Cybersecurity expert and CEO Gary Salman explains how to keep a dental practice from being an easy target
by Gary Salman
A practice is a perfect target
It seems that you can’t turn on the TV or visit your favorite news website without reading about how cyberattacks and ransomware are crippling businesses and health care entities across the United States.
Unfortunately, dental practices are now becoming the victims of similar attacks. We often hear dentists say, “Why would they want to come after my practice?” Your practice is being targeted because of the vast amount of data you store; practices store a wealth of very important information that can be used for identity theft and blackmail purposes—things like patient names, addresses, dates of birth, Social Security numbers, names of family members, scans of driver’s licenses and insurance cards, health history forms, 2D and 3D images, and lab reports. To hackers, this information is a treasure trove of data and easily allows them to perform identity theft on your patients or sell the data on the dark web (the black market of hackers).
In addition, we’re now seeing scenarios where dental practices are targeted because their IT company or even their accountant’s office was hacked, and the criminals then use this data to attack or target their practices. It’s important to understand that the days of simply relying on firewalls and antivirus software to keep hackers out of your network are over. If these tools were so effective at protecting data, there would be no data breaches. As hackers have grown more sophisticated, they can now deliver payloads that completely disable your antivirus software and allow unauthorized access to your network.
Cybercriminals are targeting practices through phishing or spear-phishing campaigns; the hackers will send blanket or targeted emails to you and your staff with the intent of getting someone to either click on something or give up the credentials to your network or email system.
Our company has seen many instances where a practice’s email system gets hacked and the hackers then send out emails to the practice’s patients with malware attached to them. Hackers are getting very creative to trick you into opening emails or attachments, aka “hacking the human.”
Keep an eye out
For example, they will send an email that appears to be from someone you know, but change the letter L to the numeral 1 (and it can be difficult to spot the difference between “l” and “1”!) or use a “0” instead of an “O.” They’ll send attachments with an “.exe” extension instead of a “.doc” extension, or they’ll steal your username and password by sending you a “password reset” email that appears to be legitimate.
When an office is busy, the doctor or staff member may not pick up on these small changes, but if they click on the emails and open attachments, it can lead to disastrous results.
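As an added illustration (not part of the original article), the checks below show how a mail filter can catch the tricks just described: a sender domain that matches a known contact only once "1" and "0" are read as "l" and "o," and an attachment whose real extension is executable. The trusted domains, function names and sample message are assumptions made up for this example.

```python
import os
from email.utils import parseaddr

# Assumption: domains the practice really corresponds with (constructed names).
TRUSTED_DOMAINS = {"smilelab.example", "toothlab.example"}

# The digit-for-letter swaps the article describes: "1" for "l", "0" for "o".
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})

# File types that run code when opened, unlike a .doc invoice or referral.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def skeleton(domain):
    """Map look-alike digits back to the letters they imitate."""
    return domain.lower().translate(LOOKALIKES)


def is_lookalike(domain):
    """True if the domain is not trusted but reads like one that is."""
    if domain in TRUSTED_DOMAINS:
        return False
    return skeleton(domain) in {skeleton(t) for t in TRUSTED_DOMAINS}


def risky_attachment(filename):
    """True if the final extension is executable; this also catches names
    such as 'invoice.doc.exe' and trailing dots or spaces added to hide it."""
    ext = os.path.splitext(filename.lower().rstrip(". "))[1]
    return ext in EXECUTABLE_EXTS


def review_message(from_header, attachments):
    """Return a list of human-readable warnings for one message."""
    findings = []
    domain = sender_domain(from_header)
    if is_lookalike(domain):
        findings.append(f"look-alike sender domain: {domain}")
    findings += [f"executable attachment: {n}" for n in attachments
                 if risky_attachment(n)]
    return findings


# Constructed sample: "1" stands in for "l", and the invoice is really an .exe.
print(review_message('"Smile Lab" <billing@smi1elab.example>', ["Invoice.doc.exe"]))
```

A check like this only covers the two digit swaps named above; it does not inspect the display name or the contents of the attachment.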
The debilitating effects of a cyberattack can include loss of productivity and business continuity, a lack of trust by your patients, a loss of referrals, and negative PR in the community where you worked so hard to build your reputation. Imagine patients opening an email and clicking on what appears to be an invoice, but then getting hit with ransomware or malware. (Ransomware is malicious software designed to block access to a computer system until a sum of money is paid. Malware is software specifically designed to disrupt, damage or gain unauthorized access to a computer system.)
Hackers are also breaking into your network through vulnerabilities (“unlocked doors and windows”). They can gain access to your data through any type of device with an IP address—not just workstations and laptops, but also servers, printers, digital picture frames in your office, VoIP phone systems, smart TVs and security cameras.
Do your due diligence
Even worse, sometimes they might hack your IT vendor: Remember that IT companies are not cybersecurity companies. You often need the knowledge and expertise of a specialist in cybersecurity to help ensure the security of your network. Hackers can scan your network for vulnerabilities in a matter of minutes, then identify and exploit these vulnerabilities in order to gain access. This approach in the dental space is much more common than you may imagine.
The FBI and Department of Homeland Security posted a bulletin in the fall of 2018, warning IT vendors that advanced persistent threat actors—often known by the initials APTs—are targeting IT firms to exploit their information to attack their clients. Because IT vendors typically store their clients’ IP addresses, usernames and passwords in their databases, a breach could give cybercriminals the “keys to your castle.”
Make sure to take defensive measures to help protect your network and critical patient data. It’s important to work with a qualified cybersecurity company that can:
- Perform an audit of your existing policies and procedures.
- Provide you with quarterly vulnerability scans of your network.
- Conduct live employee training to educate your staff on the latest threats and how to prevent them.
- Have penetration testing conducted on your network.
The good news: If you take action now, you can reduce the odds of being the next victim of a cyberattack.