The Cyber Threat Landscape for Optometrists – It’s Not Looking Good

In today’s digital age, the healthcare industry, including optometry practices, relies heavily on electronic systems for patient management, record-keeping, and service delivery. While this digital transformation is beneficial, it also brings about significant cybersecurity challenges. Because optometrists handle sensitive patient information, it is crucial for them to prioritize cybersecurity to protect their practice and patients from potential cyber threats.

Optometrists may not immediately come to mind when thinking about prime targets for cyberattacks. However, healthcare data is incredibly valuable on the black market, making all healthcare providers, including optometrists, attractive targets. Cybercriminals seek to exploit vulnerabilities to gain access to personal health information (PHI), financial data, and other sensitive information.

One of the most common cyber threats facing optometrists is phishing attacks. Cybercriminals use deceptive emails to trick staff into revealing sensitive information or clicking on malicious links. These attacks can lead to unauthorized access to systems and data breaches. Another significant threat is ransomware, a type of malware that encrypts a practice’s data, rendering it inaccessible until a ransom is paid. Ransomware can disrupt operations, lead to significant financial losses, and damage the practice’s reputation.

Insider threats, where employees or associates with access to sensitive information inadvertently or maliciously compromise data security, are also a concern. This includes mishandling PHI or falling victim to social engineering attacks. Additionally, weak passwords are an easy target for cybercriminals. A lack of robust password policies can lead to unauthorized access to sensitive systems and data.

A cybersecurity breach can have severe consequences for an optometry practice. Financial losses can be substantial, including fines, legal fees, and the cost of restoring systems and data. Moreover, patients trust healthcare providers to protect their sensitive information. A breach can erode this trust and lead to a loss of patients. Cyberattacks can disrupt the daily operations of a practice, leading to lost revenue and decreased patient satisfaction. Furthermore, failure to comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA) can result in significant penalties.

Hack at Services Firm Hits 2.4 Million Eye Doctor Patients

Excerpts from an article by BankInfoSecurity: “An Arizona firm that provides administrative services to about a dozen ophthalmology practices in several states is notifying nearly 2.4 million patients of a November hacking incident that may have compromised their sensitive information.

The data theft is among the latest major hacking incidents reported to regulators by HIPAA-regulated business associates. Last year, 4 in 10 hacks involved a third-party vendor providing one or more of a wide range of services – from bill collecting to transcribing notes – to scores of healthcare organizations.

Medical Management Resource Group, which does business as American Vision Partners, works with – and “shares” a management system, IT, and infrastructure with – 12 practices, according to its website. The incident involved the hack of a network server and affected more than 2.35 million individuals, the company said in a Feb. 6 report to the Department of Health and Human Services.

The Tempe, Arizona-based firm said that on Nov. 14, it detected unauthorized activity on certain parts of its network. MMRG said it promptly took steps to contain the incident, including isolating the affected system and engaging assistance from outside cybersecurity firms. The company also notified law enforcement and has taken additional actions to further secure its IT systems.

The compromised information varies among patients but may include names, contact information, birthdates, and medical information, including services received, clinical records, and medications. For some individuals, the hack also affected Social Security numbers and insurance information.

In a breach notice, MMRG advised affected individuals to take “certain steps” to help protect their sensitive information in the wake of the incident, including keeping a close eye on their credit reports and reviewing their account statements. MMRG is offering affected individuals two years of complimentary identity and credit monitoring.

MMRG did not immediately respond to Information Security Media Group’s request for additional details about the incident, including how many of its ophthalmology practice clients had been affected.

Vendor Risk

The MMRG incident is one of the latest major health data breaches involving third-party services firms. In 2023, business associates – including bill collection companies, practice management firms, and medical transcription services – accounted for nearly 40% or 275 of the 734 major breaches reported to HHS.

Those incidents affected nearly 90.3 million people, or about two-thirds of the 135.3 million individuals who were victims.

The largest of those incidents was reported by medical transcription services firm Perry Johnson & Associates. The breach has affected several large healthcare entity clients and about 14 million people so far.

PJ&A initially reported the incident in November to HHS as having affected nearly 9 million individuals. But in recent months and weeks, several subsequent breaches involving the hack and affecting additional PJ&A clients and millions of their patients have been reported to regulators.

Vetting Vendor Risk

Healthcare organizations should talk about these recent incidents with their vendors and third-party providers to inquire about the controls and options they have in place, said Dustin Hutchison, vice president of services and CISO at security consulting firm Pondurance.

“The threat landscape and vulnerabilities are constantly changing, so an ongoing examination of how to improve to better serve patients is important,” he said. Vendors and business associates that provide critical services are targets for attacks because they handle large volumes of data, “so the expectations of controls and the ability to demonstrate those controls should be higher.

“Organizations are going to have different requirements, but establishing a strong program baseline for all of their clients should be the norm. Being able to demonstrate an aggressive vulnerability management program with appropriate access controls, auditing, and proactive detection and response goes a long way.”

Even smaller medical practices should not be at the mercy of their third-party providers when it comes to security and compliance, especially when they have other options in the market, according to Hutchison.

“Practices of any size should focus on ensuring the security controls they need are available prior to purchase by having the conversation with the vendor and including those requirements in the contract,” he said. Vendors that focus on smaller practices should have a clear understanding of shared responsibility, and why their solution is appropriate for the practice, he added.

“Medical practices should focus on understanding third-party risks by establishing their risk tolerance based on regulatory requirements and necessary security controls to protect their data and environments. The best time to ensure a vendor meets security and compliance requirements is prior to purchase by reviewing the vendor’s processes and controls available and alignment with the practice expectations and needs.”

As Vendor Breaches Surge, Medical Practices Need 20/20 Visibility on Third Parties

Excerpts from an article by The Record: “Colorado-based Panorama Eyecare told regulators in Maine and Massachusetts that 377,911 current and former patients and employees had data stolen — including names, Social Security numbers, dates of birth, license numbers, financial account information, dates of service and medical provider names.

Panorama Eyecare owns or provides services to dozens of optometry or ophthalmology offices in the Rocky Mountain region. Its systems manage IT departments, HR, payroll, marketing, and capital improvements for equipment and facilities.

Attacks on third-party service providers have been a thorn in the healthcare industry’s side recently. Administrative services provider WebTPA revealed recently that an incident last year potentially affected 2.4 million people. This week, a cyberattack on pathology services company Synnovis resulted in the suspension of operations at London hospitals.

Panorama Eyecare said it first discovered the attack on June 3, 2023, and an investigation revealed the hackers had access to the company’s network as far back as May 22. The company claimed its investigation into the incident concluded nearly a year later, on May 9, and revealed the hackers “may have accessed and removed certain files” from their network.

According to the FBI, the healthcare and public health sector was the most common ransomware target of any critical infrastructure sector in 2023.

In the wake of a ransomware attack on Change Healthcare, a pivotal U.S. company that handles pharmaceutical operations, Senate Finance Committee Chair Ron Wyden (D-Ore.) published a letter on Wednesday urging the Department of Health and Human Services (HHS) to immediately mandate systemically important health care companies to improve their cybersecurity practices.

“The current epidemic of successful cyberattacks against the healthcare sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” Wyden said.

“The agency’s current approach of allowing the health sector to self-regulate cybersecurity is insufficient and fails to protect personal health information as intended by Congress. HHS must act now to address corporations’ lax cybersecurity practices, which have enabled hackers to steal patient health information and shut down parts of the healthcare system, causing actual harm to patient health.”

Eye Care Leaders Hack Impacts Millions of Patients

Excerpts from an article by The HIPAA Journal: “Unauthorized individuals have gained access to the systems of Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. Hackers gained access to its myCare Identity solution and deleted databases, systems configuration files, and data.

Eye Care Leaders said its incident response team immediately stopped the unauthorized activity when the breach was detected and launched an investigation into the security breach. The investigation is ongoing, but notifications have now been sent to affected ophthalmology and optometry practices.

The types of information that have been exposed included patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices. The breach was confined to the myCare Identity solution. The systems of eye care providers that use the solution were not compromised. It is currently unclear how many individuals have been affected by the breach. The Eye Care Leaders website states that it provides software solutions to more than 9,000 ophthalmologists and optometrists.

The number of eye care providers affected by the breach has been growing over the past few weeks, and it is now known that the protected health information of more than 3.6 million patients has been exposed and potentially compromised.”

To safeguard their practice and patients, optometrists should implement comprehensive cybersecurity measures. Regular employee training on cybersecurity best practices is essential, including how to recognize phishing attempts and how to handle sensitive information securely. Enforcing strong, unique passwords and multi-factor authentication (MFA) means that a password alone, whether guessed, reused from another breach, or phished, is not enough to log in. Ensuring that all sensitive data, both in transit and at rest, is encrypted is also crucial to protect it from unauthorized access.

Summary of Incidents

In today’s digital landscape, optometry practices, like many healthcare providers, heavily depend on electronic systems for managing patient information, record-keeping, and delivering services. While these digital tools enhance efficiency, they also pose significant cybersecurity risks. The sensitive nature of healthcare data, which includes personal health information (PHI) and financial details, makes optometrists prime targets for cyberattacks.

Optometrists face various cyber threats, with phishing attacks and ransomware being the most common. Phishing attacks involve deceptive emails that trick staff into revealing sensitive information or clicking on malicious links, leading to unauthorized access and data breaches. Ransomware, a type of malware that encrypts data until a ransom is paid, can severely disrupt operations, incur financial losses, and damage a practice’s reputation. Additionally, insider threats and weak password policies further compromise data security.

A cybersecurity breach can have dire consequences, including substantial financial losses, legal repercussions, and damage to patient trust and satisfaction. Non-compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA) can also result in severe penalties.

The recent hack at an Arizona administrative services firm, impacting nearly 2.4 million patients, highlights the significant risks posed by third-party vendors. Similar breaches at other third-party service providers underscore the need for robust cybersecurity measures and thorough vetting of vendors. As cyberattacks on the healthcare sector, particularly on third-party services, continue to rise, optometry practices must prioritize cybersecurity to protect sensitive patient information and ensure compliance with regulatory requirements.

Cyber Security – The Minimum Requirements

The importance of cybersecurity for optometrists cannot be overstated. With the increasing reliance on digital systems and the high value of healthcare data, optometry practices are at substantial risk of cyberattacks. Implementing strong cybersecurity measures, including robust password policies, regular staff training on phishing and social engineering threats, and thorough vetting of third-party vendors, is essential. Additionally, practices must stay compliant with regulations such as HIPAA to avoid severe penalties and maintain patient trust.

Keeping all software, including electronic health record (EHR) systems, up to date with the latest security patches is vital. Regularly backing up data and having a comprehensive disaster recovery plan in place to quickly restore operations in case of a cyberattack can mitigate the impact of potential breaches. A backup only counts if it has been restored successfully in a test, and at least one copy should be kept offline or otherwise out of reach of the network, since ransomware that can reach the backups will encrypt or delete them along with everything else. Implementing strict access controls to ensure that only authorized personnel have access to sensitive information is another important measure.
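Two of the controls listed here, encrypting data at rest and keeping backups that can actually be restored, are easy to get subtly wrong: a backup that is encrypted but not integrity-protected can be corrupted or swapped without anyone noticing until the restore fails. The following is an added example, not code from the original article or from any vendor named on this page. It uses Go's standard library to seal a patient record with AES-256-GCM (an authenticated cipher), binds a backup label as associated data, and then runs the restore test a disaster recovery plan should require: decrypt the copy and compare a SHA-256 digest recorded at backup time. The key, the record and the label are constructed in-process for the example; in a real practice the key would come from a key manager and never be stored next to the backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// encryptBackup seals plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag. The label is bound as associated data so one
// backup cannot be silently substituted for another without detection.
func encryptBackup(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, plaintext, []byte(label))
	return append(nonce, sealed...), nil
}

// decryptBackup reverses encryptBackup. Any change to the nonce, ciphertext,
// tag or label makes Open fail, so a corrupted or tampered copy is rejected
// rather than restored.
func decryptBackup(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("backup too short to contain a nonce")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, []byte(label))
}

// verifyRestore is the restore test: decrypt the stored copy and check that its
// SHA-256 digest matches the one recorded when the backup was taken.
func verifyRestore(key, blob []byte, label string, wantDigest [32]byte) error {
	plain, err := decryptBackup(key, blob, label)
	if err != nil {
		return fmt.Errorf("restore failed: %w", err)
	}
	if sha256.Sum256(plain) != wantDigest {
		return errors.New("restored data does not match recorded digest")
	}
	return nil
}

// newKey returns a random 256-bit key for AES-256. Generated here for the
// example; a real deployment would fetch it from a key manager.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN:000123|name:J. Doe|dob:1980-01-01|rx:OD -2.00 OS -1.75")
	label := "patient-records-2024-06-01"

	key, err := newKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptBackup(key, record, label)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(record) // recorded alongside the backup

	fmt.Println("restore test on intact copy:", verifyRestore(key, blob, label, digest))

	// Simulate ransomware or bit rot flipping one byte of the stored copy.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	fmt.Println("restore test on tampered copy:", verifyRestore(key, tampered, label, digest))
}
```

The point of the authenticated mode is the second result: a flipped byte, a swapped label or a wrong key all fail the restore test loudly instead of producing garbage that looks like a record. Run the same check on a scheduled basis against the offline copy, and keep the key and the recorded digest somewhere the backup host cannot reach, so that an attacker who encrypts the server does not also take the means of verifying or reading the backups.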

As optometry practices continue to embrace digital tools and technologies, robust cybersecurity measures become a condition of operating rather than an optional extra. By prioritizing cybersecurity, optometrists can protect their patients’ sensitive information, maintain their practice’s reputation, and ensure the continuity of their operations. Cybersecurity is not a one-time effort but an ongoing process: the threat landscape changes, and the controls, training, and vendor reviews described above need to be revisited as it does.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By investing in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and tools fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca
