As state and federal officials implement increasingly strict mandates for non-essential workers during the COVID-19 pandemic, dental practices must adapt. Often, this means that employees, especially administrative staff, are transitioning to working from home. With this change comes a new slew of cybersecurity concerns that must be addressed to ensure the protection of private practice and patient data.
If your practice is closing physical operations and moving to a remote workforce, it is imperative that you follow proper safeguards to create a safe digital environment. Government agencies are issuing warnings specifically regarding businesses and practices that are turning on remote access to their systems to assist with business continuity, as cybercriminals are now launching COVID-19 specific cyberattacks.
Once hackers gain access to your network through a remote connection, they can easily deploy ransomware and/or steal valuable patient data, resulting in a breach and loss of business operations. To protect all employees, as well as the sensitive patient data that they are accessing remotely, be sure to follow best practices for remote access.
Setting Up Remote Work Access
Arranging safe and effective ways for dentists and team members to access the office from home is a crucial first step. It is important to consider:
- Unless your IT personnel clearly understand the risks associated with using Remote Desktop Protocol (RDP), do not allow them to install it. RDP is a highly exploitable technology that is a primary target of cybercriminals.
- Use remote control software that allows you to “log in” to a computer at your office.
- Make sure the remote control software uses multi-factor authentication (MFA), which makes it more difficult for a cybercriminal to hack into your system. MFA authenticates your login through a text message sent to your cell phone or through an app on your phone.
If your practice requires assistance in setting up a safe remote access network, consider working with an experienced cybersecurity company (remotely). Cybersecurity experts can advise if your software and encryption tools are up to date and even attempt to safely break into your network to expose any vulnerabilities that should be addressed.
Adding Essential Cybersecurity Protections
Something as basic and simple as implementing strong passwords (those that incorporate multiple words, numbers, and special characters for authentication) into both your remote control software and remote and host computers can make a big difference when it comes to cybersecurity. You can take these and other small but important steps to add extra layers of protection to your remote setup:
- If you’re using a virtual private network (VPN), confirm that your IT vendor has updated all the VPN software. As of just a few months ago, many VPNs had vulnerabilities that could allow a breach to occur.
- Double-check that all remote and host computers are running the latest version of Windows 10 or macOS.
- Make sure all remote computers have antivirus software installed and the virus definitions are up to date.
- For Wi-Fi enabled devices, use the strongest encryption protocol available. WPA3 is the newest. At a minimum, you should be using WPA2.
- Do not allow family members to access any device that is used to remote into a work computer.
- Make sure you lock the computer before you walk away from it. On a Windows computer, this can be done by pressing the “Windows” key and the letter “L” at the same time.
Don’t Back Out of Backing Up
Having a complete and valid backup during a crisis is the first step of a disaster recovery plan. Way too frequently, practices find themselves in a precarious situation when they try to recover their data after a cyberattack or computer system failure and realize the backup data is missing or incomplete.
Work with your IT vendor to ensure that all your data is being backed up and that recovery of the data is possible. It is also essential to make a backup of all existing data before closing the practice’s physical location, including x-rays and imaging, patient databases, attachments, and financial systems. This information should be saved to an encrypted external hard drive that is stored offsite for additional security.
Be Aware of Phishing Attacks and Social Engineering
Cybercriminals are now using the current COVID-19 crisis as a way to attack systems. Be extremely careful with any email related to COVID-19: these attacks rely on human error to download malicious code onto the device and/or network. These phishing emails are designed to lure the recipient into clicking on links or attachments that may seem relevant to the current situation.
Signs of a COVID-19 phishing email may include:
- A link to a “heat map” showing infection areas or rates
- A link to a fake government or state agency designed to look real
- A link to a government or state agency with a legitimate name but a fake hyperlink
- A warning to download a document related to COVID-19
- A link to a hospital or other healthcare institution
Use extreme caution when you receive these types of emails, and always use the link-hovering technique to verify a link’s destination. To hover, place your mouse over the link or image without clicking and check the URL (web address) shown in the bottom left corner of your screen. If the URL doesn’t appear legitimate, don’t click it, and delete the email immediately.
Protect Your Practice and Patients Proactively
During these unsure and stressful times for your dental practice, it’s easy to overlook details that may seem smaller or insignificant. By taking proactive measures to protect your practice and patient data, you will have a smoother transition to a remote workplace while protecting your practice’s reputation for the future.
Mr. Salman is CEO of Black Talon Security, a company in Katonah, New York, specializing in cybersecurity solutions and HIPAA compliance for dental and healthcare companies. He has more than 28 years of experience in dental information technology and software design. He also lectures locally and nationally on the topics of cybersecurity and HIPAA.