Cybersecurity in the Dental Office: A Holistic Approach

Gary Salman

Over the past 20 years, an evolution in computer technology has taken place in the dental practice. In the beginning, computers were used simply for recordkeeping and billing. Then came the progression from billing to appointment scheduling, digital radiography, EMR/EHR, and now, digital dentistry. As the amount of data stored in systems has increased, so has the frequency and sophistication of cyber attacks. The days of simply relying on a firewall and antivirus software to protect the practice's network and patient data are over. The reality is, if these devices were so effective at protecting networks from breaches, there would be no data breaches.

The technology landscape has shifted dramatically in the past 12 to 18 months, and hackers are setting their sights on healthcare entities, now more so than ever before. Practices across the country are being impacted by ransomware and malware attacks that shut down and compromise networks. To combat these sophisticated attacks, practitioners need to take a holistic approach to cybersecurity.

The first step in reducing exposure and threat risk is to carefully evaluate the practice's systems. These systems are not just IT-related; they also include dentists and staff, policies and procedures, and training. Having a holistic approach enables careful analysis of every aspect of the practice's infrastructure and identification of risks and vulnerabilities that might enable a hacker to gain access to the practice's systems. Implementing effective security measures requires buy-in from all the practice stakeholders, including the dentist.

Cybersecurity Audit

The holistic concept entails various components. The first is a cybersecurity audit. During this audit, a cybersecurity company works closely with the practice and its IT company to understand the complete landscape of the practice's IT footprint. The cybersecurity company asks questions regarding where and how data is stored, what protocols are in place to protect the data, and how it is accessed. Are there remote team members? Does the practice contract with a billing company that "logs into" the practice's network? Do doctors leave the office with devices that store ePHI (electronic protected health information) leaving the practice exposed if the device is stolen or lost? Is ePHI transmitted and stored using encryption technologies to protect the data?

Perhaps the most vulnerable components of a network are the people using it-the dentist and staff. Social engineering, often referred to as "hacking the human," is the most prominent threat vector impacting practices and is often the least discussed. As advancements are made in security, hackers begin to rely increasingly on humans making mistakes. For example, most ransomware attacks are initiated via spear phishing, which is designed to fool an email recipient into opening an email that appears to be coming from someone they know or trust. An email may be sent to the staff, purporting to be from the dentist, asking them to open an attachment or click on a link to update or download something. Once they initiate the action, an executable file may run, which is a ransomware attack. The ransomware typically encrypts the current computer and then searches the network for other machines. Once it finds the server, depending on the complexity and lethality of the attack, the ransomware will encrypt most or all of the files on the server. This results in the files becoming inaccessible to anyone, unless you pay the ransom to the hackers to have the data decrypted. This is typically done using a cryptocurrency such as Bitcoin or Monero. Often, however, you may not get the files back anyway, and if they are returned a timebomb attack may be set up that will impact the files again shortly thereafter. The hacking should be reported to law enforcement authorities.

As part of the HIPAA Security Rule, covered entities (ie, your practice) are required to undergo cybersecurity awareness training to help mitigate the risk of human mistakes and minimize the chances of being exposed to an attack. Recent data points to a 50% to 75% reduction in cyber attacks against healthcare entities that properly train their staff.

For a ransomware or a network breach to occur, a network typically needs to have vulnerabilities. Examples of vulnerabilities include unpatched operating systems, outdated equipment, weak passwords, open ports on computers or firewalls, unsecure network protocols, and improperly configured firewalls. Cybersecurity firms search for "open doors and windows" on your network that hackers use to exploit. Hackers utilize various technologies and payloads to find weaknesses in your network and then execute attacks against them. Cybersecurity companies can deploy tools on your network that scan every single device with an IP address for known vulnerabilities. These tools quickly gather information on your network and run tests against the devices searching for vulnerabilities. This data is then turned over to the practice's IT company for remediation purposes, and the IT company can effectively lock the "doors and windows." Cybersecurity companies invest heavily in best-in-class vulnerability scanning technologies that can detect thousands of vulnerabilities on a practice's network. Testing should be performed quarterly or whenever network devices are upgraded, modified, or added.

Penetration Testing

The next step of the holistic cybersecurity approach is penetration testing, which utilizes a "white-hat hacker" (ie, an ethical hacker) who uses the same tools, techniques, and protocols that a cyber criminal would use to try and "break into" your network. Unlike a vulnerability scanner, an ethical hacker has the capacity to problem-solve during the testing. For instance, a vulnerability scanner will get to a locked "window" and not know how to progress. Essentially, it stops and moves on to something else. A hacker, based on his/her experience, will see that the "door" is locked but may run a certain script to pop the door open. Ethical hackers use their experience to exploit networks in a way an automated tool simply cannot. After ethical hackers finish their testing, they turn over all of their findings to your IT company so they can mitigate the risks.

Another critical component of cybersecurity is having (and being able to implement) a disaster recovery plan. If your practice management and imaging servers are disabled in either a ransomware attack or a natural disaster such as a fire, a plan should be in place to bring the critical servers back online. This is not as easy as simply pressing a button and restoring the data. It may take a long time to order a new server, and still more time to configure the server, install the practice management and imaging software applications, and then restore the data. If a practice is running 3D imaging solutions, its data is probably substantial and may require more than a few hours to restore.

In addition, performing a simulated disaster recovery means taking the server offline, bringing in a new server, and restoring the data. This process usually takes 3 to 7 business days, which would certainly disrupt the continuity of a dental practice. Fortunately, your IT company can provide a device that backs up your data locally and to the cloud and can perform this backup multiple times throughout the day. Thus, from a restoration standpoint, data may be able to be accessed quickly in the event of an attack; however, for catastrophic events such as fires and floods, a cloud restoration may be needed.

The Cost of a Breach

The US Department of Health and Human Services has strict guidelines in place regarding what needs to be done to protect your patient's records. In the event of a data breach, the Office of Civil Rights will be notified and will conduct an investigation into the breach. It will want to see proof that the practice has complete HIPAA documentation in place and has provided HIPAA and cybersecurity training, and will ask what has been done to harden the practice's network. Also, 49 states now have their own breach notification laws, some of which are more stringent than the federal government's.

The cost for mitigating a breach can run into the hundreds of thousands of dollars and may result in a significant loss of patient trust. Fortunately, if a practice implements sound cybersecurity solutions, trains its staff, and puts a hyper focus on security, almost all attacks can be thwarted.

About the Author

Gary Salman
Chief Executive Officer, Black Talon Security, Katonah, New York; Former US Director, Oral & Maxillofacial Surgery, Carestream Dental, Atlanta, Georgia