It's getting increasingly difficult to defend your practice from cybersecurity threats. Here’s what you should know to help you keep your patients’ private information private.
It is happening right now to a practice just like yours. Hackers are detecting vulnerabilities in a dental practice’s IT system and setting loose software that would destroy their business.
It already happened in Oregon, Wisconsin, and Texas, and that was just in the past few months. One medical practice in California is closing its doors because of a cyberattack that destroyed their data and backups. Another healthcare practice in Michigan decided to take early retirement instead of starting over after a data breach and ransomware attack.
Is your practice next? According to our experts, it might be. The threats to your dental practice data are real, and your defenses should be, too.
Per the California Dental Association, the most common threats are a data breach, malware, and ransomware. Each threat has unique characteristics and consequences for your dental practice.
Data Breach
A data breach occurs when unauthorized people access your patients’ protected health information (PHI). In general businesses, a data breach is designed to steal personal information, e.g., full names, credit card numbers, and Social Security numbers. However, in dental practices, hackers have access to PHI and financial records.
John Flucke, DDS, Technology Editor for DPR, says that when he talks about cybersecurity, people who are not convinced of the threat think the data in a dental practice isn’t valuable. He says that one person rolled his eyes and said, “Do you really think anybody cares that Mrs. Brown had a crown done on number 30?”
“And I said, no, really nobody does,” Dr. Flucke says. “But they do want all of Mrs. Brown's demographic information, her home address, her cell phone number or landline if she has it, her Social Security number, her birth date, and credit card number, and those are all in her record, too.”
What is sitting in your network is a tremendous amount of money for nefarious people, Dr. Flucke says. Experian, one of the three credit bureaus, estimates that medical records can be sold for up to $1,000 on the dark web.[1] That is why dental practices should take better care of the information: there is a lot in there that could wreak havoc in your patients’ lives, according to Dr. Flucke.
“Morally and ethically, you don't want to be responsible for that. But the other part of it is you don't want Health and Human Services getting involved in the fact that you didn't do what you're supposed to do. They're making a big deal about that, and they're assigning six-figure fines,” Dr. Flucke says.
Malware
Malware is a nickname, short for “malicious software.” It is designed to do things in your system that you do not want it to do, like damage your patients’ PHI, steal it, hold it for ransom, or crash your system. It can also be spyware or a virus. Some malware, known as Trojans, creates backdoors in your system for other malware to get in.
Here’s a quick guide to what you need to know about malware:[2]
Most malware gets into your system from emails, phishing scams, and shady websites. Experts agree that the best way to protect yourself is to be vigilant about whom you interact with online and what you click, what you download, and where you surf.
Ransomware
Ransomware is a serious and increasingly common dental practice threat. A fact sheet from the US Department of Health and Human Services (HHS) defines ransomware as malicious software that denies access to your data by encrypting it with a key only the hacker has.[3] The hacker then offers you the decryption key, but only if you pay the ransom to get it back. The hacker can also use ransomware that destroys or extracts your data.
Steve White, vice president of sales and marketing for DDS Rescue, says ransomware attacks have hit 700 offices since July 4th because of a forced hack of a managed service provider.
“We know of and have been involved with three sizable attacks,” White says. “The first attack was in Oregon and impacted 80 offices. The second that we learned of was an MSP [managed service provider] in Wisconsin and that impacted over 400 offices. The third attack was in Texas and another 70 or so offices were caught up in it.”
White says that these are only the attacks where DDS Rescue has dealt with offices involved. He has heard of at least two other sizable attacks within the same timeframe of July through September this year.
White says that the Oregon hack victims lost records when their IT provider shut its doors. Hackers know that if they can get into the MSP, they get access to the servers of all its clients.
Wood Ranch Medical in Simi Valley, CA used a backup system that most dental offices use (and have used for the past decade). They lost their backup and other data to a ransomware attack in August, and as a result, are closing their doors next month because they can’t recover from the hack.[4] Another practice in Michigan, Brookside ENT and Hearing Center, was the victim of a similar attack, and the owners decided to retire rather than rebuild.[5]
It can happen to any dental office because the most common backup system is attached to the same Windows operating system (OS) that is compromised in the attack, White says. Despite these facts, he says many practices have taken the “this won’t happen to me” attitude to these increasing threats.
“The majority, meaning easily 80 to 90 percent, are still employing the same type of security they were ten years ago. But the threats ten years ago weren’t like these; the threats five years ago compared to now are totally different,” White says.
There are three reasons that dental practices are not proactive about cybersecurity, according to White. First, practices don’t know the questions to ask. Second, they don’t know who to ask. Third, ransomware attacks are an underreported crime, so practices are not hearing about peers that have had an attack. As a result, practices don’t understand the magnitude of the threats and therefore don’t see the need for additional protection.
However, that thinking is short-sighted as these attacks may constitute a major data breach under the HIPAA regulations, White says.
“A HIPAA major data breach will cost, in the first four to six months just to recover, with no federal fines or settlement, or anything else, over $100,000,” White says. “That’s a hard number. We have not seen a single office report or an article that said anybody got out of it for less than $100,000.”
Moreover, the impact on the practice is significant when patients learn their PHI was compromised. The loss of trust is very difficult to rebuild, White says.
Two New Threats You Should be Aware of
In the Spring 2019 newsletter, the Office for Civil Rights (OCR), which is the enforcing authority for HIPAA compliance for the HHS, explains two new threats dental practices face: Advanced Persistent Threats and Zero-Day Exploits.
Advanced Persistent Threats
When it comes to cybersecurity attacks, the Advanced Persistent Threat (APT) might be described as the hacker’s “long game.” An APT isn’t necessarily advanced or highly technical, but it is a persistent and continuous effort to find vulnerabilities in your system. The end goal is to steal information or disrupt operations.[6]
Attackers employing an APT will often change tactics to avoid detection, which the OCR says makes them a formidable threat. Healthcare services are a target because the data they have is valuable on the black market and can bring in top dollar to the person who has it through corporate interests in innovation, identity theft, and even blackmail in some cases. APTs have been part of many cyberattacks in the U.S. and around the world.
Zero-Day Exploits
The OCR describes the Zero-Day exploit as “one of the most dangerous tools in the hacker’s arsenal.”[7] A Zero-Day Exploit is when hackers learn that developers have discovered a new weak point in their security, and hackers take advantage of it before developers publish the fix in an update.
The nature of the attack is more difficult to detect than the standard attacks, according to the OCR. As a result, they emphasize the importance of a security management process for any organization with PHI to protect. Encryption and access controls could also prevent these vulnerabilities from becoming a breach.
These two threats resulted in some billion-dollar infections of malware. One of the most significant victims was the United Kingdom’s National Health Service (NHS). The NHS had 70,000 devices infected with malware, and it disrupted patient care and other services.[8]
Regarding threats, it is time for dentists to pay attention, White says. These threats are not getting any easier to deal with, and it’s only going to get more complicated.
“The types of defense used ten years ago, or five years ago, won't defend against the threats of today, much less tomorrow. You have got to review all aspects of your cybersecurity, of your data protection, and you have to take it seriously, because it is extremely damning when you get hit,” White says. “If you don't believe me, ask the 80 offices in the Portland area that just went through a very difficult couple of months.”
Sources:
[1] Stack, Brian. “Here’s How Much Your Personal Information is Selling for on the Dark Web.” Experian.com. 6 December 2017. Web. 6 November 2019. <https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/>.
[2] Regan, Joseph. “What is Malware? How Malware Works & How to Remove It.” Avg.com. 11 July 2019. Web. 6 November 2019. <https://www.avg.com/en/signal/what-is-malware>.
[3] “Fact Sheet: Ransomware and HIPAA.” Hhs.gov. Web. 6 November 2019. <https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es>.
[4] “Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack.” Hipaajournal.com. 30 September 2019. Web. 6 November 2019. <https://www.hipaajournal.com/wood-ranch-medical-announces-permanent-closure-due-to-ransomware-attack/>.
[5] “Michigan Practice Forced to Close Following Ransomware Attack.” Hipaajournal.com. 2 April 2019. Web. 6 November 2019. <https://www.hipaajournal.com/michigan-practice-forced-to-close-following-ransomware-attack/>.
[6] “Spring 2019 OCR Cybersecurity Newsletter.” Hhs.gov. Web. 6 November 2019. <https://www.hhs.gov/sites/default/files/spring-2019-ocr-cybersecurity-newsletter.pdf>.
[7] Ibid.
[8] Ibid.