Imagine arriving at your office ready to start the day, booting up your computer to check the schedule and then … nothing. There’s a blank screen or, worse, a message stating that your system has been locked along with a demand for a payment to gain access. When a cyberattack hits, your practice could come to a screeching halt. A compromised system can mean no access to schedules, billing, or patient records.
Shelli Macaluso.
From insurance carriers, retailers, and financial institutions to the U.S. military, all organizations that have an online presence are subject to cyber-related risks and the reputational damage and loss of consumer trust that follow. The healthcare industry is especially vulnerable to cyberattacks, as hackers know they can access both protected health information and financial records for patients. Even if your practice does not own a website or make financial transactions online, you can still be at risk simply by using the internet and working in a digitally connected office.
Cybercriminals have been leveraging healthcare practice disruptions to launch ransomware attacks in skyrocketing numbers. One recent study reported that attacks on healthcare delivery organizations more than doubled from 2016 to 2021, exposing the protected health information of almost 42 million patients. Another report found that small businesses are three times as likely to be targeted by cybercriminals, with malware emerging as the most common form of attack.
Cybercrime in a dental office
In one cybercase handled by The Dentists Insurance Company (TDIC), the total costs to conduct a forensic information technology (IT) investigation, get systems back online, and cover lost business neared $100,000. When the dentist could not access his files, it soon became clear that the system had been hacked and the practice was a victim of ransomware. Because patient data was stored in the cloud, the dentist didn’t believe that a data breach had occurred, but his practice’s operations were still paralyzed from doing business because his systems and files were locked.
By the time a forensic IT firm was engaged to regain access to the system, get it back online, and unlock the data, the dentist had already paid a $25,000 ransom demand. The insurance claim reflected more than $70,000 in costs due to the amount of time the practice operations were down plus the expertise needed to investigate and reconcile the records and data.
In cases like this, recovering data and reimbursement for the associated financial loss is crucial to practice sustainability. But investigating how the system was accessed can be priceless in helping to support and train the practice team in mitigating future crises. In today’s high-risk climate, everyone on the team should understand the potential implications of clicking on an attachment from an untrusted source or opening a malicious email.
Protecting your practice from a cyberattack
While cybercriminals are becoming more aggressive and infecting more computer systems, simple human error and misplaced trust are still the leading factors in many data breaches. Fortunately, you can take steps to help protect yourself and your practice from cyber-risks.
- Strengthen passwords. Make sure each employee has a unique password that contains a combination of lowercase and uppercase letters, numbers, and special characters to deter potential hackers from gaining access.
- Back up your data. You can back up your files and data on a network-attached storage device; portable hard drive; USB flash drive; or online through sites like Google Drive, Dropbox, and Mozy. It’s a good idea to back up files daily, which will make recovering data easier in the case of cyberattacks or computer system damage. “Dentists with up-to-date backups can be back to work within a few days,” notes Brad Reager of claims and risk management at TDIC. “Those without can spend weeks trying to get up and running again.”
- Use safety features. Install antivirus and antimalware software for all your devices and update when available. Use an encrypted virtual private network when connecting to an unfamiliar Wi-Fi network to ensure a secure connection. These measures will help prevent your data from being compromised.
- Initiate cybersafety protocols. Educate your staff on the latest cyberthreats, and include your practice’s cybersecurity policies and training protocols in your employee manual. Employ a multiuser system for the release of sensitive information. For example, make it a policy that two employees must sign off before providing anyone with secure information, such as passwords or file access, to prevent falling victim to a cyberscam and jeopardizing your computer system.
- Invest in cyberliability insurance. A proactive approach to preventing cyberattacks means having the right type and amount of insurance coverage in place. To keep pace with today’s evolving risks, owners -- regardless of practice size -- need insurance that goes beyond a data breach. Look for a policy that covers the costs of breach of information, unauthorized intrusion or interference with computer systems, damage to data and systems from computer attacks, and related litigation. TDIC’s Cyber Suite Liability policy provides this robust coverage and is focused solely on the protection of dentists, so its service is designed to serve the unique needs of dental practice owners.
Responding to a cyberattack
While every incident is different, the following six steps are sound guidance to support you in the event of a cyberattack:
- Don’t pay a ransomware demand until you consult a professional.
- Contact your IT provider right away for assistance. Let an expert assess the situation.
- Document without clicking on links or deleting information. Take a picture of the screen, and note what it said at the time of the incident. Capture when the incident happened and how it occurred, if known.
- Save network security logs that indicate the date, time, and device used. Collect facts, and gather information from your staff and IT provider.
- Call your professional insurance provider, or log in to your account to report the incident as soon as possible and initiate a claim.
- Report a data breach to the appropriate agencies:
- For ransomware: Federal (the Federal Bureau of Investigation) and state law enforcement agencies
- The Internet Crime Complaint Center
- Security breach notifications required by law in your state
- For data breaches: U.S. Department of Health and Human Services
Preventing cyberattacks is the first step in protecting your practice. The second step is to be prepared. Stay informed of cybercrime trends, and reach out to the experts at your professional insurance company for guidance on setting up prevention plans to reduce the risks of future incidents.
Shelli Macaluso joined The Dentists Insurance Company in 2018 as a risk management analyst. She speaks nationally representing the company at risk management seminars, dental conventions, and participating dental society events. Macaluso advises dentists in the areas of professional and employment liability, property, and cyber-risk management. She can be reached at [email protected].
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.
