Cybersecurity has been a game of cat and mouse for years. The goal 15 years ago was to stay a step ahead of the “bad guys,” but then the tide changed. The new goal was to try to be as responsive as possible to the changing landscape of threats and newly uncovered weaknesses. The realization set in that although preventive measures can and should be taken, there is no way to entirely stop identity theft from occurring. Traditional cybersecurity policies were struggling to respond to risks from cloud computing, human behavior and the massive growth of the Internet of Things (which is estimated to top 40 billion devices within just 5 years1). Then came the COVID-19 crisis, and the problems got worse—much worse.
During this pandemic, the problem has exploded compared to other years. The bad actors thrive on chaos; they love distractions. They love to use low-tech scams to reach into people’s pockets or lives, and they thrive in an environment where people let their guard down in some areas of personal security when they’re looking at other issues. As we collectively were looking out the front door trying to guard against COVID-19, we didn’t realize that there was no security at the back door. People migrated to their home offices, and that may have opened up many additional areas for breaches and compromises in the basic connection systems across the country.
Identity Theft: The Most Common Type of Cyberattack
Identity theft is at the root of many cyberattacks. In general terms, there are more than 31 different flavors of identity theft or identity fraud. Most people think this kind of cyberattack primarily affects credit or bank accounts, but that couldn’t be further from the truth.
Statistically, identity theft affects about one out of three U.S. citizens.2 According to the 2019 identity fraud study by Javelin Strategy & Research, the number of consumers who were victims of identity fraud totaled 14.4 million in 2018.3 However, the Federal Bureau of Investigation and the U.S. Department of Homeland Security estimate significantly higher numbers of identity theft occur each year. It is difficult to pinpoint the exact numbers, because identity theft is insidious. Victims often retreat or blame themselves. Therefore, they don’t report or address the issues as directly as you might think.
According to the Federal Trade Commission, the Consumer Sentinel Network took more than 3.2 million reports in 2019 from consumers about problems they experienced in the marketplace. These reports included 1.7 million reports of fraud and 650,572 reports of identity theft.4 Consumers filed more reports about identity theft, in all its various forms, than any other type of complaint. Of particular note, the emotional ramifications of identity crimes affect victims well beyond the initial incident, changing how they manage their daily lives forever.5
Medical Records Fraud
The vast majority of identity theft involves medical information. Bad actors use medical files or medical information to obtain medical services or fraudulent prescriptions and as a gateway to other fraudulent events. Medical records are a prime target because they hold so much information about a person, including medical, personal and financial data. Additionally, one individual’s medical files are typically stored in numerous places, including hospitals, medical practices and dental practices, which may have varying degrees of security. This duplication of your records increases the likelihood your information will be stolen.
Unemployment Identity Fraud
Unemployment fraud increased about 2,000 percent between June 1, 2020, and September 30, 2020, in the LibertyID call center compared to the previous year. When the credit bureau Equifax was breached in 2017, the company lost vital information on most U.S. citizens, including data such as Social Security numbers and email addresses.6 Social Security numbers are the gateway for fraud. Numbers were originally created only for use as identifiers for the Social Security program. Social Security cards used to say, “Not for identification or security purposes.” Today, we use our Social Security numbers for everything in our lives—from banking to business to healthcare. When those numbers were stolen en masse, the bad actors took their time selling and reselling them. They waited for an opportunity, such as COVID-19, to pounce.
Unemployment offices are typically very busy, very bureaucratic environments to begin with. When COVID-19 hit, waves of traffic and information flooded the unemployment program. The bad guys knew they could take advantage of that chaos to file fraudulent claims, and they have, complicating the lives of innocent individuals who have no idea fraudulent claims were filed and no way to prevent them. People only learn about this fraud when they get a notice from their state unemployment benefits office or their employer about their supposed application for benefits. If this happens to you, it means someone is misusing your personal information, including your Social Security number and date of birth.
IRS Tax Identity Theft
Another example of the insidious nature of identity theft is Internal Revenue Service (IRS) tax identity theft, which is widespread. For criminals, IRS tax fraud is very easy. They can easily get your Social Security number and information on where you work and live. Then they apply for a fraudulent IRS tax refund, and often get it. There is no way of preventing or monitoring an IRS tax breach.
The only way you know you’ve had your identity stolen is when you receive a letter from the IRS. They don’t call; they don’t email. They send you a letter, typically when you have submitted your tax returns, stating that a duplicate return was already filed. At that point, the IRS opens an investigation, and it becomes your problem to resolve the issue within the IRS bureaucracy.
The typical time frame for the IRS to assist you with the problem is about 355 days, and then it takes another 180 days for them to process your case. Then, there is the time you have to spend reviewing and responding, which can sometimes feel like a full-time job. Working with the IRS to correct a tax identity theft issue—something you had nothing to do with—is very time-consuming, and can take one to three years to resolve.
Children and Identity Fraud
A study conducted by the Carnegie Mellon Institute found that children are 51 times more susceptible to identity theft through Social Security fraud than adults.7 One reason is the age at which we now get a Social Security number. In the past, applications for a Social Security number were submitted when someone wanted to get a job, perhaps around age 14. Today, Social Security cards are essentially waiting for the baby in the mailbox before the family even gets home from the hospital.
Child identity theft is an enormous issue that begins in various ways. The theft might start when a stranger guesses a Social Security number, or it could start with a family fraud issue—a member of the family using the child’s Social Security number to start over or do something nefarious, or from many other sources. Unfortunately, there is no way of detecting when there is an issue until it is too late. We see young people come of age at 16 or 17, apply for an apartment, a car or a college loan, and find out that they have a completely destroyed credit file, one that has foreclosures and repossessions going back years.
To protect yourself from identity theft and increase your home and office data security, the following actions can help.
Keep Your Software Up to Date
Ransomware attacks are a major issue for medical practices and individual healthcare providers. One of the most important actions you can take to mitigate ransomware is patching outdated software, your operating system and applications. Doing this helps remove critical vulnerabilities that hackers use to access your devices.
Use Strong Passwords
You have probably heard that strong passwords are critical to online security. The truth is that passwords are very important for keeping hackers out of your data. According to the National Institute of Standards and Technology’s (NIST) most recent guidance,8 you should consider the following advice:
- Length—8 to 64 characters are recommended.
- Character types—Nonstandard characters, such as emoticons, are allowed when possible.
- Construction—Long passphrases are encouraged. They must not match entries in the prohibited password dictionary.
- Reset—Required only if the password is compromised or forgotten.
- Multifactor—Encouraged in all but the least sensitive applications.
The most recent best practices suggest that password changes are not required unless there is evidence of a compromise, and strict complexity rules have been replaced by construction flexibility, expanded character types, greater length and the prohibition of “bad” (i.e., insecure) passwords.
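The guidance summarized above can be expressed as a short acceptance check. The following Python sketch is an added example, not part of the original article or of any NIST tooling; the names `check_password` and `needs_reset` and the tiny prohibited list are constructed for illustration.

```python
import unicodedata

MIN_LEN, MAX_LEN = 8, 64  # length range quoted in the list above

# Constructed stand-in for the prohibited password dictionary; a real
# deployment would load a large list of common and breached passwords.
PROHIBITED = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou1"}


def normalize(password: str) -> str:
    """Normalize Unicode so a passphrase typed on different devices compares equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, prohibited=PROHIBITED) -> list[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    pw = normalize(password)
    problems = []
    # Length is counted in Unicode code points, so spaces, accented letters
    # and emoji all count as characters and are all allowed.
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    # Assumption of this example: the dictionary comparison ignores case,
    # so "Password" is rejected along with "password".
    if pw.casefold() in prohibited:
        problems.append("prohibited")
    # Deliberately absent: rules demanding digits, symbols or mixed case.
    return problems


def needs_reset(compromised: bool, forgotten: bool, age_days: int) -> bool:
    """Reset only on compromise or a forgotten password; age alone never forces one."""
    return compromised or forgotten


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "short"]:
        print(repr(candidate), check_password(candidate) or "accepted")
```

A long passphrase with no digits or symbols passes, while a short "complex-looking" password or one on the prohibited list does not.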
Consider this frightening statistic: About 70 percent of people use the same password for their online banking accounts, social media accounts and office security.9 It is never recommended that you use the same passwords for work and personal use. In fact, it is best to never use the same password twice.
Back Up Your Data
The odds are that your practice will be hit by ransomware. It’s happening to more and more small medical offices across the country. These attacks are difficult to prevent and a nightmare to recover from—unless you regularly back up your information. If your IT professional cannot provide a seamless backup, cleaning and storing protocol, hire a new one.
Train Everyone on Data Management Practices
Employees (full- and part-time) do not have to be your weakest link in data security. With proper training, they can be an added line of defense in the battle to protect your data. With the explosion of phishing attacks, your plan must be ongoing, active and customizable to the ever-evolving threat landscape.
Hold Your Employees and Vendors Accountable
Data security and security hygiene are everyone’s responsibility. You must make it a life-and-death priority, because a breach can do irreparable harm to your business reputation and value.
Data security and privacy should be a top-down priority. Without accountability, however, you will simply have words. Bad judgment is correctable; malicious activity is unforgivable. As a business owner, you must realize that the threats can be internal as well. For example, in 2016, a former IT administrator was given prison time and nearly a million-dollar fine for purposely damaging a former employer’s computer system.10
Do Not Use Public Wi-Fi
Do not use public Wi-Fi without using a virtual private network (VPN). By using a VPN, the data traffic between your device and the VPN server is encrypted. This means that it is much more difficult for a cybercriminal to obtain access to your data on your device. Use your cell network if you do not have a VPN. Also, do not offer Wi-Fi in your patient waiting room—unless you are 100 percent certain it is on a platform completely separate from your practice’s system.
Have a Plan
Be honest with yourself: What is your plan for handling a cyberattack? If you learned today that your data or systems had been breached, damaged or stolen, what would you do? Who would you call? Would that breach close your office for a day, a week, months? If your answer is that your plan involves calling your IT administrator, your attorney or your religious leader, then you need a real plan, and you need to develop one now.
When the inevitable data breach does affect your practice or home, do not run, hide or ignore it. The reality is that these breaches happen more often than people admit. Although your patients may forgive you for being a victim of a medical practice data breach, they will judge you on your response to such an attack.
Have an Identity Theft Restoration Service in Place
With so many data breaches happening, it is more critical than ever for medical care providers (physicians, physician assistants, nurses, certified medical assistants) and their support staff to have an identity theft restoration service in place. A recent study that examined data breaches that occurred in 2019 found that, on average, a U.S. citizen has had their personal information leaked to the public at least four times.11 This rate is based only on publicly reported data and omits hundreds of other breaches that may have occurred behind closed doors.
Identity theft restoration services are designed to help those who have fallen victim to the crime of identity theft. Contrary to popular belief, identity theft is more than something one can see on a credit report. Many of the 31 forms of identity theft are never found on a credit report.
When a service that specializes in fully managed identity theft restoration helps a victim, the service performs all the actions necessary to get the victim’s identity back to pre-event status no matter where the theft happened. The service reverses all incorrect information, transactions and misuse of official documentation by going to all of the relevant entities, including the Social Security Administration, the U.S. Postal Service, the Department of Motor Vehicles (DMV), banks, creditors, utility companies, leasing agents, medical facilities, healthcare providers and health insurance companies.
The Future of Cybersecurity
The future of cybersecurity is difficult to predict because the industry is constantly evolving in response to the shifting behaviors of cybercriminals and the new attacks they develop. Although organizations are more aware of the importance of cybersecurity, most are still struggling to define and implement appropriate security measures. A new whitepaper by Osano confirmed what many experts already suspected: Companies with poor privacy practices are 80 percent more likely to suffer a data breach.12
One thing is clear: Cyberattacks will continue to increase. Consider all opportunities to protect yourself and your reputation. Select IT security professionals who can assist with setting up the best practices in preventive strategies, and have a solid plan in place for handling incidents once they have occurred.