The healthcare sector—and ophthalmology and optometry in particular—are increasingly in the crosshairs of ransomware.
Cyberattacks are on the rise—and nowhere more so than in the medical world. Ransomware attacks, in which hackers lock away critical patient information and other data until they are paid off, are the weapon of choice.
An increasingly sophisticated contingent of "big game hunter" cybercriminals is targeting larger organizations and reaping heftier ransoms than ever. In the worst-hit industries, such as healthcare, 50-80% of firms are attacked annually [1]. In 2023 alone, malware caused system crashes and/or data blackouts at 46 US hospitals, resulting in patient volume reductions as high as 25% [2].
Ophthalmologists and optometrists in particular are starting to come under heavier fire from these damaging and highly sophisticated attacks. Perpetrators and their tactics are evolving. The good news, however, is that the defensive measures available to eye care practitioners are evolving along with them—and understanding the nature and scope of the threat is key.
Information super…highway robbery?
Day 3 at ASCRS 2024: an afternoon symposium on eye care in the digital age. Experts have gathered to discuss everything from modern digital productivity solutions to artificial intelligence and the blockchain. But one particular topic dominates the discussion—cyber security.
One of the presenters is Dr. Sydney Tyson, the founder of Eye Associates & Surgery Center of Vineland (New Jersey, United States). His practice is part of a larger, thriving regional enterprise spanning 60 offices and 180 doctors, and a robust, dedicated IT team guarding its network.
He got hacked anyway.
“I know what you’re thinking–that I clicked on an attachment from my long-lost Nigerian uncle who wanted to send me millions of dollars, right?”
“It all started as a quiet, regular day: March 22. My company used a particular software that has EPM (electronic practice management) connected to EHR (electronic health records) together–not separate,” he began.
“We started noticing some latency issues. Logging in was a little difficult. We opened a ticket. IT acknowledged, ‘We’re on it. Don’t worry: you’ll be fully restored by EOD.’ The next day the EPM/EHR went dead. We had to pivot to paper.”
What followed was a simultaneously raucous and nightmarish tale of insurance companies, cyber forensics, and fear for his patients and the future of his practice—and one that mounting numbers of Dr. Tyson’s colleagues are starting to find all too familiar.
Cybercrime, evolved
Wes Strickling, CEO of codexIT, a healthcare cyber solutions company, has seen his fair share of such scenarios. We asked him to explain how most firms get hacked.
“The most common threat vector is email. I would say 90-95% of these are set up through an initial exploit vector that is a phishing email–usually a bogus invoice or tracking link,” he said.
As evidenced by Dr. Tyson’s tale, phishing has come a long way from the Nigerian uncle or prince scams of old. “You used to be able to spot a phishing email by the bad grammar, misspellings or awkward sentence structure,” Mr. Strickling said. “That’s just not the case anymore. They’re even tailored to individual departments,” he added.
According to Mr. Strickling, today’s bogus emails and related strategies are the handiwork of organized, professional cybercriminals. They work in groups with management structures that resemble a modern corporation more than a crime syndicate. And as they use technologies such as AI and spoofing to elude spam filters, and design custom exploits to infect phones and tablets as well as computers, more and more victims are being forced to pay up.

Health scare
Ransomware has become the malware du jour. It doesn’t merely cripple systems or turn them into zombies like the hacks of yesteryear. Instead, these programs lock vital software, operating systems and data behind a wall of encryption, then fire off a ransom note: pay up if you ever want to see your data again.
So why healthcare?
The key is the nature of the data. “Our data is twenty times more valuable to a criminal than any other because it’s non-fungible,” said Dr. Tyson. “It’s not like a credit card where you can just shut it down–and we’re legally liable for it.”
Mr. Strickling sees this value combining with a special kind of vulnerability to make healthcare practices the perfect target. “It’s the least guarded of the most valuable data,” he said. “You’ve got social security numbers, drivers’ licenses, pictures–all potential fodder for insurance or identity fraud.”
In no other industry does control of privileged information offer greater leverage over the target. Like hospitals, no small practice can operate effectively without it.
Exfiltration attacks, which smuggle data off the host network, are even more problematic. Although unusable, encrypted data retained on site is still technically in a firm’s possession. If data is spirited away, however, the United States Department of Health and Human Services (HHS) considers the attack a breach.
In the event of an exfiltration attack, the possibility of malicious actors selling the data for even more profit adds a new level of danger to an already volatile situation. For such breaches, all medical practices, regardless of size, are liable under HIPAA legislation for any and all PHI losses. Penalties range from $1,000 to $50,000 per violation–even if the breach is not found to have resulted from willful neglect.
Thus medical practices are uniquely incentivized to pay the ransom. By Strickling’s estimate, almost all—if not all—do.
Dr. Tyson’s case is the exception that proves the rule. By unilateral decision, his practice’s IT provider chose not to pay. The resultant loss of files triggered a protracted round of investigations, hearings and bad PR before the matter was finally settled—a significant loss compared to the initial ransom amount.
Eye care more
Unfortunately for ophthalmologists and optometrists, attacks on eye care practices like Dr. Tyson’s are heating up—even compared to the already oft-targeted healthcare space. According to Mr. Strickling, the ‘why’ is in the singular nature of the specialty.
“In eye care, even a small office is going to have maybe five or six pieces of diagnostic equipment–each of which is connected to the network and creating PHI. No other sub-specialty has so many moving parts,” he said.
From OCT machines to slit lamps, biometers and more, there are few, if any, other branches of medicine with so many discrete yet interconnected devices. According to Mr. Strickling, the preponderance of such machines in eye care explains why even comparatively larger practices–like Dr. Tyson’s–are actually more vulnerable.
“They don’t have all of their machines documented and backed up, so there are these little pockets of protected health information and islands of non-compliance floating around their practice,” he said.
This all adds up to one thing. Mr. Strickling believes that no other medical branch is more exposed to cybersecurity threats. A large number of highly connected devices, most of them in office settings with limited resources compared to large hospitals, creates a perfect storm of sorts, with eye care at the center.
Taking action
Ransomware attacks are not going away anytime soon, and especially not in the eye care realm. As yet no technical solution has been found to defeat an attack without loss of data.
It’s not all doom and gloom, though. There is plenty that can be done, and Mr. Strickling was candid about measures that eye care practitioners and their staff can take.
The first is simple. “Do you have an air gap—a backup system beyond the reach of the malicious threat actor? Have you kept it up to date?” he asked. “If so, you can just delete and reboot,” he recommends.
This is just one of many things that can be found in an external tech audit, according to Mr. Strickling. “The number one thing is to have a thorough security risk assessment done by an external company. You can do them in house, too, but every so often you should have a new set of eyes,” he said, noting that as a full-service digital services provider with top-shelf cybersecurity offerings, he even recommends such measures regularly to his own clients.
Aside from the gaggle of interconnected devices typical in eye care practices, Mr. Strickling believes that staff are another major source of vulnerability. “You should also have security trainings with a regular cadence to create a culture of awareness,” he recommended.
One exercise in particular stands out to him. “Simulated phishing exercises are crucial,” he said, referring to an exercise in which a practice itself will create fake emails to put staff to the test.
As for eye care-specific advice, Mr. Strickling stresses diligence in leaving no open access ports. The latest software updates and security patches should be installed on all computers and diagnostic machines on the network.
To limit exposure to exogenous threats, he advises vigilance from the very beginning of the cybersecurity journey. “Only deal with publicly traded security vendors with large R&D budgets,” he stressed. “Avoid small and medium-sized business tools. Invest in EDR (endpoint detection and response) that does more than keep out known bad actors.”
One advantage of larger vendors is that they leverage some of the same advanced technologies that hackers do, turning the tables. He pointed to advanced artificial intelligence-based algorithms as one example. “If your billing manager is logging in with the right credentials but from Estonia at 3AM–that’s aberrant behavior. [Services from larger vendors] will flag that,” he said.
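The “right credentials, wrong place and time” check Mr. Strickling describes is, at its core, a comparison of each successful login against a per-account baseline. The following Python is an added illustration of that idea, not code from the article or from any vendor product mentioned in it: the login events, the account names and the baseline of usual countries and working hours are all constructed for the example, and a real deployment would build the baseline from weeks of observed logins and attach the rule to authentication logs from the EHR/EPM, VPN or identity provider.

```python
from datetime import datetime

# Constructed sample of successful login events (hypothetical; not from the article).
# In practice these would come from the EHR/EPM, VPN or identity-provider audit log.
SAMPLE_LOGINS = [
    {"user": "billing_mgr", "time": "2024-03-22T09:15:00", "country": "US", "success": True},
    {"user": "billing_mgr", "time": "2024-03-22T14:02:00", "country": "US", "success": True},
    # Valid password, but from Estonia at 03:07 local time: the scenario in the quote.
    {"user": "billing_mgr", "time": "2024-03-23T03:07:00", "country": "EE", "success": True},
    {"user": "front_desk", "time": "2024-03-23T08:30:00", "country": "US", "success": True},
    # Same country as usual, but well outside the practice's hours.
    {"user": "front_desk", "time": "2024-03-23T23:45:00", "country": "US", "success": True},
    # A failed attempt is left to lockout / brute-force rules, not this check.
    {"user": "front_desk", "time": "2024-03-23T23:50:00", "country": "RU", "success": False},
]

# Assumed per-account baseline: countries the account normally logs in from and the
# local hours [start, end) during which it normally works. Hypothetical values.
BASELINES = {
    "billing_mgr": {"countries": {"US"}, "hours": (7, 19)},
    "front_desk": {"countries": {"US"}, "hours": (7, 19)},
}


def login_anomalies(events, baselines):
    """Return (event, reasons) for each successful login that departs from its baseline.

    An account with no baseline at all is flagged too: an unknown account that can
    log in is itself something an administrator should look at.
    """
    flagged = []
    for ev in events:
        if not ev["success"]:
            continue
        base = baselines.get(ev["user"])
        if base is None:
            flagged.append((ev, ["no baseline for account"]))
            continue
        reasons = []
        ts = datetime.fromisoformat(ev["time"])
        if ev["country"] not in base["countries"]:
            reasons.append(f"unexpected country {ev['country']}")
        start, end = base["hours"]
        if not (start <= ts.hour < end):
            reasons.append(f"outside working hours ({ts.hour:02d}:{ts.minute:02d})")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def severity(reasons):
    """Two independent deviations (place and time) warrant a higher priority than one."""
    return "high" if len(reasons) >= 2 else "medium"


if __name__ == "__main__":
    for ev, reasons in login_anomalies(SAMPLE_LOGINS, BASELINES):
        print(f"[{severity(reasons)}] {ev['user']} at {ev['time']} from {ev['country']}: "
              + "; ".join(reasons))
```

Run against the constructed sample, the rule flags the Estonian 3AM login as high severity (wrong country and wrong hours) and the late-night front-desk login as medium (hours only), while the routine daytime logins and the failed attempt pass through untouched. The point of the baseline is that it is per account: a locum ophthalmologist who covers evening clinics would get different hours than a billing manager, which is what keeps the alert from becoming noise.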
Making one’s own luck
Ultimately, these measures are made all the more necessary by the structure of liability and the large share of it the practice itself must bear. Help is not exactly on the way, either. Mr. Strickling believes relaxing HIPAA regulations in no-fault cases would offer some relief, but admits the issue has little traction in the present Congress.
Fair or not, eye care practices are largely on their own in the current ransomware landscape. It thus remains critical for healthcare firms to stay abreast of best practices and one step ahead of would-be malicious actors. And thanks to a new wave of technology and a blossoming marketplace full of firms like Mr. Strickling’s, the upper hand against ransomware has never been easier to gain.
Editor’s Note: The 2024 Annual Meeting of the American Society of Cataract and Refractive Surgery (ASCRS 2024) was held from 5 to 8 April in Boston, Massachusetts. Reporting for this story took place during the event.
References
- Kilday, Colleen. “Ransomware Attacks Target These 5 Sectors Most.” Drata, January 23, 2024. Available at: https://drata.com/blog/ransomware-attacks-target-these-sectors-most Accessed on May 1, 2024.
- Adler, Steve. “At Least 141 Were Hospitals Directly Affected By …” The HIPAA Journal, January 4, 2024. Available at: https://www.hipaajournal.com/2023-healthcare-ransomware-attacks Accessed on May 1, 2024.