What is Cybersecurity?
The US Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) defines cybersecurity as “the art of protecting networks, devices and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity and availability of information.” In other words, it’s anything that prevents cyberattacks or mitigates their impact.
What’s the Top Cybersecurity Threat Faced by Dental Practices?
Challenges to cybersecurity, or cyberattacks, come in many forms. However, as Steve White, Vice President at dental cybersecurity company DDS Rescue explained, in dentistry, one threat stands above the rest: ransomware.
Ransomware is a type of malicious software (malware) that, once installed, encrypts a victim’s data or systems so they cannot be used, then demands a ransom, usually in exchange for the decryption key. According to White, “A ransomware attack is five times more likely to occur than any other cyberattack.” What’s more, in each of its recent annual reports, the FBI’s Internet Crime Complaint Center (IC3) found that healthcare experiences the highest number of ransomware attacks of any U.S. critical infrastructure sector. Although IC3 data show 249 healthcare ransomware attacks in 2023, White notes that these crimes are “grossly underreported,” so the actual number is likely much higher.
Why Do Cybercriminals Attack Dental Practices?
Dental practice management and imaging software contains what White calls “a treasure trove of information.” Stored patient data are not only essential to practice operations but also constitute protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The value of PHI is the reason ransomware hackers hit healthcare providers disproportionately hard: they know that an unprepared practice will promptly pay the ransom to keep operations running and avoid the penalties associated with HIPAA violations.
How Does a Ransomware Attack Occur?
Over 90% of all ransomware attacks are executed via highly camouflaged emails in a type of scam known as “phishing.” As White explained, phishing emails used to be identifiable to the trained eye: “Four or five years ago, you could look at an email and detect some kind of anomaly – for example, a symbol that didn’t belong.” But today, phishing scams are virtually indistinguishable from legitimate emails sent by trusted sources, making it easier than ever for hackers to trick recipients into downloading and installing ransomware.
What are the Potential Consequences of a Ransomware Attack?
Without adequate safeguards in place, a ransomware attack can prove extremely costly. Cut off from patient data, an office either loses productivity by reverting temporarily to paper and film or must close entirely until the data are recovered, which, depending on the severity of the attack, can take days or weeks. On top of the revenue lost to downtime, White shared that ransoms for dental offices are typically high, averaging from $15,000 to $30,000, to be paid in cryptocurrency. And like any ransom, payment means trusting someone who has already stolen from you, so it’s no surprise that in about 30% of ransomware attacks the hackers send a false or non-working decryption key after payment, leaving the data locked down and effectively lost forever.
Violation of HIPAA’s rules pertaining to PHI can also deal a devastating blow to a practice, both to its reputation and to its finances. Under OCR’s guidance, ransomware that encrypts electronic PHI is presumed to be a breach unless the practice can demonstrate a low probability that the data were compromised. Data the practice had already encrypted in line with HHS guidance, with the decryption key kept out of the attacker’s reach, are not “unsecured PHI,” so their loss is not reportable; that protection does not help if the malware ran on a system where the data were already decrypted for use. Otherwise, HIPAA’s Breach Notification Rule requires the practice to provide written notification to every patient whose information may have been compromised without unreasonable delay and no later than 60 days after discovery of the breach.
If a breach affects more than 500 residents of a state or jurisdiction, the practice must also notify prominent media outlets serving that area (typically by press release). All breaches must be reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR): those affecting 500 or more individuals within the same 60-day window, and smaller ones in an annual log submitted within 60 days of the end of the calendar year in which they were discovered. Failure to report, or to comply with OCR’s subsequent requirements for remediation, can result in further penalties. In addition to being time- and resource-consuming, as White shared, “The expense of getting out of a major reported data breach can average $100,000.”
If You Run a Small or Medium-sized Practice, Should You Still be Concerned About Cyberattacks?
Absolutely. Although targeted cyberattacks on large healthcare organizations might be the most newsworthy incidents, they aren’t the most common. “Over 90% of the attacks in the industry are not targeted,” White said. “Most people getting hit are small businesses, like dental practices. And these attacks happen through phishing because offices usually don’t have the IT infrastructure to protect against them.”
What Are Administrative, Physical and Technical Safeguards?
As stated in the HIPAA Security Rule, covered entities (like dental practices) and their business associates must implement three types of safeguards:
- Administrative: Policies and processes, including the risk analysis that determines which security measures PHI requires, the measures that ensure those are carried out (staff training, sanction policies, access management) and contingency planning, which is where the Security Rule places the data backup and disaster recovery plans.
- Physical: These safeguards (alarms, security systems, locks and enclosures) limit access to the practice (who’s allowed in the office and where within the building they can go) and to IT infrastructure (who can physically reach devices on the network, such as servers and firewalls, as well as workstations and removable media).
- Technical: Access controls (unique user IDs, authentication, automatic logoff), audit logging, integrity controls, transmission security and encryption, together with the firewalls, backup systems and other infrastructure that enforce them. These should preserve the confidentiality, integrity and availability of electronic PHI and prevent unauthorized access.
What Best Practices Should an Office Follow to Protect Against Cyberattacks and Stay HIPAA-Compliant?
Investing in cyber risk insurance is certainly a wise idea, but it doesn’t cover all your bases when it comes to cybersecurity or data compliance. HIPAA’s Security Rule requires covered entities, including healthcare providers such as dental practices, to conduct an accurate and thorough risk analysis of the threats to their electronic PHI and to review and update it periodically; in practice, an annual enterprise-level assessment of the IT infrastructure is the usual benchmark. According to White, fulfilling this requirement is the “best thing” a dental practice can do to prevent cyberattacks.
The HIPAA risk assessment is typically a “deep dive” into your office network by a third-party compliance expert (HHS also publishes a free Security Risk Assessment Tool for practices that handle it in-house). Your servers, workstations, email client, backup solutions and more are assessed to determine their current level of security and how they can be improved. After completion, the results of the assessment are reviewed with practice leadership, and a management plan with specific steps for addressing any deficiencies is created. When practices undergo the risk assessment and follow through to ensure the proper administrative, physical and technical safeguards are in place, they not only satisfy HIPAA requirements but also, as White explained, “greatly reduce the chances of falling victim to a cyberattack.”
What Should an Office Look for When Selecting a Cybersecurity Professional?
The dental practice is a unique environment, and maintaining its security requires the help of professionals who not only understand its IT requirements but also HIPAA rules. Ideally, practices should work with a cybersecurity company that has expertise in both areas. A partner like DDS Rescue, for example, can:
- Conduct an enterprise-level risk assessment
- Provide documentation of the assessment along with a management plan that meets HIPAA standards for administrative, physical and technical safeguards
- Recommend and supply upgrades to office IT infrastructure (for example, business-class servers, workstations, firewalls and email, antivirus software, backup solutions, operating system upgrades, data encryption and physical security)
- Offer managed services (remote monitoring) to ensure round-the-clock integrity and security of your network and data
- Provide disaster recovery services in the event of a cyberattack or other emergency to minimize or negate downtime and related expenses
- Train staff on best practices for cybersecurity and regulatory compliance
Because IT service providers may come in contact with PHI, healthcare risk and compliance expert Linda Harvey also notes that HIPAA requires any such partnership to be covered by a written business associate agreement (BAA). “It’s the responsibility of the covered entity – the dental practice – to have a BAA in place,” Harvey explained. “This isn’t a cookie-cutter agreement: each one needs to be customized to match the services that are being provided.” Most cybersecurity professionals who specialize in healthcare understand the importance of HIPAA compliance and will provide and sign a custom BAA when entering a partnership with the practice.
How Do You Get Staff On Board with Cybersecurity and Compliance?
“A culture of safety and compliance starts at the top,” said Harvey. “Everyone on the management team – doctors, office managers – must model ‘This is how we protect patients in our practice,’ so that innocent errors are reported and corrected quickly.” A major part of this effort, as well as another requirement for HIPAA compliance, is ensuring staff members receive annual training. Like the risk assessment, compliance training should consist of more than just, as Harvey says, “checking a box.” It’s also a good idea for the training to be provided by a trusted third party. Such services are offered by companies like DDS Rescue and the Dental Compliance Institute (DCI), for which Harvey serves as an advisor. Regardless of the partner you choose for HIPAA compliance training, the goal remains the same: Ensure that every member of your team understands their role in keeping your practice and its data safe and secure.
Chart a Path to Greater Success with Patterson Dental’s Navigate Business Services
Most dentists have a vision for their practice, and they know that technology plays an integral role. But, as we’ve seen, when it comes to navigating the complexities of cybersecurity and compliance – along with the many other challenges of practice ownership – everyone could use a helping hand.
Patterson’s Navigate Business Services™ offers guidance, support and solutions that enable practice owners to identify barriers to business goals and chart a clearer path to success. By connecting you with HIPAA and OSHA compliance experts at DDS Rescue, along with other trusted partners in areas like taxes and accounting, lease negotiations, practice marketing and more, Navigate Business Services can help you:
- solve immediate and long-term challenges
- discover services and solutions that meet your needs and goals
- receive support over time as your business obstacles and aspirations evolve.
No matter where you are on your journey – building, growing, optimizing or harmonizing your practice – Navigate Business Services has the resources to help, so you can focus on what matters most: taking care of patients.
To learn more about Navigate Business Services, visit pattersondental.com/navigate.
REFERENCES
Acharya A, Schroeder D, Schwei K, Chyou PH. Update on electronic dental record and clinical computing adoption among dental practices in the United States. Clin Med Res. 2017;15(3-4):59-74.
Alder S. HIPAA risk assessment. The HIPAA Journal. January 10, 2024. hipaajournal.com/hipaa-risk-assessment/
Cybersecurity & Infrastructure Security Agency. What is cybersecurity? February 1, 2021. cisa.gov/news-events/news/what-cybersecurity
Reed T. Health care was biggest victim of U.S. ransomware attacks last year. Axios. March 11, 2024. axios.com/2024/03/11/health-care-ransomware-attacks