EyeWorld is the official news magazine of the American Society of Cataract & Refractive Surgery.
Issue link: https://digital.eyeworld.org/i/129516
Malware is a short piece of quaternary code that inserts itself into your software, usually the operating system. It can be difficult to detect and can depredate your practice. For example, a malware-compromised computer can record and transmit credit card numbers from your dispensary to a "broker" in Houston who then sells this information in blocks to a buyer in Moscow. Although the going rate for a stolen credit card number can be as low as $1, American Express cards are especially prized at $30 each because they usually don't have a preset spending limit. Credit card numbers are sold in blocks of 1,000. In the U.S., the average credit card breach involves 10,000 numbers. The sale of PHI is a fast-growing black market; $50 per record is the current rate. Your office phone rings. Using electronic and procedural metrics, the bank explains it has detected suspicious activity on their credit cards. By tracing "commonalities," e.g., points of purchase, the breach is linked to your dispensary. Within hours, people with business-serious IDs visit your clinic. Your clinic's computers are disconnected from the internet and the forensic work to detect the source of the breach is begun. They look for a "skimmer," a small device that can be attached to a computer surreptitiously. It costs $25 on the web. Finding a skimmer, the fraud investigator's job is done. But was this an internal, i.e., a staff person's malfeasance, or an external attack? No skimmer? A system-wide audit is performed to identify malware, calculate the number of cards compromised, enumerate the events that occurred, and delimit their time interval. Resources and money are consumed. Your office may use credit cards but phone lines must be employed. If the breach is large in terms of numbers and dollars, the bank is required to involve the Secret Service. Domestically, the Secret Service can be effective; internationally, it must rely on other law enforcement resources. According to the Centers for Medicare and Medicaid Services website, credit card transactions are apparently exempt from HIPAA regulations. HIPAA notwithstanding, other penalties and fines can be ruinous if the theft exceeds 10,000 card numbers. The clinic is charged $3.00 for the replacement of each compromised credit card. It can be liable for all fraud losses. These currently average more than $2,000 per card number. Depending on breach complexity, the cost of the audit can approach six figures. Credit card companies can levy additional fines on the practice. If satisfied with compliance remedies, credit card use may be allowed but the cost of each transaction increases. The loss of patient goodwill, damage to the practice's reputation, and the effect on staff, especially if an inside job is suspected, are inestimable. It is not if but when your system will be breached. In next month's column, I will address steps to help prevent and mitigate damages. EW Editors' note: Dr. Noreika has practiced ophthalmology in Medina, Ohio, since 1983. He has been a member of ASCRS for more than 30 years. Contact information Noreika: JCNMD@aol.com A. John Kanellopoulos, MD, discusses with Josh Young, MD, the risks and benefits of using high fluence collagen crosslinking as compared to standard collagen. Go to ewreplay.org/ASCRS2013/saturday or scan the QR code above to view video. SYMPOSIUM & CONGRESS 2014 APRIL 25–29 BOSTON Additional Programming Cornea Day ASCRS Glaucoma Day ASOA Workshops Technicians & Nurses Program Book Early for the Best Rates Housing is Now Open www.ascrs.org/gethousing