You have spent many years training to become a dentist, growing your practice, building your reputation, and developing a loyal patient base. It is now imperative that you take steps to protect your investment of time and money. Mitigating a cybersecurity breach -- an occurrence that has become increasingly more frequent and severe for healthcare entities over the past year -- can cost your practice hundreds of thousands of dollars and a loss of patient trust.
As more hackers seek to exploit the weaknesses in dental practice networks and target the significant amount of data and patient information that dental practices store, being proactive to protect your data has become more critical than ever. Hackers use stolen records for identity theft and blackmail purposes and sell them on the dark web. During an August 2019 ransomware attack, approximately 400 dental practices had their data encrypted and are now facing lengthy, costly, and complicated processes to restore these encrypted files.
If your practice has a data breach, the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires that you notify every patient of record by sending a first-class letter, offer identity theft monitoring, and set up call centers. During this disruption, you may not be able to access your patient files, and it will be extremely difficult to keep your practice running smoothly. In addition, data breaches will affect patient trust, which is very difficult to regain.
It is crucial to understand that the scope of an information technology (IT) company is not the same as a cybersecurity firm. Your IT company typically sets up your computers, installs your software, and handles your basic IT needs. You will also need the knowledge, expertise, and advanced tools of a specialist in cybersecurity to help ensure the overall security of your network.
The FBI and the U.S. Department of Homeland Security warned IT vendors in 2018 that so-called advanced persistent threat actors were targeting them to attack their clients. Since your IT vendor typically stores your IP address, user name, and password, a breach of its system will give cybercriminals the keys to your castle.
While many dental practices work with an IT company, they can be unaware that IT companies should not audit their own work. You should always have an independent audit of your network performed by a cybersecurity company.
4 steps to take
To secure your network and defend against sophisticated attacks, the following are four critical steps that dental practices need to take.
1. Cybersecurity audit
During an initial cybersecurity audit, the practice will work closely with the cybersecurity team to understand how data are stored and accessed. They will also inspect the protocols in place to protect the data. The cybersecurity firm will also inquire about any remote employees or contractors with the ability to log into the network.
2. Awareness training
The HIPAA Security Rule requires that covered entities (such as your practice) undergo cybersecurity awareness training to mitigate the risks of human error and chances of being exposed to an attack. Recent data indicate that there is a 50% to 70% reduction in cyberattacks when staff members are appropriately trained.
Social engineering (known as hacking the human) is the most common threat impacting practices. Most ransomware attacks are initiated via spear phishing, a targeted email crafted to trick a user into opening a message that looks harmless. These emails may even appear to come from a familiar name or email address but contain attachments or links that can trigger a ransomware attack, affecting a single computer and then searching for other machines on the network to target.
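The warning signs above (a familiar name on an unfamiliar address, an unexpected attachment type, a link whose visible text does not match where it points) can be turned into simple triage checks that staff or a mail filter can apply before anything is opened. The script below is an added example and is not code from the article or from Black Talon Security; the address book, the list of high-risk attachment types and the two sample messages are constructed for illustration.

```python
"""Spear-phishing triage checks for incoming mail (added example, not from the article).

Flags three signs the article describes: a known contact's display name arriving
from a different domain, an attachment type commonly used to deliver ransomware,
and a link whose visible text names one site while the href points to another.
"""
from urllib.parse import urlparse

# Constructed address book: display name -> the domain that contact really uses.
KNOWN_CONTACTS = {
    "Dental Supply Co": "dentalsupply.example",
    "Dr. Jane Rivera": "riverafamilydental.example",
}

# Attachment types frequently abused as ransomware droppers (policy list, constructed).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk"}


def sender_domain(address):
    """Return the lowercase domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def visible_host(text):
    """If link text looks like a URL or bare domain, return its hostname, else None."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def attachment_extension(filename):
    """Return the lowercase extension including the dot, or '' if there is none."""
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage(message):
    """Return a list of human-readable warnings for one message dict."""
    warnings = []
    name = message.get("display_name", "")
    domain = sender_domain(message["from"])
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        warnings.append(f"display name '{name}' normally sends from {expected}, not {domain}")
    for filename in message.get("attachments", []):
        ext = attachment_extension(filename)
        if ext in RISKY_EXTENSIONS:
            warnings.append(f"attachment '{filename}' has a high-risk type ({ext})")
    for text, href in message.get("links", []):
        shown = visible_host(text)
        actual = urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            warnings.append(f"link shows {shown} but points to {actual}")
    return warnings


# Two constructed sample messages: a lookalike invoice and a legitimate referral.
SAMPLE_MESSAGES = [
    {
        "display_name": "Dental Supply Co",
        "from": "billing@dentalsupply-invoices.example",
        "attachments": ["Invoice_4471.docm"],
        "links": [("dentalsupply.example/pay", "http://dentalsupply-invoices.example/pay")],
    },
    {
        "display_name": "Dr. Jane Rivera",
        "from": "jane@riverafamilydental.example",
        "attachments": ["referral.pdf"],
        "links": [],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or ["no warnings"])
```

The checks are deliberately conservative: a link is only compared when its visible text names a domain, so ordinary "click here" links do not produce noise, and a message from an unknown sender produces no display-name warning because there is nothing to compare against.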
3. Vulnerability scanning
Networks that have vulnerabilities such as unpatched operating systems, outdated equipment, or weak passwords are more susceptible to ransomware or breaches. Hackers can also gain access to your practice's data through any device with an IP address, such as laptops, workstations, printers, or security cameras. Cybersecurity firms can deploy sophisticated tools and technologies to search for these types of vulnerabilities. Vulnerability scanning should occur quarterly or whenever network devices are upgraded, modified, or added.
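A vulnerability scanner looks for exactly the conditions this step names, and it has to look at every networked device, not only the workstations. The script below is an added example (not the article's or any vendor's tool) showing how a practice can evaluate a device inventory against a patch-age, unsupported-OS and password policy and decide whether its quarterly scan is due; the inventory, the policy thresholds and the date used as "today" are constructed for illustration.

```python
"""Inventory-driven vulnerability check and scan scheduling (added example, not from the article).

Every device with an IP address is assessed for the weaknesses the article lists:
an operating system no longer receiving patches, a missed patch window, default or
short passwords. A second function decides whether the quarterly scan is due.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    name: str
    kind: str            # workstation, printer, camera, server ...
    ip: str
    os: str
    last_patched: date
    password_length: int
    default_credentials: bool = False


# Hypothetical policy values; a real practice takes these from its security vendor.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}  # long past vendor support
MAX_PATCH_AGE_DAYS = 30
MIN_PASSWORD_LENGTH = 12
SCAN_INTERVAL_DAYS = 90  # "quarterly" in the article


def assess(device, today):
    """Return the list of policy findings for one device (empty if it is clean)."""
    findings = []
    if device.os in UNSUPPORTED_OS:
        findings.append("unsupported operating system")
    age = (today - device.last_patched).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"not patched for {age} days")
    if device.default_credentials:
        findings.append("default credentials still in use")
    elif device.password_length < MIN_PASSWORD_LENGTH:
        findings.append("password shorter than policy minimum")
    return findings


def report(inventory, today):
    """Map device name -> findings, listing only devices that have at least one."""
    result = {}
    for device in inventory:
        findings = assess(device, today)
        if findings:
            result[device.name] = findings
    return result


def scan_is_due(last_scan, today, devices_changed_since_scan):
    """Quarterly, or immediately when devices were upgraded, modified or added."""
    return devices_changed_since_scan or (today - last_scan).days >= SCAN_INTERVAL_DAYS


# Constructed inventory for a small practice; the date below is fixed so results are repeatable.
TODAY = date(2019, 10, 1)
INVENTORY = [
    Device("front-desk-pc", "workstation", "10.0.0.11", "Windows 10", date(2019, 9, 20), 14),
    Device("operatory-2-pc", "workstation", "10.0.0.12", "Windows XP", date(2019, 3, 1), 8),
    Device("lobby-printer", "printer", "10.0.0.20", "Embedded firmware", date(2019, 9, 1), 0, True),
    Device("security-camera", "camera", "10.0.0.30", "Linux (vendor firmware)", date(2019, 1, 15), 12),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY, TODAY).items():
        print(name, "->", "; ".join(findings))
    print("scan due:", scan_is_due(date(2019, 6, 1), TODAY, False))
```

Note that the printer and camera are assessed with the same rules as the workstations, which is the point of the article's remark that any device with an IP address is a way in; the inventory check is a complement to, not a replacement for, the network scan a cybersecurity firm runs.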
4. Penetration testing
Cybersecurity firms will often utilize "white-hat" (or ethical) hackers to attempt to (safely) break into your practice's network. This allows cybersecurity firms to detect any weaknesses in the network directly. Once testing is complete, the results will be turned over to the practice's IT company to mitigate the risks.
Gary Salman is the CEO of Black Talon Security.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.