Steve White discusses the No. 1 threat to your patients’ data—cyberattacks—and how to tell if your practice is protected.
Q: Are dental offices at risk of ransomware?
A: Yes, dental offices and all healthcare providers are under cyberattack, and the rate and sophistication of these attacks are rapidly increasing!
Healthcare was the No. 1 industry attacked in 2019. In 2020, the number of successful attacks more than doubled, and 2021 is on pace to again more than double the number of episodes before the year’s end.
Yet, at this point, the most frequent comment we hear from offices is, “I’m just a single practitioner, too small for anyone to bother with.” If this is you, please take note: No healthcare provider, large or small, is exempt from these attacks.
Cyberattacks are executed by sending very sophisticated emails to thousands of providers at a time. These phishing emails are camouflaged as a company or individual that you trust. They frequently disguise themselves as your bank, a referring office, a trusted patient, or even your local police department.
In each case, the emails give you a motivating reason to click on a link or download a file. Once you do either, you will have launched a ransomware attack into your office network that will encrypt key files and prevent you from being able to work. You won’t even know who is scheduled to walk through your door.
Ransomware is the largest and fastest-growing threat to the security of your patients’ data. The FBI and Office of Homeland Security have sent out alerts regarding the significant increase in ransomware attacks on healthcare providers this year.
Q: How has this impacted dental offices?
A: It is conservatively estimated that more than 50% of all breaches reported over the past 2 years were due to hacks by ransomware.
A ransomware attack will cost you days in downtime and a possible loss of patients’ data if your office is not adequately prepared. Even if you agree to pay the ransom, which is now running $10,000 and up, you can expect to be down for several days.
You still may not be out of the woods even if you successfully get the key to decrypt your data. A significant percentage of offices hit by ransomware find a second and even a third layer of encryption that will require an additional ransom to be paid before your data is entirely freed and usable.
Recently, the crooks have added a new twist. They extract patient files and use them as leverage to motivate you to pay more and pay quickly. Additionally, there are multiple reports of medical offices that have had their patients contacted directly by the criminals in an attempt to extort money from the patients as well as from the doctor.
You may be thinking that as long as you have your data backed up, you can avoid having to pay the ransom. The criminals know this and have developed their software to include your backups in the attack. They search your Windows network, looking for attached hard drives, network-attached storage (NAS) units, and even mirrored servers and attack them with the same encryption as your server. Seventy percent of the backups for small and medium businesses hit by ransomware failed, according to a report done by IBM.
Also, reporting a breach to the US Department of Health and Human Services is only part of the HIPAA Breach Notification Rule. If you are not familiar with this rule, you should be. A major HIPAA data breach is costly to your practice in time, money, and reputation.
Q: What can a dental office do to prevent becoming a victim of ransomware?
A: The first thing that one needs to know is that there is no magic bullet, no single step that can be taken to protect against a ransomware attack.
To build a successful cyber defense, you need to utilize a layered security approach that begins with your email provider, includes a number of technical and administrative safeguards, and ends with a recovery system that does not get caught up in the attack.
Q: Where do I begin?
A: First, find out what security you presently have on your network and where security is lacking and may need to be improved. Then, develop a plan for how to accomplish good, sound cybersecurity.
Q: How can I get this done?
A: Simple—have a third party run a proper risk assessment on your office network. It should identify what security you presently have and where it is lacking, and provide a management plan for how to deal with any and all areas of deficiency. A proper assessment would also take care of the HIPAA requirement that a risk assessment be run on your network at least once every 12 months.
This assessment can be done remotely to avoid disturbing any work being done on your computers. The results of the assessment should be reviewed with you in detail to ensure that you understand the findings and the options available to address any and all deficiencies. A copy of the risk assessment and the management plan must be provided to your office to be HIPAA compliant.
You can properly protect your patients’ data easily and cost-effectively. You simply need to follow the cybersecurity process: assess, adjust, monitor, repeat.
Take your first step to cybersecurity. Get a proper HIPAA risk assessment now!
DISCLOSURE: Mr. White is vice president, sales and marketing at DDS Rescue. He can be reached at ddsrescue.com.