You have a full day ahead of you, patients scheduled back-to-back, and your assistant has already called out. It’s going to be a tough day, but not unlike others you’ve had. Or is it?
Imagine walking into your office and being met with chaos. Your staff can’t open your practice management program…or your images, or email, or anything at all for that matter. There must be a simple explanation. Then you see it: a message on all the computers demanding money to get your data back.
This. Is. Ransomware.
It’s not a joke or an ethereal idea that only happens to other organizations. It’s real, and it’s an imminent threat to all dental practices.
How is dental information worth anything to cybercriminals? Dental practices have a treasure trove of information. Think about the information you collect from your patients; name, birthdate, social security number, insurance information, address, email–and that’s just to open a patient chart and bill. What about everything else–health history, medications, and medical conditions. Then the patients’ private information such as divorce or personal struggles, the clinicians’ documents to help the team interact appropriately with the patient or family members? Cybercriminals are like modern-day pirates; they can and will sell anything.
How do I know?
Why should you believe me? Besides the fact that I have person- ally managed the aftermath of almost 150 data breach investigations, I have also been the victim of identity theft and understand firsthand what happens when someone undervalues dental x-rays.
A decade ago, I had orthognathic surgery. With all that fun, I also received a letter stating that the imaging center that took my panoramic images was involved in a data breach. I later learned the front desk person was nervous about some changes and made an unauthorized copy of all X-rays saved to an unencrypted thumb drive and lost it. More than a decade ago, cybercriminals wanted this information. Can you imagine what they are doing with that same information now? All these years later, my jaw has healed, but my identity is still for sale.
Two types
While my identity was compromised because of human error, most data breaches are now caused by ransomware. This type of computer malware locks your files by encrypting them, giving you two choices–if you’re smart–either revert to a back-up or pay the ransom. This ransomware encrypts data in place, meaning the data remains in your system. If you revert to a back-up or pay the ransom–no harm, no foul, as the cybercriminals never “took” your data.
Unfortunately, as we get wiser and increase our standard of care, so do the criminals. Newer versions of ransomware extract the data out of your office. You can still revert to a back-up to get your practice up and running quickly, but the cybercriminals now have your data in their possession and will sell it on the dark web without the extortion payment. BAM! Immediate Data Breach and a call to government agencies. Crazy, right?
On top of all the madness during the last 18 months, hackers took full advantage of the chaos the pandemic brought and attacked healthcare like never before. It worked–more data breaches, especially ransomware, happened in 2020 and 2021 than previously in the healthcare sector. Our business personally saw a 600% increase in attempted attacks on secured dental practices amongst our clients. Six hundred percent! Let that sink in. Fortunately, nothing got through on our client’s systems, but the sudden increase caused many sleepless nights.
What should I do or rather not do?
How does ransomware get in? The answer is People. Whether intentional from a cybercriminal, accidental from a vendor, or unknowingly by someone else, it’s always people. The majority of ransomware is from emails. Phishing emails (no, not fishing; but similar and not as enjoyable) attempt to trick you into opening a link that will run the ransomware program.
Gone are the days when you could quickly identify scam emails. No more “I’m a Nigerian prince and need to get millions out of my country” emails.
Now they are cleverly crafted and mimic places you interact with, such as your bank or Amazon. I recently received one from “Amazoon” with a link for returning an item. I was speeding through my inbox in my hurried state of life and stopped because the spelling wasn’t correct.
I did have a return to Amazon pending, but that is not how Amazon returns work.
These Phishing emails could also use a tactic called “Spoofing.” This means the name shown in the email could be correct, spelled correctly, and have a valid address, but it isn’t from said person or entity. So how do you know what you can trust and what you can’t? Simple, be studious. Make sure everything is accurate, and when it appears correct, make sure the phrasing in the email ‘sounds like’ that person. If there is a question, call them; and don’t open an attachment if you aren’t expecting anything from the sender.
Frenemy?
As if these weren’t enough, additional threats could come from vendors. Dental software has come a long way but still has so very far to go regarding security. Many programs leave back doors open to allow third-party vendors to provide their services. This is a red-carpet invitation to cybercriminals.
Unfortunately for the practice, this is extremely difficult for you to diagnose and treat. This is one of those situations in which you need to have a sit-down conversation with your IT management team. If they can’t, or don’t know how, to protect you, find one who can.
Frenemy: an oxymoron term described as “a person who combines the characteristics of a friend and an enemy.” Sadly, this could be one of your vendors. I have repeatedly seen vendors use their access, cause an incident, and don’t tell you they had a breach.
How are you supposed to manage something you don’t know? What about your BAA? You know, your Business Associate Agreement? The agreement you should have for all entities that have access to your ePHI. It describes in detail what is expected of each entity when, or if, a breach happens. If your vendor causes a breach and you don’t have a BAA, or worse, you signed one that doesn’t hold the vendor accountable; you are on the hook for everything.
Everything falls on you; the mitigation of the breach, the investigation, the patient lawsuits and in worst case scenarios, fines.
Bottom line, you need to vet your vendors, ask the hard questions, and hold them accountable. If you don’t know how or what questions to ask, engage your HIPAA Consultant and Managed Service Provider (MSP); that’s what they are there for–to help you! If they don’t know, or won’t help, find one who will. (Seeing a pattern?)
Clear as mud
You are now further educated, but my guess is you have more questions than answers.
That is OK! It means you are aware, and that is the first step. What are the other steps? First, grasp the idea you can simplify security with the concept of People, Process, and Technology. Next, educate yourself and your staff, secure your infrastructure, utilize basic business best practices, institute a standard of care (just as you do with patients), and review and revise your insurance.
A wise colleague and dental consultant talks about “courageous conversations”. This is one of those. Have these courageous conversations with your MSP or IT person, your vendors, and your team. Find out if you are employing Basic Business Best Practices: Antivirus/Malware, Patching, Firewall, and Back-ups. Of course, there is so much more: Wifi security, the Internet of Things, Two-Factor Authorization, and business-grade encrypted email, to name a few. Keep in mind that anything less than the Basic Business Best Practices is considered negligent by the Health and Human Services (HHS) and the Office of Civil Rights (OCR). This could mean potential fines, yes, but worse, mitigation costs and furious patients would severely impact the operation of your practice. Many consultants and educators focus on fines, which is always a possibility, but in my experience, that’s the least of your worries. Mitigation costs–notification letters, attorneys, and computer forensics along with patient lawsuits–quickly overwhelm.
Predictable failures
In the event you do everything right, an accident could still happen, and you might find yourself in the middle of a breach investigation. This is why I say we must predict failures. Not that we plan to fail, but accidents do happen–that is why they are called accidents. The goal is to make a plan for the failures you expect and minimize the fallout by putting a bubble around how bad it could be. The old adage “Hope for the best, but plan for the worst” comes to mind. Now, instead of a worst case scenario, you have an actionable plan and your incident is a minor inconvenience rather than a major catastrophe.
Your last line of defense is cyber insurance; this is NOT your General Liability or Malpractice Insurance. Cyber Liability Insurance is a standalone policy covering significant costs associated with the aftermath of a cyber-attack. Depending on the policy, it may include attorney’s fees, investigation costs, government fines, credit card company penalties, notification costs, consumer credit monitoring services, repairing IT equipment, restoring data, and more. It is important that this policy covers cyber crime and cyber extortion.
While this coverage is great, don’t treat it like a get-out-of-jail card. The industry has changed due to the number of breaches in recent years. Carriers have higher barriers to entry and many ways to exclude claims from being paid out. If you are doing less than Basic Business Best Practices, expect to pay through the nose or get denied.
Lastly, don’t freak
You didn’t sign up for this as a dental professional. It was never in your job description to now have to be a quasi geek. The reality is that cybersecurity is here and it’s a problem for dental. The good news is that you can do something about it.
Amy Wood, HSCISPP is CEO of Copper Penny Consulting, LLC and President of ACS Technologies, LLC. She is an educator and consultant specializing in HIPAA, Data Breaches, and Cybersecurity for the dental community. She maintains multiple certifications and association memberships, actively working with groups to continue improving the standard of care for dental practices, IT Providers, and the healthcare industry in general. Working alongside her husband (the geek behind the scenes), they juggle two businesses, three daughters, two cats, and a lizard.
Amy can be reached at education@copperpennyconsulting.com