Feature

How to Defend Yourself Against Scams and Cyberattacks

From classics such as embezzlement to the new frontiers of phishing and ransomware, here's what you need to know to protect yourself from people who are trying to steal money, information, and data from you and from your patients and clients.

By Katherine Malmo | August 2018

Bank robber Willie Sutton, when asked why he robbed banks, is reported to have said "Because that's where the money is." While the statement's authenticity is uncertain, its lesson is proven: Scammers and thieves follow the money. And there's plenty of money in health care.

Many scams, such as embezzlement, aren't new. Any time money changes hands there's a possibility some employees will help themselves. But now, with the Internet changing the way we communicate and share information, a new breed of criminal has emerged. From predatory journals that erode the scientific process to phishing and ransomware, there are plenty of dangers to watch for.

Cyber Threats

Cyberattacks are becoming alarmingly routine. Prevalent across all industries, they are especially common in health care. Per an American Medical Association report last year on cyber threats in health care, 83% of physicians said they had experienced some form of cyberattack—ranging from a breach of patient health information to a ransomware-related network shutdown.1 In fact, these attacks have become so common that Robert Latz, PT, DPT, says, "The question is less if there will be a breach and more what to do when the breach happens." Latz is the chief information officer of Trinity Rehab Services and president of the technology special interest group of APTA's Section on Health Policy and Administration (HPA The Catalyst).

Why are so many cyberattacks aimed at health care?
"The important role of information-sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety," American Medical Association President David O. Barbe, MD, MHA, noted in a recent statement.2

One type of cyber threat involves data breaches. These happen primarily through theft of devices such as tablets and phones, holes in network firewalls that allow malware to sneak inside, and phishing scams in which employees click on corrupt links or otherwise unwittingly provide critical information.

"Breaches are happening everywhere in health care. We know that," Latz says. "But I'm not seeing or hearing about many reported instances in physical therapy. Why is that? It's possible that some practices may not have done all their due diligence. There's a lot of stuff going on that people don't even know is happening."

Malware—short for "malicious software"—is any software that brings harm to a computer system. Malware can be in the form of worms, viruses, Trojan horses, spyware, adware, and rootkits, which can steal protected data, delete documents, or add software not approved by a user.3 [See "A Glossary of Hacking Terms" below for definitions of these and other threats.] The malware can be in place for several weeks or months without being exposed. "Cybercriminals almost certainly are pulling data from networks around the world right now without detection," Latz points out.

Another possible reason that he isn't hearing more about data breaches in the physical therapy space, Latz speculates, is that many victims of cyberattacks don't want to share their experiences. Take "Megan Walters, PT, DPT," for example. "Walters" (a pseudonym) works in the Midwest. She was hesitant about sharing her experience with PT in Motion because she didn't want to risk exposing her employer or endangering her job.
"I found out a few months ago that some of my coworkers had had tax returns filed fraudulently," Walters says. "I learned of multiple instances and proactively called the Internal Revenue Service. Someone had filed a return in my name, too. At the state level, an official called me because the person who had filed asked for a refund, and I always owe money. They realized that something was owed."

"When enough of us had gone to our employer, they sent out a communication that referred to the other employees and said that fraudulent bank accounts had been set up [to receive tax refunds]." The employees were told to be on the lookout, and, if they found something amiss, to notify the police and the Federal Trade Commission (FTC).

This type of attack, in which employee records are stolen to divert paychecks or file fraudulent tax returns, is known as a W-2 phishing scam.4 Health care organizations are the largest sector to be hit, accounting for 28% of all targets. Education captures the second spot, at 18%.

Victimized companies should respond quickly to this type of attack, Beazley Insurance Services explains in its 2018 Breach Briefing: "A distinguishing feature of W-2 phishing incidents is the speed with which criminals use the information. Because they are trying to file tax returns before the incident is discovered—and before the real individuals file their legitimate tax returns—the criminals begin using the W-2 information within days if not hours of obtaining the documents." This means that a victimized organization has only a short window of time to notify its employees and provide them with the information they need to prevent their information from being misused.4

Walters and her colleagues were referred to a government identity theft website and given a year of free credit monitoring services. Walters doesn't think that's enough. "To say it is an inconvenience is an understatement," she says.
"There are the initial ramifications of police and FTC involvement, and the multiple hours required to meet their needs. Then there are the credit bureaus to deal with and the need for additional security for investment accounts. Now I'm getting collection notices from tax preparation services. I've filled entire notebooks."

Because the patients and employees whose information has been compromised bear so much of the burden of a cyberattack, Latz says that ensuring good communication is one of the most important things an organization can do. "After a breach," Latz says, "employee anxiety goes up tenfold, and so does the risk of legal action."

"I personally, and in discussions with coworkers, feel like communication has been lacking," Walters says. "We don't know if this has been investigated and, if so, how thoroughly. Maybe the lack of communication is due to ongoing investigation and culpability of the parties. But if that's the case, tell us. We don't know how the breach occurred."

Usually, according to Beazley, such breaches involve the scammer impersonating a high-level officer at an organization and requesting, then acquiring, copies of the organization's W-2 form by deceiving a human resource or finance department employee into believing the request is legitimate.4

Of course, the cost of a cyberattack also is high for the organization. According to the 2017 Ponemon Institute Cost of Data Breach Study, the average cost of repairing the damage for businesses based in the United States—adding up communication fees, help desk activities, investigation costs, and legal costs—is $225 for each stolen record. The average cost for health care organizations? Significantly more than that—$380.5 More than half the data breaches—52%—are attributable to malicious or criminal attacks, according to Ponemon. System "glitches" and human error each account for 24%.
Perhaps this is why—according to Bill Wilson, vice president of sales and marketing for PT One Insurance Solutions—data breaches are the primary concern for chief executive officers in America today across all industries. Furthermore, the cost of such a breach can be so damaging that 60% of small businesses close after a cyberattack, he notes.

Ransomware

One day in January of this year—with night falling, an ice and snow storm outside, and flu raging—staff at Hancock Health in Greenfield, Indiana, noticed their computers seemed to be running more slowly than usual. A short time later, computer screens flashed a message: parts of the system had been locked and would be unlocked only if a ransom was paid. About 1,400 files were affected. The hackers demanded a payment of about $50,000 to unlock the files.6,7

After consideration, the hospital decided to pay. "We were in a precarious situation at the time of the attack. With the ice and snow storm at hand, coupled with 1 of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients," said Hancock Health chief executive officer Steve Long.6 "Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations."

The hospital made the payment the next evening. Three days later, it was back online. It should be noted, though, that there's never a guarantee the hackers will keep their word to unlock the files.

Ransomware is the fastest-growing threat to cybersecurity. According to the Beazley Breach Briefing, such incidents in 2017 rose 18%. And health care was the most frequently targeted sector, accounting for 45% of all incidents. Financial services and professional services, each accounting for 12% of ransomware incidents, held the next 2 positions.4

There are a few key reasons health care is such a popular ransomware target.
First, computer systems are critical for daily operation. Second, medical centers and offices often are slow to adopt new technology and security solutions. Their older infrastructures are easier for hackers to penetrate. The WannaCry ransomware attack that occurred in May 2017 sneaked into the networks of many medical centers and clinics through a security hole in outdated Windows systems. On the first day alone, it targeted more than 200,000 computers as hackers demanded money to put systems back online.8 The ransomware that struck Hancock Health—a different program known as SamSam—came through an administrative account for a hospital vendor.

What is a practice to do if it's the target of a ransomware attack? Often, prompt payment is the fastest and best course of action. "In my opinion," Latz says, "you pay it, and once it's paid, you go in and clean, wipe, and address the hole as quick as you can. Because if they got in once, they can get in again. There have been situations in which hackers got in once and the hospital paid, I think, a small fee of $1,000. The hospital got its system back. Four days later, however, the same group struck again. This time they demanded $10,000. The attacker basically said, 'If you don't fix it this time, next time it'll be $100,000.' The thing that's interesting—and sobering—is that they could have charged $100,000 the very first time."

Wilson points out that cyberattacks aren't covered as part of general liability insurance. He suggests that physical therapy practices consider purchasing cyber liability policies to cover costs associated with ransomware threats, data breaches, and malware. "Recently," Wilson says, "we were involved in a situation in which somebody experienced a ransomware attack. It was a breach, and the attackers demanded $18,000. In that case, the authorities were notified and the demand for $18,000 was paid for by insurance."
Fraudulent Recruitment

While data breaches can be broad and damaging, fraudulent recruitment scams are close cousins that also are especially popular in health care. They're often targeted at recent graduates, but some are aimed at workforce veterans. The ones aimed at students and recent graduates often work like this:9

1. Scammers post online job advertisements.
2. The student is informed that certain purchases are required but that the "employer" will send a check to compensate for the required resources.
3. The student receives a check and is instructed to deposit it in his or her personal checking account.
4. The scammer then instructs the student to withdraw the funds from the checking account and send a portion, via wire transfer, to the "vendor," who purportedly will provide the equipment, materials, or other items necessary for the job.
5. The check sent by the scammer turns out to be fraudulent. However, the student's money has been sent before it's apparent that the check from the "employer" was no good.

The FBI warns that the student is responsible for reimbursing the bank the amount of the counterfeit check. The student's bank account may be closed due to fraudulent activity, and a report could be filed by the bank with a credit bureau or law enforcement agency. And the scammers often obtain personal information from the student while posing as an employer, leaving them vulnerable to identity theft.

The FBI offers these tips to help identify the scam:

- Never accept a job that requires depositing checks into a personal account or wiring portions to other individuals or accounts.
- Many of the scammers are not native English speakers. Look for poor use of the English language in emails such as incorrect grammar, capitalization, and tenses.

Some scams add an additional level of sophistication to their efforts. They create fake job listings, websites, and recruitment emails for well-known and reputable businesses.
The primary goal, in fact, may be to collect personal data from applicants. These fake listings may request Social Security and banking information, or money for training materials, uniforms, or seminars.

Concentra, a national health care company with more than 530 centers in 44 states, issued a warning last year that it had been informed "that scammers are using the company's name to mislead individuals who believe they are applying for an opportunity with Concentra or receiving a job offer from Concentra. This scam and those behind it have even taken images and names from Concentra's recruiting team, and use email addresses that contain the word 'Concentra.'" It cautioned: "Those behind this may ask job candidates to send money at some point…A legitimate Concentra recruiter or hiring manager will never ask you to send money. Also, you will never receive a job offer from Concentra if we have not verbally interviewed you."10

Kindred Healthcare issued a similar notice, stating in part: "There have been candidates contacted by individuals who are falsely representing themselves as Kindred Healthcare executives and recruiters. The candidates have been contacted from email addresses that do not contain the Kindred.com, Gentiva.com, or RehabCare.com domain and via text messaging stating that they qualify for a position. Upon going through the process, candidates are offered a position and then are being asked to send money to an address in order for Kindred to purchase equipment."11 Kindred continued, "Representatives of Kindred Healthcare, any of its hospitals, nursing centers, Support Center, Rehab Care, Kindred at Home or any of its affiliates will never ask for cash, check, money order, or bank information of any candidate and will not employ the use of third-party domain email addresses (Yahoo, Google, etc) or send personal text messages to communicate or to extend offers."

Embezzlement

Embezzlement—the act of stealing assets, usually money—is an age-old scam.
Frank J. Rooks, PT, who once was a practicing therapist and now works as an attorney providing legal and consulting services to physical therapy and medical practices, caught an embezzler when he oversaw the billing and collections departments of an 18-facility physical therapy practice.

"This person was taking cash copayments," Rooks says. "The patient would pay in cash, but the payment never made it to the billing office. We had cash bags. If people paid by credit card, check, or cash, it all went into a cash bag and to the billing office. Then it posted to the system. The person who embezzled from us was unsophisticated. She pocketed the cash, and that triggered a patient balance. The patient would be sent a bill. He or she then would call us to say cash had been paid, but we had no record of it.

"It's always possible that things get lost," Rooks continues, "but the billing collector talked to 5 people who said they paid cash at the same practice location, and there were no records of these payments." The company installed a hidden camera that caught the perpetrator pocketing the money. "It was taken little by little," Rooks noted, "not enough to notice all at once."

Rooks recommends that every practice take several protective steps. First, encourage payment by credit card or check rather than cash, and make sure all patients are given a receipt for every transaction. Second, segregate billing functions. "You don't want the same person to be able to pocket the cash and then write off the bill so that no open balance exists," Rooks says. "The person we caught didn't have access to billing to cover her tracks." Third, have an employee in charge of billing account balance and reconciliation who doesn't actually do any billing.

"If you catch someone, it is a criminal offense," Rooks says. "It depends on the magnitude of the offense if you want to press charges.
There are time and aggravation factors in filing a police report, pressing charges, and meeting a court date. It depends on how much is stolen whether the effort is worth it."

Predatory Publishing

It used to be that research papers would be accepted by scientific journals only after a rigorous and time-consuming peer-review process that often yielded major suggestions and identified areas of weak science or research. It was a process that tested and safeguarded the integrity of public information. With the advent of the Internet and open access, however, a new breed of journal has appeared—the predatory publication.

"A predatory publication," says Chad Cook, PT, PhD, "doesn't follow the traditional peer-review process for scientific manuscripts. In essence, it just pushes a paper through, typically for a fee, and without any true scientific oversight." Cook is the program director for Duke University's Doctor of Physical Therapy Program. He also is editor of "Viewpoints" in the Journal of Orthopaedic & Sports Physical Therapy (JOSPT).

Questionable publications typically result from open-access publishers using the "gold" (author pays) model. In gold open access, published research is free to readers, with the publishing costs financed by fees charged to authors upon acceptance of their submitted articles. In return for a payment from the authors, a predatory publisher will almost immediately publish the manuscripts in its open-access journal.12

Not all open-access journals, however, are predatory. As Jeffrey Beall, a librarian at the University of Colorado-Denver, explains, "Theoretically, there's nothing wrong with this model (publishers who use open access but require authors to pay once their papers are accepted), especially because it makes published research free to all readers, including those who are unaffiliated with academic libraries and who live in developing countries.
In fact, several legitimate journals use an open-access model either exclusively as a publishing method or as a choice within a standard structure [with an associated fee]."11 But, Beall adds, "The quick and easy acceptance that predatory and low-quality journals offer is a threat to medical science."

Often these publications have legitimate-sounding names that can fool researchers and readers alike. "Legitimate authors are being conned into submitting their work, but, when it's published," it often goes into a "black hole" where no one ever reads it, Cook says. "Readers, if they do get access to it, will read it as if it's a legitimate scientific paper, when in reality it has had no oversight and no peer review. And the public is duped. People often forget where they receive information. Legitimate sources of information are weighed against these predatory sources."

"Clara Patterson, PT, DPT" (again, a pseudonym), practices at a sports medicine clinic affiliated with a university in the southeast US. She is a legitimate author whose name ended up appearing in a predatory journal. Here's what happened: She participated in a study years ago. When it was complete, she and her colleagues submitted their research to several scientific journals. But their paper was rejected. Then the lead author moved out of state.

"I assumed," Patterson says, "that we were going to let it fade into oblivion and not do anything more with it. Then I received an email from a colleague saying he found my name in a predatory journal. I asked, 'What journal? And what article? What are you talking about?' I really had no idea."

Perhaps because of the dubious success of these predatory journals, their numbers are on the rise. According to an analysis cited in JOSPT, they have grown in number by 600% in the last 4 years.13 "What is most astounding," Cook comments, "is that really talented people submit to these publications.
The number 1 funding source for publishing in predatory journals, a recent study found, is the National Institutes of Health [NIH]. So, NIH dollars are being spent for authors to submit their work to predatory journals."

Cook adds that 1 of his students traced the addresses associated with a few predatory publications and found they led to residential houses. "So, it's not even a publishing company," Cook says. "They're running this fake series of journals out of their home. It really is shady."

To avoid such publications, Cook suggests that readers and researchers first determine whether the publication is affiliated with a legitimate scientific group or professional society. Second, he advises, researchers should communicate with their well-published peers who can help them navigate the world of peer-reviewed publications. Third, many peer-reviewed publications are accepted into the NIH National Library of Medicine's Medline database, a standard most strive to achieve. Not all reputable journals are indexed in Medline, however, so it is not an exclusive list.

The Next Frontier

What will be the new frontier for the world of health care scamming, particularly in rehabilitation? "You never know what's going to come next," Wilson says. "A few years ago, when I gave a presentation at APTA's Combined Sections Meeting, we didn't talk about ransomware. Now we do. What's going to be the next thing that scammers are going to go after?"

A moment later he answers his own question. "Now they're going after digital medical equipment," Wilson says. "There have been a couple breaches that involved theft of an X-ray machine or CT scan that contained patient information."

Latz agrees that this is an emerging front. "One thing that is happening now is that folks are stealing mobile devices," Latz says. "As organizations, we need to have our mobile devices safeguarded with whole-disc encryption.
If we don't, and somebody steals the device, they can get in and get any report that's been opened on our computer at any time."

New scams also are targeting demographic and regulatory changes. For example, the Centers for Medicare & Medicaid Services (CMS) is issuing new Medicare cards—replacing Social Security numbers with a new Medicare Beneficiary Identifier. CMS says, "The biggest reason we're taking the SSN off of Medicare cards is to fight medical identity theft for people with Medicare."14

However, that's opened up new opportunities for scammers. As the FBI explains, "Of course, with a new system there are always scam artists looking for ways to cash in. If you receive a call, email, or visit from someone asking for personal information about your Medicare number or plan, about your new card, or about your Social Security number, it is likely a scam…You do not have to pay for the new card, either. Another potential twist on this scam: seniors who are told they have a refund due on their old card, which the caller is happy to process as soon as he gets your bank account information."15

Katherine Malmo is a freelance writer.
A Glossary of Hacking Terms

Adware: A form of malware (see "Malware"), adware is the name given to programs designed to display advertisements on your computer, redirect your search requests to advertising websites, and collect marketing-type data about you.

BEC (business email compromise): A social engineering attack (see "Social engineering") in which a cybercriminal uses compromised email credentials or spoofing to induce an employee to make a wire transfer or other electronic payment to a bank account controlled by the cybercriminal—or, in some cases, to transfer sensitive data such as W-2 forms.

Malware: A malicious piece of software or code intended to steal data or credentials, log keystrokes, enable unauthorized access, or otherwise create a risk to the confidentiality, integrity, or availability of data, a network, or other computer resources.

Phishing: A form of social engineering in which the attacker, posing as a trusted party, sends an email designed to induce the recipient to share sensitive information such as a username and password, to download malware, or to visit an infected website.

Ransomware: A type of malware used in cyber extortion that encrypts data so that it is unusable unless the victim pays a ransom for the decryption key.

Rootkits: A type of malware—either a single program or a collection of software tools—that gives a threat actor remote access to and control over a computer or other system. Most rootkits open a back door on victim systems to introduce viruses, ransomware, keylogger programs, or other types of malware, or to use the system for further network security attacks.

Social engineering: Techniques used by attackers to manipulate someone into providing confidential information (such as login credentials) or taking other actions that bypass normal security and assist the attacker in committing theft or fraud.
Social engineering may occur in person, but the primary means are by phone and email.

Spoofing: Impersonating a trusted sender, such as another employee, by modifying the apparent source of an email or other electronic communication.

Trojan horses: A form of malware, Trojan horses are software programs that masquerade as regular programs, such as games, disk utilities, and even antivirus programs.

Virus: A form of malware, a virus is a piece of computer code that is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.

Worms: A form of malware that is self-replicating, duplicating itself to spread to uninfected computers.

Source: 2018 Breach Briefing. Beazley Insurance Companies. www.beazley.com/bbr.

Tips to Prevent a Cyberattack

Here is some advice on how to prevent a cyberattack.

Training. The Department of Justice's Office of Civil Rights (OCR) recommends training employees to be wary of unsolicited third-party messages seeking information, of messages even from recognized sources, and of clicking on links or downloading attachments.1

Multi-factor Authentication. The OCR also recommends using multi-factor authentication for system logins instead of a single, more easily hackable password. This can include physical security (an employee card or token), logical/knowledge base security (often a PIN or password), and biometric security (fingerprints, retinal scan, or voice). Systems requiring only 2 forms of authentication also are termed "2-factor authentication."

Firewalls and Anti-Virus Software. Bill Wilson, vice president of sales and marketing for PT One Insurance Solutions, and Robert Latz, PT, DPT, both recommend that IT departments invest in network security—firewalls and up-to-date antivirus software that will scan for known viruses and bugs. Latz says, "The question is less if there will be a breach and more what to do when the breach happens."
Latz is the chief information officer of Trinity Rehab Services and president of the technology special interest group of APTA's Section on Health Policy and Administration (HPA The Catalyst).

Encrypt. Wilson recommends whole-disc encryption for tablets and mobile devices.

Risk Assessment. The US government requires health care organizations to conduct annual security risk assessments. An online template guides users through the process and addresses many of the greatest risks. (www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment)

Ransomware Response. IBM's Ransomware Response Guide provides tips for avoiding ransomware attacks. (www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03095USEN)

System Protection. The Beazley 2018 Breach Briefing includes valuable information on how to protect computer systems. (www.beazley.com/documents/Whitepapers/201802-beazley-breach-briefing.pdf)

Source: 1. Phishing. Office for Civil Rights, US Department of Health and Human Services. February 2018. https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-february-2018.pdf. Accessed June 12, 2018.

APTA's Integrity in Practice Program

While most physical therapists (PTs) provide high-quality and ethical care, APTA has created a program, Integrity in Practice, to help those who work with ill-informed or dishonest practitioners.1 The campaign's mission is "to help physical therapists navigate complex regulations and payment systems by making tools and resources available to encourage and promote evidence-based practice; ethics; professionalism; prevention of fraud, waste, and abuse; and more."

"The goal of the program," explains Anita Bemis-Dougherty, PT, DPT, "is to get PTs to think about what is compliant, what the regulations are, how they can be compliant, and how to stand up to administrators who maybe want them to overcharge or overbill for services.
Some therapists had been saying they were afraid of losing their jobs if they didn't do what they were told to do, even if it was not ethical. Now members can call APTA and ask for advice. Of course, we can't give legal advice, but we can certainly provide documentation guidelines, regulations, and information on who to contact to do things appropriately." Bemis-Dougherty is APTA's vice president of practice.

The Choosing Wisely campaign, a result of APTA's partnership with the American Board of Internal Medicine, provides scientific, evidence-based recommendations to help patients and PTs make smart decisions about care.

Preventing Fraud, Abuse, and Waste: A Primer for Physical Therapists is a free guide that outlines laws and regulations, as well as the PTs' proper relationship with payers, referral sources, and patients.2

APTA also offers a series of webinars designed to ensure compliance and prevent fraud. Should other efforts fail, whistleblowers can anonymously report fraud to the Office of Inspector General's hotline at 800-HHS-TIPS.

Sources:
1. Center for Integrity in Practice. American Physical Therapy Association. http://integrity.apta.org/home.aspx. Accessed June 12, 2018.
2. Preventing Fraud, Abuse, and Waste: A Primer for Physical Therapists. American Physical Therapy Association. http://integrity.apta.org/Primer/. Accessed June 12, 2018.