Cybersecurity Lessons Learned from a Hacked Doctor

Cybersecurity Lessons Learned from a Hacked Doctor

Written by Artur Gevorgyan, MD, MSc, FRCSC. Head, Division of Otolaryngology – Head and Neck Surgery / Rhinologist. Lakeridge Health Corporation. Clinical Adjunct Lecturer. Department of Otolaryngology – Head and Neck Surgery. University of Toronto.

In today’s fast-paced world of technological change, where digital innovations are woven into our everyday lives, it’s easy to become lax on the importance of safeguarding our personal information. Many of us think—or hope—a privacy breach will never happen to us. This becomes all the more concerning in our role as doctors, as we are obligated to protect the privacy and security of our patients. But anyone is susceptible. As I found out firsthand, without precaution and vigilance, being hacked is bound to happen.

It was in March 2020 when I fell victim to a phone-porting scam. I had received an urgent text around midnight from Rogers, my service provider, to contact them immediately, otherwise my phone number would be ported (transferred to another provider).

When I spoke with Rogers, they explained that my number had indeed been transferred to Bell—apparently, I’d only had 30 minutes from the time of their text to respond, and I was late by 15 minutes. My number was completely inaccessible. I had no more phone service, and was blocked from receiving phone calls and texts, so I couldn’t verify my passwords either. This also meant my accounts were vulnerable to being accessed by the hackers, who could authenticate my identity with a verification code sent to my now stolen number.

As one could have guessed, I was unable to access my email. When I attempted multiple times to reset the password using a secondary email, I kept getting locked out. I realized that hackers were simultaneously changing my password during my futile log-in attempts. They had my phone number and a direct line to the verification texts.

I was in a whirlwind of panic. It felt so invasive. It wasn’t until I deleted my phone number from my email account that I was able to reclaim control of it. The culprits were able to exploit my phone number for at least eight hours, during which time they got a hold of my PayPal account, as well as my Rogers account, on which an order for a costly iPhone had been placed.

My number was officially returned to me more than 12 hours later, the following day. Luckily, I’ve had no issues with financial or credit agencies, and Rogers covered the hefty bill for the iPhone. So the only real damage was to my time and the stress involved. But it was a rude awakening.

After this incident, I became motivated to learn all about cybersecurity. As a repeat offender of recycled usernames and passwords, I realized just how poor my online security practices had been for the last 22 years, and it eventually caught up to me.

Credential stuffing attacks happen because we tend to use duplicate username/password combinations for different sites. When organizational data breaches expose personal data like login credentials on the dark web, we are left vulnerable to hackers to access our accounts.

I’ve since tightened up my security measures—and everyone should. In this ever-growing digital world it’s become increasingly important to learn more about cybersecurity, as being hacked is nearly inevitable. It’s happened to Facebook, Google, Elon Musk, and German, U.S. and U.K. hospitals, and it can certainly happen to you too. Clinics, hospitals and health care organizations have become prime targets for ransomware attacks.

Also concerning is how much of our information is stored with our professional organizations. Data breaches at our provincial medical associations or regulatory bodies would expose valuable information about us. Anyone with unauthorized access could misuse the information in a social engineering attack, putting us at risk of identity theft. Recent high-profile breaches of health care organizations in Canada and across the globe demonstrate that this risk is very real.

We must all enhance our cybersecurity knowledge to mitigate this sizable risk.

These are my top 5 cybersecurity best practices:

  1. Software updates: Perform these updates when your device notifies you. This will employ security fixes and patches to software vulnerabilities, safeguarding you against hackers.
  2. Passwords: This is a crucial step. Recycled passwords, if leaked, can be used in credential stuffing attacks. Strong passwords are long, complex and unique. Using a password management system like Last Pass or Bitwarden to generate and remember complex passwords for each account means you’ll only have to remember one password.
  3. Check if your passwords have leaked: Enter your email or phone number at haveibeenpwned.com to see if your personal information has been compromised in a data breach. If so, change your passwords (this should be done periodically regardless of a data leak).
  4. Two-factor and multifactor authentication: This requires verifying your log-in with authentication factors in addition to a password, such as through a phone app or text message, security key, etc. Enable this as an added security measure.
  5. Security questions: These should also be complex and unique, and stored separately from your passwords.

More can be discussed about each of these recommendations, along with a breadth of other critical topics, including browsers, encryption, phishing, social media privacy and security, and more. This is just a ‘starter list’ for a physician realizing their own cybersecurity gaps.

Want more tips and tricks on how to protect your practice and patient data? Dr. Gevorgyan will be presenting on cybersecurity best practices at the OntarioMD Digital Health and Virtual Care Day Conference on September 30th. Learn more and register today.

This piece was adapted from the April 2021 article ‘My top 10 cybersecurity tips’ in the Medical Post by Dr. Artur Gevorgyan.

Share your thoughts with us!