No practice is immune to cyberthreats

No patient is immune to cavities, and no dental practice is safe from cybervulnerabilities. Dentists manage and store personal and sensitive information about patients -- exactly the kind of data that criminals want.

Just as your teeth need regular flossing, cyberrisks require daily attention too. Yet most dental practices are too busy to drill down into cybersecurity. To help, Ben Yarbrough, CEO of Calyptix Security, and Stephen Goss of dental IT firm CompuCarolina recently discussed the cyberenvironment for dentistry.

An edited transcript of the conversation follows.

Yarbrough: CompuCarolina is focused on dental IT services in upstate South Carolina. What do you see as the primary vulnerabilities or cyberthreats for dentist offices?

Goss: One of the primary threats is email phishing. Small businesses often lack the resources to offer comprehensive cybersecurity training that larger organizations can. Additionally, because dental practices are primarily focused on supporting patients' needs and running their businesses, issues such as cybersecurity are often a lesser priority. Since there is an education gap, part of my job is informing my clients about ongoing threats.

Yarbrough: Education is so critical. Do you remember that breach at Dental Delta of Arizona? An employee unintentionally clicked on a phishing scam that gave the attacker access to an email account. An estimated 13,000 people were affected.

Goss: Most of the threats I see come from two sources: email and social media. Often, when staff have extra time on their hands, they will spend time checking personal email or browsing websites that can compromise their network security.

Yarbrough: Do most use their own personal devices?

Goss: Most of our clients provide systems and devices for their employees, although smartphones will always pose a risk to networks.

Yarbrough: Is connecting to the public internet a concern?

Goss: Connecting to the public internet is certainly a concern. We usually set up a guest or public internet access on a local area network (LAN) that is separate from the office LAN and encourage staff to connect their personal devices to the public network.

Yarbrough: What are some of the reasons dental practices, in particular, are at risk of cyberattacks?

Goss: Budget is one reason dental practices are at greater risk. They are usually more focused on investing capital in projects that enhance their ability to provide high-quality care, but often overlook IT security needs. Second, many clients falsely assume that cybersecurity risks only impact larger organizations.

Yarbrough: We see that too. I've said it before: The dental office that thinks "we're too small" or "no one would want to hack us" is mistaken. What are some best practices you recommend?

Goss: Dental practices need to adhere to HIPAA guidelines as much as possible. Also, they need to diligently monitor any websites they visit. Plus, again, be alert for email phishing attempts.

Yarbrough: HIPAA privacy and security rules are strict about protecting client information. How do you recommend your customers protect their dental patients' records?

Goss: We believe the best method of protection is a thorough backup strategy. The utilization of a hybrid backup scheme (onsite and cloud) gives redundancy to backup locations. In addition, continuously monitoring the network for vulnerabilities and unusual activity will help to prevent breaches and interrupt inappropriate access.

Yarbrough: I'm curious -- did the COVID-19 pandemic impact how your dental clients used technology and IT infrastructure?

Goss: There were a few months at the beginning of the pandemic that really impacted my clients. Most dentist offices were closed for several weeks. Many asked for assistance getting set up to work remotely from home. While unable to see patients, they were still able to manage some of their business activities.

Yarbrough: We saw that too. Though, so did the bad guys. We are continuing to see new attack attempts on remote desktop protocols and virtual private networks.

Goss: Cloud-based practice management is becoming more common. The major challenge with cloud-based programs is internet availability. Having a router that can support failover wide area network (WAN) connections is critical. If the internet goes offline, the office is offline. When practice management software is run from onsite servers, the risk of downtime from outages is reduced.

I had one dental practice contact me because their internet had been disabled by the internet service provider due to heavy virus activity coming from their office. When I visited, I noticed they had an off-the-shelf home router with no protections. So, my first step was to install a network security router (AccessEnforcer) in their office. We successfully stopped the virus traffic, tracked down the source of the activity, and corrected the problem.

Yarbrough: That's good to hear. A few clicks can help stop malicious traffic, plus having an activity log of traffic can help businesses more easily identify if their systems have been compromised.

Goss: Additionally, my clients have to pass Payment Card Industry (PCI) scans each year by their credit card processors. I have found that AccessEnforcer passes straight out of the box with no modifications from the defaults. To make it more secure, I have begun pushing out an in-bound network shield.

Yarbrough: Yes, a tool like Geo Fence is purpose-built to shield networks from inbound malicious foreign actors. Dental practices already have enough on their plates, especially with the additional protocols due to the pandemic. Small businesses need simplicity when it comes to stopping adversary reconnaissance, attacks, probes, and scans.

Yarbrough: You mentioned continuous monitoring and backups. We also talked about securing remote access. Other best practices include allowing least privilege access and using at least two-factor authentication. All of that can sound intimidating to someone who isn't in IT.

Goss: That's why it's a good idea to work with a managed service provider (MSP) to protect the dental office. An MSP provides experience and resources that many dental offices do not have access to with in-house personnel. The MSP can harness expertise and relationships with vendors to provide support unavailable to the dental office otherwise. It allows the dental practice to focus time, energy, and resources on service delivery rather than IT.

Yarbrough: Thanks for all the helpful insights and tips. Always great to compare notes as we work to stay one step ahead of today's cyberthreats.

The comments and observations expressed herein do not necessarily reflect the opinions of, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.
