Cybersecurity in the Dental Practice

You've just been hacked.

BEEP! Your alarm clock sounds. Initially it rings intermittently and gently, gradually working its way to the five-beep, get-out-of-bed-now sound needed to finally grab your attention. Your day is beginning like every other day. 

Your shower is hot. Your coffee is hot; and as always, you lack the patience to let it fully cool before taking that first sip … ouch! Your commute is as normal as it has ever been. The parking spot you always park in is open (let’s be honest, we’re all creatures of habit!), and your day serving patients is about to begin. Everything is unfolding just as it should. Now, fast forward 12 minutes, since that’s the amount of time you need to begin your work process. You jiggle your mouse to wake your sleeping computer, still smiling while exchanging morning pleasantries with your office staff. One glance back to your monitor, and … Boom! Your computer is down. No programs load. Everything is locked up. You hear your coworkers outside your door echoing the same thing you just mumbled in your head, “My computer won’t work; something’s wrong!” It’s like a scene from a bad movie. Your worst imagined fears suddenly realized. As you contact your IT vendor in an attempt to bring your system and network back to life, the clock is ticking. Patients are arriving for appointments scheduled months in advance. 

Finally, your IT person shows up. You’re saved! Well, actually there’s bad news. After attempting to get your computer system back in operational mode, your IT professional informs you, “You’ve been hacked, and those data backups you’ve been running? Yeah, well they haven’t been working! However, there is an option to access your data.” “At last!” you say. “Some good news on this already horrid Monday. What is it?” “There’s an option,” your IT pro responds, “to pay a ransom to decrypt and access your data, and the fee will likely be just a bit over $10,000 … but the process will take at least a week.”

Now, if your IT specialists are worth their salt, they’d also know an instance like this one requires paying another seasoned professional to conduct a forensic analysis to assess if an actual breach occurred. But just as you’ve heard on those late-night infomercials, “But wait, there’s more!” Yes, in fact, there’s much, much more. The financial impact from this incident stretches far beyond the ransom and breach analysis. Expenses resulting from downtime and lost production may be far bigger burdens. According to an IBM-commissioned report, the average cost to recover from a breach is $380 per patient. So, for a 2,000-patient practice, that’s $760,000.

Cyberattacks happen very regularly. In fact, over the course of the last three years, the frequency has increased exponentially. Just how frequent are they? One occurs every 39 seconds to be exact. So, by the time you have finished reading the next few paragraphs, another cyberattack will have been executed.

So, the big questions are these:  

What can you do to prevent such attacks? How does your practice function during the recovery process? 

And the bigger—and immensely tougher—question:  

What do you tell your patients?

Light at the end of this tunnel

Believe it or not, there is some good news that can come from a situation like this. The best news? 

It was completely preventable. 

In this case, a properly configured secure network would have decreased by tenfold the likelihood of this incident happening. Having the proper security measures in place to thwart would-be attackers takes care of the vast majority of attacks. On the off-chance an attack was successful despite your existing defense system, an off-site, monitored backup or disaster-recovery system would have allowed for the restoration of all of your data based on a snapshot taken just before the attack occurred. Let’s say your last backup was successfully completed on a Sunday morning at 2:00 am, and the attack was made at 11:00 pm Sunday night. Everything that was saved during that 2:00 am backup would be stored in the off-site backup location, and this process would ensure total recovery of everything up to that point. 

You’re not off the hook 

While multiple types of IT failure may create an environment which results in significant disruption that impacts your office routine, the responsibility and downtime are yours. It’s your name on the practice. The patients are your patients. It’s your duty to own whatever mistakes occurred. While it’s a bitter pill to swallow, accepting responsibility for the disruptive issues and being 100 percent transparent with your patients is imperative. Not only does this allow your patients to be clued into what has happened, but it also helps you maintain the credibility you’ve worked so hard to build up to this point. One of the most effective ways to rebuild patient-practice trust is by communicating your plan to correct the issue which caused the situation. Your first corrective step should be to find a more reliable and effective IT vendor that has expertise in working with dental practices.

Don’t be a victim—Correct common IT issues

Let’s face it. You’re a practice owner, not an IT professional. You’re not expected to be privy to all of the intricacies of the IT world. However, you are expected to—and absolutely must—know the basics in order to make an informed decision regarding the IT vendor best suited to protect your practice.

Here is a list of items to include on a cheat sheet to help you avoid IT disruptions to your practice:

Frequent backups

As we outlined earlier, backups can be lifesavers, or, in this instance, data savers. Having a regularly scheduled backup system in place is an essential tool in keeping yourself protected. It doesn’t stop there, though. Knowing (and having a say in) what data is being backed up, where the data is being backed up to, and how long it will take to be restored are the crucial pieces of information you need to know. Think of a backup as being your practice treasure. You wouldn’t want to bury your practice treasure somewhere without knowing where to find the X that marks the spot where you can recover it.

Windows updates 

Security vulnerabilities are being discovered all the time. This means if you’re not keeping your operating system up-to-date, you’re harboring big-time risks. Current security updates must be installed on all workstations and servers. Taking this precaution is critical. 

Side note: For any of you still running Windows 7 and/or Windows Server 2008, your hourglass is quickly emptying. Come January 2020, support for these systems will be discontinued, and no further patches or security updates will be released. Your practice will be non-compliant.

Antivirus/antimalware

No free solutions exist to combat these threats. Plain and simple. Enterprise-grade antivirus and antimalware software programs are the only acceptable way to equip your practice for best protection. Find a reputable enterprise-grade provider that runs at least daily updates. The normal antivirus applications designed for home use that you’re likely accustomed to are unacceptable options for use in protecting your practice. Choosing one of these options is basically like arming your practice with Swiss cheese—there are just too many holes. 

Staff training 

Having the peace of mind that your employees—you know, the people who are using your network on a daily basis—are properly educated in keeping your systems safe is invaluable. Cybersecurity training should be given annually at a minimum, but the ideal timeframe is quarterly. Keeping up with new threats, trends, and techniques goes a long way in helping protect your practice. Two big pieces of advice I always give to practices I assist are: 

1. Don’t get click happy; slow down when browsing anything online and do not click without reading.

2. Don’t open email attachments unless you are 100 percent certain of who the sender is, and that you’re expecting an attachment from them. 

Secure firewalls 

Having a firewall is your first line of defense against internet malice. However, don’t be fooled. Your practice needs much more than just a firewall, but a firewall is just as important as antivirus/antimalware protection. A practice without a firewall would be like playing chess without pawns acting as the initial barrier, blocking access to your royalty.

You may be thinking, “Managing each of those big-ticket solutions sounds great, but how can I accomplish all of them?” That’s a perfect question to ask, and the answer has several components. But it starts by understanding the importance of this short and simple quip, “Not all IT is created equal.” Just as in the dental profession, specialties exist in IT. One company that’s great at solving problems may not have a security focus or may not have experience in that field at all. In many cases, general IT companies are far less equipped to protect your practice than a dental-specific IT company.

Even then, just because a company identifies as a “dental-specific” IT vendor, it doesn’t automatically mean they’re experts in the security field. Identifying a dental-specific IT vendor that is a known expert in practice security is essential. They’re like a rare four-leaf clover, and you’re lucky when you find one. 

While their fees may be more than those of the run-of-the-mill local general IT company, there’s a reason—the expertise and quality they provide. Protecting your practice means protecting your patients. Patients who have placed their undivided trust in you deserve the best protection possible. Being proactive rather than reactive in protecting your practice and patient data can save you more than just the thousands of dollars in recovery costs and fines. Doing so will also save you unneeded stress, headache, and—maybe most importantly—your reputation. Having premier IT support should not be looked at as an expense, but rather as an investment … and even as insurance to an extent. Find an IT partner who sees themselves as an extension of your practice, not just a vendor who sees you as “just another number” on their bottom line.

When it comes to finding the IT vendor that is the best fit for your practice, always keep in mind these words, spoken by the brilliant Benjamin Franklin, “An ounce of prevention is worth a pound of cure.”