Dental practices are typically busy, small businesses, with limited time to focus on cybersecurity. Yet along with all those fluorides that do not taste as advertised, they manage and store personal and sensitive information. This is exactly the type of information cybercriminals desire. For today’s dental practices, cybersecurity can be challenging, but it is essential. This article examines top threats and best practices to strengthen security posture.
The dental office that thinks “we’re too small” or “no one would want to hack us” is mistaken. Consider these three examples:
- A ransomware attack at Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) last September risked data for an estimated 80,000 patients.
- A Delta Dental of Arizona employee fell victim to an e-mail-based phishing scam that compromised nearly 13,000 people’s identifying information.
- Affected clinics of an Alabama not-for-profit provider of children’s optical and dental services were closed for two weeks after a ransomware attack exposed more than 390,000 patient records.
Ultimately, dental practices face several types of cyber vulnerabilities. Here are key trends to watch.
Cyber Risks for Dental Practices
Email fraud is always a problem. For example, members of the American Dental Association were targeted in 2019 by a sophisticated phishing campaign designed to appear as if the ADA President was personally contacting them. The email included an attachment with the official ADA logo, and closely mimicked communications members were used to receiving.
The motivation behind many cyberattacks? Profitable gains for the criminals. Therefore, ransomware continues to be an ongoing concern. Following a disruptive 2020 for dental practices, with revenue declining, businesses cannot afford to have to pay for access to their own data and systems.
Dental practices also rely on many networked devices. The practice management software, electronic medical records, digital X-ray machines and other technology in the office are all possible points of exposure. Additionally, staff may use their personal devices onsite, which presents another source of compromise.
Driven by the pandemic and the need for “work from home” solutions, cloud computing and remote workstations gained momentum. Yet, some of the biggest breaches of 2021 have been tied to third-party vendors offering cloud platforms (e.g. Ubiquiti or SolarWinds breaches) or remote access through Microsoft Exchange’s server.
Suffering an information system security breach exposes a dental practice to health compliance regulatory fines and litigation risks. Downtime is costly, and notifying patients that their private, personal data is at risk can damage business credibility. The good news? There are actionable best practices businesses can take to harden their cybersecurity, today.
Best Practices to Mitigate Cyber Risk
My surgeon father often shared with me the importance of patient compliance. In dentistry too, successful patient outcomes require adherence to the professional’s recommendations. Similarly, cybersecurity depends on best practices and disciplined adherence.
Successfully securing IT, like healthcare, requires support from everyone connected to the system. Make cybersecurity a personal matter, and thus a priority, by connecting it with the mission to deliver patient care. A cyber breach could wreak havoc on a practice, threatening job security and stability.
Educating employees about cyber risks can reduce exposure to email scams or ransomware attacks. Staff should be encouraged to fortify their personal passwords, too. Users are still repeating access credentials across accounts or employing obvious passwords such as “letmein” or “12345678.” No kidding.
If an office offers patients guest Internet access, that network should be separated from secured business systems. For those who do have access to a secure network, take a least-privilege access approach. This means only allowing people access to the tools and technology needed to do their jobs. For instance, an office administrator does not require access to the patient X-rays. Restricting access on a needs basis can limit the reach of an attack if breached.
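The short audit below is an added example, not part of the original article or any vendor's product. It compares what each account can reach with what its role needs and shows how far a stolen login reaches before and after access is trimmed. The role names, resources and accounts are all constructed assumptions.

```python
# Added example: least-privilege audit for a small practice.
# Every role, resource and account name here is constructed for illustration.

# Assumption: the resources each role needs to do its job.
ROLE_NEEDS = {
    "office_admin": {"scheduling", "billing"},
    "hygienist": {"scheduling", "patient_charts", "xray_images"},
    "dentist": {"scheduling", "patient_charts", "xray_images", "prescriptions"},
}

# Constructed sample: what each account can actually reach today.
ACCOUNTS = [
    {"user": "front-desk-1", "role": "office_admin",
     "granted": {"scheduling", "billing", "xray_images", "patient_charts"}},
    {"user": "hygienist-1", "role": "hygienist",
     "granted": {"scheduling", "patient_charts", "xray_images"}},
    # A role nobody defined: deny by default, so every grant counts as excess.
    {"user": "temp-1", "role": "temp",
     "granted": {"scheduling", "billing"}},
]


def excess_access(account, role_needs=ROLE_NEEDS):
    """Resources granted beyond what the account's role needs."""
    return account["granted"] - role_needs.get(account["role"], set())


def audit(accounts, role_needs=ROLE_NEEDS):
    """Map each over-privileged user to the grants that should be removed."""
    findings = {}
    for account in accounts:
        extra = excess_access(account, role_needs)
        if extra:
            findings[account["user"]] = sorted(extra)
    return findings


def reach_if_breached(account, least_privilege=False, role_needs=ROLE_NEEDS):
    """Resources exposed if this account's credentials are stolen."""
    if least_privilege:
        return account["granted"] & role_needs.get(account["role"], set())
    return set(account["granted"])


if __name__ == "__main__":
    for user, extra in audit(ACCOUNTS).items():
        print(f"{user}: remove access to {', '.join(extra)}")
```
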
One of Calyptix’s partners, CompuCarolina, which provides IT services to dental practices, recently shared a case where a dental customer had such high levels of virus activity that its Internet service provider suspended its access. Further exploration revealed the practice was using an unprotected, off-the-shelf router.
And last, but certainly not least, make cybersecurity a routine habit. This should include changing the default passwords for all connected office devices, and consistently upgrading and patching systems and software. Software patches correct security flaws, called vulnerabilities, which are the primary vector hackers exploit to steal data, inject ransomware and compromise systems. Software vendors are tasked with fixing discovered vulnerabilities just like dentists discover and fill cavities. Some vendors provide automatic patching while others require customers to install patches manually. Patching software and filling cavities may be annoying and periodically time-consuming, yet that inconvenience and modest cost of prevention pale in comparison to the ultimate consequences of leaving a software vulnerability or cavity unattended.
Protect Your Practice with an IT Partner
Dental practice owners and administrators are busy trying to improve patient outcomes and drive the business bottom line. However, cybersecurity can’t be a “nice to have” that keeps getting pushed down the practice to-do list. With HIPAA compliance and business reputation on the line, dental practices should not overlook the importance of securing networks and systems.
Partnering with an IT services provider or setting up a purpose-built all-in-one solution for network security and management can help block threats like hackers, spam, and malware while keeping connections fast and reliable.
Working with an IT expert can also help differentiate the importance of various types of data. For instance, patients’ feedback survey responses are not as critically important to secure as personally identifying information and credit card account numbers.
The ADA reports that more than one in five adults have not seen a dentist in several years. Don’t give them another reason to fear the dentist. Protect your practice from cybersecurity attacks.