Dental offices are particularly vulnerable to cyberattacks. Unlike large hospital systems with cybersecurity protocols maximized to protect patient healthcare information, a vast majority of dental practices don’t have the latest generation of cybersecurity protection, according to Gary Salman, CEO of Black Talon Security, which services cybersecurity for dental offices across the United States.
When a practice gets hit, it can be devastating not only for the practice, but also for the patients. “If you are a dentist and have your own practice or are a partner, this is something that will change your life forever,” Salman said. “I can’t even describe the emotional stress that doctors go through. You can’t control the outcome of an event like this. You can do the best you can to get out of the mess you’re in, but you’re at the mercy of these criminals.”
Cybercriminals are often connected to organized crime, including organizations in Russia, Ukraine, Iran and North Korea, according to Salman. Healthcare records contain a collection of personal patient information, including social security numbers, dates of birth, driver’s license numbers, contact information, credit card information and significant personal health history. These patient records are extremely valuable on the dark web and can fetch $50–$200 per record. The information is attractive to hackers because the records are so complete.
“With cybersecurity, what we’re doing to secure systems and networks is already being hacked and bypassed. There’s a need for new solutions constantly,” said Lorne Lavine, DMD, owner of The Digital Dentist, a comprehensive information technology (IT) and cybersecurity service provider specifically for dentists. “The criminals are coming up with newer and tougher ways of defeating the defenses. It’s a cat-and-mouse game.”
Attacks also often have permanent effects on how dentists approach cybersecurity for their office.
“After a practice is hit, the dentist says, ‘I’ll pay whatever it takes to make sure this never happens again. Just tell me what I need to do,’” Salman said. “It’s horrible they got hit to begin with, but, with proper education, maybe we can change the dentist’s mindset so they say to themselves, ‘I want to avoid being a victim.’ Cybersecurity is part of running a business nowadays. If you’re connected to the internet, you have to protect yourself and your practice or you risk losing everything you’ve worked for.”
Considered the No. 1 cybersecurity threat for the healthcare industry by the Health Information Sharing and Analysis Center, ransomware is designed to hold entire computer systems hostage. Ransomware has brought down healthcare computer systems for weeks,2 has gone after cloud remote management services involved in hundreds of dental offices,3 and was even used in an attack on the American Dental Association in April 2022.4
Ransomware can infect all computers connected in a system, encrypting files and making the systems that hold the files inoperable. Criminals demand ransom in exchange for decrypting the files. The FBI advises against paying the ransom because there is no guarantee the files will be recovered. Payment also emboldens the criminals.5 Ransomware is a type of software that can be installed from malicious emails. A user thinking a link or file is legitimate will click on it and inadvertently install malware. Hackers have also patched into computer systems after obtaining login information, effectively controlling computers from anywhere in the world. After obtaining control, they will install ransomware. Legitimate software applications and remote desktop protocol access also have vulnerabilities that can be hacked and used to install ransomware.5
The problem is pervasive. Between 2020 and 2021, more than 160 ransomware attacks affected more than 1,700 health clinics across the United States. Larger hospital systems have seen losses in the tens of millions of dollars in attacks,2 and some smaller medical practices have permanently closed.6 “We’ve had dental and medical practices go out of business because of a ransomware event. Multiple doctors have closed up shop and disappeared. They can’t afford the ramifications or costs of a breach,” Salman said.
HIPAA’s Layers of Complexity
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) adds another layer of complexity. Under HIPAA, entities must meet a series of standards in order to prevent cyberattacks and secure electronic protected health information (e-PHI). The “Standards for Privacy of Individually Identifiable Health Information,” commonly known as The Privacy Rule, establishes national standards for the protection of certain health information. Meanwhile, the “Security Standards for the Protection of Electronic Protected Health Information,” or the Security Rule, establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.7
“With HIPAA, there are 700 pages of rules and regulations, but the bottom line is that patients are entrusting dental offices with their very personal and private information. The patient has every right to assume the dental office will take every step to keep that information secure,” Lavine said.
“As a firm, we prepare a substantial amount of HIPAA manuals for our healthcare providers, and, during this process, we have discovered that approximately 95% of the healthcare providers’ current HIPAA manuals are outdated, which is astonishing,” said Stuart J. Oberman, JD, a healthcare attorney based in Georgia. “Under the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), which enforces HIPAA, if a security breach does occur and patient information is compromised, there are specific reporting requirements that must be met, and many healthcare providers are simply not aware of this requirement, which is very concerning. In addition, many of our healthcare providers do not know that there are national standards for e-PHI records, which have to be created, maintained and terminated according to specific governmental guidelines. It should be noted, that under specific HIPAA guidelines, healthcare providers are required to have a breach notification plan in place, which, unfortunately, many healthcare providers have no knowledge of.”
The HIPAA Security Rule is written broadly enough to cover all types of medical practices, from the smallest dental practice to the largest health systems. It is centered around four pillars: (1) ensuring e-PHI is kept within confidential channels; (2) identifying and protecting against potential threats to that information; (3) protecting against any reasonably anticipated disclosures; and (4) ensuring the workforce is properly in compliance with these procedures. The Security Rule does not apply to PHI transmitted orally or in writing.7
“We work with a substantial amount of healthcare providers on a national basis when a governmental investigation takes place as a result of a security breach,” Oberman said. “During the investigation, in just about every case, the government wants to know how the breach occurred and whether the healthcare provider followed proper protocols in order to secure patient information. If not, was the healthcare provider’s failure to follow the proper protocols accidental or intentional? If a failure to implement the proper protocols was intentional, then the healthcare provider will be fined and penalized accordingly. In many cases, the government is more concerned about having the healthcare provider fix the internal problem versus penalizing the provider. When a breach does occur and a governmental investigation takes place, you always have to worry about damage control.”
In the event of an attack, HHS has a four-step process to respond to a cybersecurity event for entities that must maintain HIPAA compliance: (1) respond by executing “response and mitigation procedures, and contingency plans,” (2) report the crime to appropriate law enforcement, (3) report the threat to federal agencies as well as information sharing and analysis organizations, and (4) assess the extent of the breach to determine whether any protected health information was compromised. If a breach occurred, patients must be notified within a 60-day notice window. If more than 500 individuals are affected, the media and OCR must also be notified as soon as possible. When fewer than 500 patients are affected, then only OCR needs to be notified — but no later than 60 days after the calendar year of the breach. If no breach occurred, all documentation related to the risk assessment of the cyberattack must be kept along with details of why it is believed there was no breach.8
“One of the HIPAA rules is that you have to do a regular risk assessment and have a HIPAA management plan in place. You don’t know where you’re running short of cybersecurity best practices and HIPAA guidelines unless you look. We do that for every office,” Lavine said. “If you’re ever audited and they see that you have done a risk assessment and have a plan in place, but you’ve never lifted a finger to fix your vulnerabilities, that is far worse and called willful neglect. That’s when you hear about these multimillion-dollar settlements.”
Protecting Your Office: Hardware and Software
There is a dramatic difference between a neighborhood IT provider — who handles day-to-day operations of computer purchases and installations, networking systems, and setting up email — and cybersecurity firms, according to Lavine. IT firms are likely not equipped to handle complex network security at the level necessary for the medical field.
“In cybersecurity, there are two main components — the things that you do to keep the bad guys out of your network and the things that you do when the bad guys get in,” Lavine said. Of the 350 dental clients The Digital Dentist services, nearly all are long distance. A majority contract his firm for both IT and cybersecurity, while others prefer to keep their local IT company, using The Digital Dentist exclusively for cybersecurity. “We do have a fair number of offices that say, ‘I want to have a local IT person for my day-to-day stuff.’ They don’t specialize in cybersecurity. They don’t know about firewalls, ransomware and HIPAA. Just like with dentistry, patients will see a general dentist for most dental needs, but sometimes they also need a specialist.”
“We’ve seen so many attacks occur where practices have had good IT companies but lacked the proper cybersecurity measure to prevent a breach,” Salman said. “But the question every dentist should ask themselves is who’s checking the work of the IT company to make sure the network is actually secure? Often, the firms tell doctors, ‘You’re secure, you’re good, you’re fine. You don’t have anything to worry about. We’ve got your back.’ Then they turn around, and they’re a victim of a ransomware attack.
“Practices need to consult with a third-party cybersecurity company that can perform independent tests and verification on the network and firewalls to determine whether or not those devices are configured properly and whether they’d be susceptible to a cyberattack or a ransomware attack, and, if they are susceptible, make recommendations on how to properly configure the practice’s devices so that they’re less susceptible. I always say trust but verify,” Salman said.
There are three main generations of antivirus software used by dental practices today. Salman estimates around 90% of dental practices exclusively use the oldest form of protection — “off-the-shelf” antivirus software, which is easily defeated by current hacking operations. The readily available software often fails to stop more advanced forms of malware and most ransomware, as it is extremely easy to disable the software prior to the attack. Hackers also purchase off-the-shelf software and use it to create code that can float by undetected. While antivirus companies will eventually respond with an update in days or weeks after finding out about new threats, the damage will have already been done.
“The days of just throwing an antivirus software on there like Norton and being done with it are long gone. They’re just not going to provide adequate protection,” Lavine said.
The latest generations of antivirus software incorporate artificial intelligence (AI). AI analyzes code for whether or not it is problematic and has the capacity to the kill the malware. The newest third-generation software Salman uses is called extended detection response (XDR), which has the most advanced and adaptable AI to help counter threats.
“XDR has the ability to understand what is going on across all of the computers in a network,” Salman said. “The AI can say, ‘We have a problem here. The network appears to be under systemic attack. Let’s isolate these computers from the network. Let’s sever the internet connection and network connection to try and prevent the spread of the malicious code.’”
The Digital Dentist uses “application whitelisting,” which has a narrow list of approved programs that can run on a network. “It learns as it goes along. We had to do a lot of initial setup with it so that it learned Open Dental, Dentrix, XDR and the myriad other software applications specific to the dental industry,” Levine said. “Viruses are just tiny little programs with a set of instructions that tell a computer what to do. In the 20 months or so we’ve been installing this software for clients, we’ve not had a single virus infection on a computer, which is not something we could say before.”
When looking for a cybersecurity firm, Salman recommends finding one that — at a minimum — has experience with smaller medical offices and ideally with dental offices. Do research on the firm. Look for companies with well-trained, credentialed security engineers who are board-certified, with certifications like Certified Information Systems Security Professional (CISSP) or HealthCare Information Security and Privacy Practitioner (HCISPP). Find a half-dozen references who can vouch for the firm, and ensure the company is endorsed by state and national organizations.
Cybersecurity firms should do daily firewall and computer testing. “Many cyber solutions are still doing monthly testing or quarterly vulnerability testing, and that’s really not enough,” Salman said. “The data is now showing that the period of time from the day a vulnerability is discovered by a hacker to the day it is exploited is now a 14-day window. Practices not engaging in real-time vulnerability scanning leave themselves highly exposed to these short windows of opportunity that hackers leverage to steal patient data and launch ransomware attacks.”
Firms should also do penetration testing, during which an ethical hacker will try and break into their network. Salman recommends this be done on an annual basis. Transparency in all findings is also essential.
“With transparency, you can see which computers are properly secured and are in a good place from a security perspective and which computers are high-risk because of a vulnerability,” Salman said. “Having that kind of data readily available is very important.”
Local routers more intended for home use like Netgear, Linksys or D-Link are insufficient for the medical setting, according to Lavine. A business-class Sophos or SonicWall firewall is needed to provide ample protection. Cloud computing offers another layer of complexity. Lavine said, “More and more offices in the last 10 years are putting their information into a digital format. Now everything is digital, and more people are going cloud-based. The more information you have in your computer systems or online, the more at risk you are of having it compromised.”
Protecting Your Office: Training Staff
Security breaches can occur when dentists or staff make errors, and proper employee training is key to prevent internal security breaches or cyberattacks. However, most dental offices do not train their employees for proper security protocols, according to Oberman.
“The most common security problem in dental offices is clearly human error,” Oberman said. “It really comes down to training to figure out where the gaps are, which may include IT or internal policies and procedures.”
Oberman recommends training employees to identify third-party attempts that could lead to breaches, including recognizing phishing emails. Often sent in bulk to unsuspecting employees, intruders attempt to gain access to internal confidential patient information. In addition, during spear phishing attacks, hackers strategically tailor messages that look like legitimate emails from vendors. Spear phishing can also be carried out via phone systems.
Office procedures can help prevent attacks, according to Lavine. He recommends having a closed Wi-Fi network. Patients and staff should not be able to connect to the office’s network with their personal devices. Personal devices should never be used to communicate business information. Between the COVID-19 pandemic and the prevalence of remote work, the blurring between the office and home created additional vulnerabilities. “There are lots of ways to log in to a work computer from home, but many are not HIPAA-compliant,” Lavine said. “Remote access requires encryption, auditing, logging and auto-shutoff. Programs like Microsoft Remote Desktop, VNC and AnyDesk do not meet these criteria. We highly encourage staff to never use personal devices to log in to the office network.”
In the office, Lavine recommends a strict internet use policy detailing the websites staff can visit and setting up blocks. He said, “There should be no use of company computers for personal use at all. No Facebook, no Twitter, no email, and the consequences should go all the way up through termination.”
Salman also recommends using multifactor authentication, specifically to help secure email, bank accounts, cloud technology and online ordering. Multifactor authentication is a security method so that, in order to log in to a system or network, the user must provide two or more credentials. This can include a password combined with an automatically generated passcode sent to the user via text or email, a phone call to the user, a biometric factor like a fingerprint or voice recognition, or a security token.
Cyber Liability Insurance
Cyber liability losses have been pummeling the insurance industry over the past several years, causing premiums to rise 74% from 2020 to 2021, according to the National Association of Insurance Commissioners. This cost increase is due to a combination of rising loss ratios for insurers and the overall losses incurred by ransomware attacks. Between 2017 and 2020, the loss ratio for the top 20 insurers jumped from 32.4% to 66.9%, with a slight drop to 66.4% in 2021. Insurance companies have been developing more stringent screening guidelines to help prevent losses, reducing the total coverage limit and making it more challenging to obtain coverage.9
For dentistry, depending on the size of the dental practice, the budget and if there has been a breach in the past, a $250,000 policy is likely enough to cover the legal fees and associated costs with a breach, according to Lavine. For practices with a prior breach, the cost for coverage and the size of the policy will be greater. A $250,000 policy, depending on the size of the office, generally costs $1,000–$1,500 per year.
“When people balk at it, I say, ‘What’s your daily production?’” Lavine said. “If you’re down for a day or two, which can be the minimum if you’re hit with ransomware, you’ve lost all that production. If the amount of lost production in the aftermath of a ransomware attack would have paid for eight years of a cybersecurity insurance policy, then the policy is a no-brainer.”
Insurance companies will issue a multipage questionnaire asking about firewalls, antimalware software and how data backups are stored and maintained. They will ensure your practice is using a business-class firewall and that you have software that can combat the latest generation of viruses, according to Lavine.
While insurance forms were much shorter a decade ago, because of the dramatic rise in breaches, forms have grown more complex and are routinely 10–13 pages, according to Salman. Insurance companies may also inquire about the kinds of tests you’re running on the system, what third parties like IT companies and billing companies have access to your system, and what kind of training is being done by the office.
Dan Kolen is a freelance writer and media producer based in Chicago. To comment on this article, email email@example.com.
1. “2022 Mid-Year Horizon Report: The State of Cybersecurity in Healthcare.” Fortified Health Security, July 2022, fortifiedhealthsecurity.com/wp-content/uploads/2022/07/2022-Mid-Year-Horizon-Report.pdf. Accessed 30 Nov. 2022.
2. Bergal, Jenni. “Ransomware Attacks on Hospitals Put Patients at Risk.” The Pew Charitable Trusts, 18 May 2022, pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/05/18/ransomware-attacks-on-hospitals-put-patients-at-risk. Accessed 30 Nov. 2022.
3. Kan, Michael. “Ransomware Attack Hits 400 Dental Offices Across the US.” PCMag, 29 Aug. 2019, pcmag.com/news/ransomware-attack-hits-400-dental-offices-across-the-us. Accessed 30 Nov. 2022.
4. Davis, Jessica. “Ransomware Caused American Dental Association Outage, Led to Stolen Data.” SC Media, 28 July 2002, scmagazine.com/analysis/breach/ransomware-caused-american-dental-association-outage-led-to-stolen-data. Accessed 30 Nov. 2022.
5. “Ransomware: What It Is & What To Do About It.” Cybersecurity Infrastructure Security Agency, cisa.gov/sites/default/files/2021-01/NCIJTF%20Ransomware_Fact_Sheet.pdf. Accessed 30 Nov. 2022.
6. Janofsky, Adam. “Smaller Medical Providers Get Burned by Ransomware,” The Wall Street Journal, 6 Oct. 2019, wsj.com/articles/smaller-medical-providers-get-burned-by-ransomware-11570366801. Accessed 30 Nov. 2022.
7. “Summary of the HIPAA Security Rule.” U.S. Department of Health & Human Services, 19 Oct. 2022, hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html. Accessed 30 Nov. 2022.
8. “Cyber Attack Quick Response.” U.S. Department of Health & Human Services, hhs.gov/sites/default/files/cyber-attack-quick-response-infographic.gif. Accessed 30 Nov. 2022.
9. “Report on the Cyber Insurance Market.” National Association of Insurance Commissioners, 18 Oct. 2022, content.naic.org/sites/default/files/cmte-c-cyber-supplement-report-2022-for-data-year-2021.pdf. Accessed 30 Nov. 2022.