Healthcare organizations, including dental practices, have become the targets of choice for cybercriminals. Healthcare was the second-leading industry attacked by ransomware in 2018, it's expected to nab the top spot in 2019, and the number of strikes is projected to quadruple in 2020.
Of the 172 breaches reported at healthcare organizations, about 5% affected dental practices, according to a review by pro-consumer research company Comparitech. The healthcare industry, including dental practices, needs to step up its cybersecurity measures.
"Cybersecurity is now an absolute must," Steven W. White, vice president of sales and marketing at dental practice compliance, recovery, and consulting company DDS Rescue, told DrBicuspid.com.
The cost of cyberstrikes
Attacks cripple offices by holding crucial patient data hostage and preventing practices from communicating with, treating, and billing patients. Organizations only find relief when they pay the ransom or IT specialists remove the malware and restore systems. Beyond exorbitant ransom payments, practices lose further money while they are down for hours, weeks, or even months.
Businesses that don't protect themselves can expect to pay big bucks. In 2017, healthcare organizations in the U.S. reported paying $5 billion in ransom to cyberattackers. That figure soared, more than doubling to an estimated $11.5 billion, in 2019, White said.
However, these figures may only scratch the surface. The FBI believes ransomware attacks are grossly underreported, he noted. Additionally, the U.S. Department of Health and Human Services only publicly lists breaches that affect 500 or more people.
An ounce of prevention is worth a pound of cure
Knowing how cybercriminals attack is one of the ways organizations can protect themselves, according to White.
They attack via phishing emails and by hacking into managed service providers (MSPs).
Phishing emails remain the most common method, he said. Attackers use hacked email address books to blast out large volumes of email. These strikes are indiscriminate and aren't aimed at anyone specific. The messages are disguised as coming from trusted companies, such as Bank of America or Amazon, or even from a patient, and they prompt the recipient to click a link or download a file. The click or download installs ransomware on the recipient's workstation, from which it spreads across the office network to the server.
"The sophistication of the camouflage continues to improve on a daily basis. As a result, so do the number of attacks," White warned.
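The two header-level tells in the phishing pattern described above (a display name borrowing a trusted brand while the real sender domain belongs to someone else, and a Reply-To that points elsewhere) can be checked mechanically. The script below is an added example, not code from the article or from DDS Rescue; the brand allow-list, the domain names, and the three sample messages are constructed for illustration.

```python
"""Heuristic check for brand-impersonating phishing mail.

Added example, not from the article or DDS Rescue. The brand allow-list and
the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: brand keyword as it appears in a display name ->
# domains that brand legitimately sends from. A real deployment would load
# this from configuration and cover the brands the practice actually deals with.
TRUSTED_BRANDS = {
    "bank of america": {"bankofamerica.com"},
    "amazon": {"amazon.com"},
}


def sender_domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def domain_allowed(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_headers(raw_message):
    """Return a list of findings for one RFC 822 message; [] means nothing flagged.

    Two signals: a display name that names a trusted brand while the actual
    sender domain is not that brand's, and a Reply-To pointing somewhere other
    than the From domain (the usual setup for harvesting replies).
    """
    msg = message_from_string(raw_message)
    findings = []
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_dom = sender_domain(from_header)

    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and not domain_allowed(from_dom, domains):
            findings.append(
                f"display name claims '{brand}' but sender domain is '{from_dom}'"
            )

    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'"
        )
    return findings


# Constructed sample messages; only the headers matter to this check.
PHISH = """\
From: Bank of America Alerts <alerts@secure-login-bofa.xyz>
Reply-To: support@mailbox-recovery.ru
Subject: Action required: verify your account

Click the link below to keep your account active.
"""

LEGIT = """\
From: Amazon <ship-confirm@amazon.com>
Subject: Your order has shipped

Thanks for your order.
"""

# Mail sent from a hacked address book arrives from the real contact's real
# domain, so a header check like this one cannot flag it.
FROM_CONTACT = """\
From: Jane Doe <jane.doe@example.net>
Subject: invoice attached

Please see the attached file.
"""

if __name__ == "__main__":
    for name, raw in ("PHISH", PHISH), ("LEGIT", LEGIT), ("FROM_CONTACT", FROM_CONTACT):
        print(name, check_headers(raw) or "no findings")
```

The third sample is the important caveat: a message that really comes from a compromised patient or vendor mailbox passes every header check, which is why the article's staff training and the attachment-handling controls matter as much as filtering.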
In 2019, White said his company began getting reports of ransomware being delivered to practices' servers through their IT managed service providers. Cyberattackers have figured out that hacking into an MSP gives them remote access to many of that MSP's clients' servers at once.
"Healthcare MSPs have become the target of choice as healthcare providers are willing to pay faster and larger amounts," White said.
The best example of this new type of attack is from August 2019 when hackers infiltrated an MSP in Wisconsin.
When PerCSoft of West Allis, WI, was attacked, about 460 dental practices around the U.S. lost access to their electronic files. PerCSoft told victims that it had obtained a key to decrypt the files, indicating that it likely paid a ransom.
Though phishing emails remain the most common vector, strikes on MSPs are increasing, according to White. DDS Rescue was involved with its first MSP hack in July 2019. From July through December 2019, the company was brought in on about one MSP attack per month; since the start of 2020, it has been seeing an average of one MSP hack per week.
"All indications are that the frequency of MSP hacks will continue to increase throughout the year," White said.
Get defensive now
No single solution exists for this very real threat, but a practice needs to take logical steps to limit its chances of falling prey to hackers.
The simple answer is to engage the assistance of a cybersecurity company, preferably one that focuses on the healthcare or dental industry. The company should provide assessments and more, according to White.
An enterprise-level, HIPAA security risk assessment should be completed and delivered to comply with the law. If done properly, this assessment will identify areas where the security of a practice's computer data can and should be improved.
Surveys are the most frequent form of HIPAA assessment. However, the Office for Civil Rights, which enforces HIPAA rules, has found these types of assessments "woefully inadequate," White noted.
The best cybersecurity partner will take it a step further than a HIPAA risk assessment and provide best practices on the following:
- Staff training in ransomware/malware avoidance
- Firewall selection and management
- Antimalware/antispyware selection
- Secure email provider selection
- Data management
Though taking these steps will greatly reduce the chances of a practice being attacked, it does not eliminate the risk completely.
In addition to creating the HIPAA-required disaster recovery plan, a cybersecurity company should provide a full backup and disaster recovery program that includes the following:
- Backup of the full server, done multiple times a day
- Daily validation of backups
- A backup system that lives outside the Windows network, so ransomware that spreads across the office domain cannot reach the backups too
- Full recovery of everything on the server within minutes
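"Daily validation" is the item most often skipped, and it is the one that decides whether the recovery step is possible. The script below is an added example, not the article's or DDS Rescue's tooling: it assumes the backup job writes a manifest of SHA-256 hashes next to each snapshot (a constructed convention), then checks that the newest snapshot is fresh enough for a multiple-times-a-day schedule, that every file in the manifest is present and unmodified, and finally that a test restore to scratch space reproduces the same hashes. The sample snapshot and the eight-hour freshness limit are constructed.

```python
"""Validate a server backup snapshot: freshness, completeness, integrity,
and a test restore. Added example with constructed data; the manifest
format and the 8-hour limit are assumptions, not the article's."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# "Multiple times a day": assume at least one snapshot every 8 hours.
MAX_AGE_SECONDS = 8 * 3600


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(snapshot):
    """Record the hash of every file in the snapshot (run by the backup job)."""
    snapshot = Path(snapshot)
    entries = {
        p.relative_to(snapshot).as_posix(): sha256_file(p)
        for p in snapshot.rglob("*")
        if p.is_file() and p.name != "manifest.json"
    }
    manifest = snapshot / "manifest.json"
    manifest.write_text(json.dumps({"created": time.time(), "files": entries}))
    return manifest


def validate_snapshot(snapshot, now=None):
    """Return a list of problems; an empty list means the snapshot is usable."""
    snapshot = Path(snapshot)
    now = time.time() if now is None else now
    problems = []
    manifest_path = snapshot / "manifest.json"
    if not manifest_path.is_file():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())

    if now - manifest["created"] > MAX_AGE_SECONDS:
        problems.append(f"stale: snapshot older than {MAX_AGE_SECONDS // 3600} h")
    for rel, expected in manifest["files"].items():
        p = snapshot / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupted: {rel}")
    if problems:
        return problems

    # Only a clean set is worth a test restore. Here "restore" is a copy to
    # scratch space and a re-hash; a real job would mount the image or boot it.
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "restore"
        shutil.copytree(snapshot, dest)
        for rel, expected in manifest["files"].items():
            if sha256_file(dest / rel) != expected:
                problems.append(f"restore mismatch: {rel}")
    return problems


def demo():
    """Build a constructed snapshot, validate it, then age and corrupt it."""
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "snapshot"
        (snap / "db").mkdir(parents=True)
        (snap / "db" / "patients.db").write_bytes(b"constructed sample database contents")
        (snap / "config.ini").write_text("[practice]\nname=Example Dental\n")
        write_manifest(snap)
        clean = validate_snapshot(snap)
        # Pretend a day has passed with no newer snapshot.
        stale = validate_snapshot(snap, now=time.time() + 24 * 3600)
        # Simulate ransomware overwriting a file that the backup set reaches.
        (snap / "db" / "patients.db").write_bytes(b"\x00" * 32)
        tampered = validate_snapshot(snap)
        return clean, stale, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "stale", "tampered"), demo()):
        print(label, result or "OK")
```

The "tampered" case is the reason the backup system must live outside the Windows network: if ransomware can reach the snapshot, the validation step reports the damage, but the only fix is an older copy it could not touch.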
"As complicated as the above may appear, it is simple and cost-effective, while preventing costly downtime due to a ransomware attack or a server failure," White said.