/20 Eye Care Network alleged that this amounted to a failure to comply with HIPAA guidelines and to adhere to cybersecurity standards.5


Preventing Data Breaches

It’s good to be prepared for potential data breaches, and preparation comes down to how willing the practice is to invest in its security. “It takes a significant amount of money to implement security tools, train individuals on the tools and hire IT professionals who have the skill set and the knowledge to continuously monitor this,” says Dr. Bond. “The organization should take the time to investigate what software would be best for them, and it’s important to note that this isn’t prescriptive, meaning there’s no such thing as one-size-fits-all. The organization has to invest in IT professionals who would be able to propose the best systems based on their unique situation.” She goes on to mention that not all IT professionals understand HIPAA guidelines, so it’s best to hire someone who is knowledgeable about health-care privacy and safety.

Phishing emails, as explained above, pose a major threat to personal health information, but there are ways to mitigate this. “An important tactic that some clinics have found success with is simulated emails,” says Dr. Bond. “A simulated email is when an employer intentionally sends a phishing email to one of their employees, and it’s a test to see if they follow through with it, if they report it, if they ignore it, and what they click on. It’s OK for them to fail. We want them to fail in this safe environment, but we don’t want them to fail when it’s real.”

Training employees on the proper response to phishing emails can be an issue for some clinics, since training can be costly. “Organizations aren’t willing to give their employees paid time to do this training and they’re also not willing to fund the training period,” says Dr. Bond. “We must conduct routine training. If we don’t train our employees, then we’re just waiting for the breach to happen.” Training doesn’t need to be a financial issue, as the Cybersecurity and Infrastructure Security Agency (CISA) offers free tools and extensive guidelines on how to train employees to recognize and avoid phishing emails.

“Every clinic should have a baseline security risk assessment,” continues Dr. Bond. “In the assessment, you’re making an accounting, almost like an inventory, of every place within your workflow that protected data exists.” Another measure a practice can put in place is a cyber incident response plan.

CISA has laid out basic steps to prevent ransomware attacks. One of those steps is to establish a basic cyber incident response plan. According to CISA, this plan is a written document approved by senior leaders of an organization that provides detailed steps for before, during and after a confirmed or suspected security incident.6

To reduce the chance of ever having to invoke that cyber incident response plan, CISA recommends mitigating vulnerabilities by following best practices for Remote Desktop Protocol (RDP) and other remote desktop services. Regularly scheduled vulnerability scans and software updates also reduce the number of exploitable weaknesses an attacker can use. Additionally, disabling or blocking the inbound and outbound Server Message Block (SMB) protocol, a client-server protocol used for sharing files and other resources on a network, and ensuring all security features are enabled can further mitigate attacks.7
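As an added illustration of how a practice’s IT staff could verify the host-level controls CISA’s recommendations above imply, the following PowerShell reads the RDP, SMB, firewall and patch state of a single Windows workstation or server and reports anything that departs from those recommendations. This is example code written for this article, not code from the article, from Dr. Bond or from CISA; it is read-only, the function name and report fields are this example’s own, and the 30-day patch-age threshold is an assumed value a practice would tune to its own patch cycle.

```powershell
# Added example (not from the article or from CISA): a read-only audit of the
# RDP, SMB, firewall and patching controls named in the text, for one Windows host.
# Run in an elevated PowerShell session. Function and field names are this example's own.

function Get-RdpSmbHardeningReport {
    [CmdletBinding()]
    param(
        # Assumed threshold: flag the host if no hotfix has been installed in this many days.
        [int]$MaxPatchAgeDays = 30
    )

    $tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpPath = "$tsPath\WinStations\RDP-Tcp"

    # RDP: fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    # UserAuthentication = 1 means Network Level Authentication is required, so a
    # caller must authenticate before a session (and its attack surface) is created.
    $rdpDisabled = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    $nlaRequired = (Get-ItemProperty -Path $rdpPath -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    # SMB: the legacy SMBv1 dialect should be off; required signing makes tampering
    # with file-share traffic detectable.
    $smb         = Get-SmbServerConfiguration
    $smb1Enabled = [bool]$smb.EnableSMB1Protocol
    $smbSigning  = [bool]$smb.RequireSecuritySignature

    # Firewall: any enabled inbound rule that allows TCP 445 (SMB) from the network.
    # A machine that is not a file server should have no such allow rule.
    $smbInboundAllow = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445' -or $_.LocalPort -eq 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object -ExpandProperty DisplayName

    # Patching: age of the most recently installed hotfix as a rough staleness signal.
    $lastHotfix     = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSincePatch = if ($lastHotfix) { [int]((Get-Date) - $lastHotfix.InstalledOn).TotalDays } else { $null }

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        RdpDisabled          = $rdpDisabled
        RdpNlaRequired       = $nlaRequired
        Smb1Enabled          = $smb1Enabled
        SmbSigningRequired   = $smbSigning
        SmbInboundAllowRules = @($smbInboundAllow)
        DaysSinceLastHotfix  = $daysSincePatch
        # Findings is empty when the host matches the recommendations above.
        Findings             = @(
            if (-not $rdpDisabled -and -not $nlaRequired) { 'RDP is enabled without Network Level Authentication' }
            if ($smb1Enabled)                             { 'SMBv1 is enabled; disable it' }
            if (-not $smbSigning)                         { 'SMB signing is not required' }
            if ($smbInboundAllow)                         { 'Firewall allows inbound TCP 445 (SMB)' }
            if ($null -eq $daysSincePatch -or $daysSincePatch -gt $MaxPatchAgeDays) { "No hotfix installed in the last $MaxPatchAgeDays days" }
        )
    }
}

# Usage: a non-empty Findings list is the signal to act on (or to hand to the IT professional).
Get-RdpSmbHardeningReport | Format-List
```

The script changes nothing; it only reads registry values, the SMB server configuration and firewall rules, so it is safe to run on a production workstation during a baseline risk assessment. A practice with many machines would run it from a management workstation against each host and keep the resulting reports as part of the inventory Dr. Bond describes.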

If a data breach occurs, then the cyber incident response plan should be enacted. Dr. Bond explains the basic protocol necessary if an incident occurs: “Any time an organization has 500 or more incidences from a data breach, then they must firstly notify the Office of Civil Rights who will begin an investigation. In addition to that, they must notify the media within 60 days. And, of course, you have to notify the patient that their information either was compromised or potentially compromised. The quicker you respond, the better off you’ll be.”

There are many tactics that can be implemented to strengthen cybersecurity, but as Dr. Bond mentioned earlier, there’s no such thing as one-size-fits-all. “We must establish a budget for cybersecurity, we must hire skilled IT professionals and we must conduct routine training,” she explains. “It’s very cliché, but we’re only as strong as our weakest link.”


Dr. Bond has no financial interests to disclose.


1. 2022 Healthcare cybersecurity year in review, and a 2023 look-ahead. OIS, HC3 2023. https://www.hhs.gov/sites/default/files/2022-retrospective-and-2023-look-ahead.pdf. 

2. Seh AH, Zarour M, Alenezi M, Sarkar AK, Agrawal A, Kumar R, Khan RA. Healthcare data breaches: Insights and implications. Healthcare (Basel) 2020;8(2):133.

3. Neprash HT, McGlave CC, Cross DA, et al. Trends in ransomware attacks on US hospitals, clinics, and other health care delivery organizations, 2016-2021. JAMA Health Forum 2022;3(12):e224873.

4. Alder S. Eye Care Leaders hack impacts millions of patients. The HIPAA Journal 2022. https://www.hipaajournal.com/eye-care-leaders-impacts-millions-of-patients/.

5. Alder S. $3 million settlement proposed to resolve 20/20 Eye Care Network data breach lawsuit. The HIPAA Journal 2023. https://www.hipaajournal.com/3-million-settlement-proposed-to-resolve-20-20-eye-care-network-data-breach-lawsuit/.

6. Incident response plan (IRP) basics. CISA 2023. https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf. 

7. Protecting sensitive and personal information from ransomware-caused data breaches. CISA 2021. https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf.