The fastest growing cybercrime is ransomware. Hackers spread ransomware through plausible-seeming emails that encourage recipients to open them and click on links.
For example, an office may receive an email that appears to be from FedEx. The email says, “We attempted to deliver a package. Click here to arrange delivery.” Since the office gets packages all the time, a staff member clicks as directed and launches the ransomware. Once launched, it encrypts the office data, making it inaccessible to anyone apart from the hackers. The criminals then demand a ransom in exchange for the encryption key. Usually the ransom is not excessive, often only a few thousand dollars, and must be paid in bitcoin within 48 hours. If the doctor fails to pay the ransom, the data will be destroyed.
The health care sector, including dentistry, has become a prime target for ransomware criminals. According to a 2016 NTT Security report, 88 percent of ransomware attacks occurred in the health care sector. There are two reasons for this.
First, health care facilities often have limited security in place and are vulnerable to attack. Second, health care facilities are helpless without their data. Desperate to get it back, they tend to pay up rather than resist.
However, even when they pay up, half of ransomware victims never get their data back.
One of the newest types of malware is pseudo-ransomware. Just like basic ransomware, these programs capture data and hold it hostage. However, the difference is that these new versions don’t just lock down a computer, they take the data. If the practice refuses to pay, the hackers will expose the private information.
Protect Your Data
Data loss from both basic ransomware and pseudo-ransomware are HIPAA violations. Most dentists are aware that HIPAA rules require health care professionals to keep patient data safe from theft or exposure. However, the rules also require the dentist to safely maintain the records and make them available to patients. Ransomware is on the rise, but it is not the most reported HIPAA violation. The office of Health and Human Services maintains an online listing of all reported medical dental data breaches in the U.S. The webpage lists every reported breach affecting 500 or more individuals, broken down to the following six types of breach (archived data, 2009 to present):
Theft: 41 percent
Unauthorized Disclosure: 26 percent
Hacking: 16 percent
Loss: 8 percent
Unknown: 5 percent
Improper Disposal: 3 percent
Theft and loss, which account for about half of breaches, refer to theft or loss of the physical computer in this context. Hacking only accounts for 16 percent.
A simple step you can take to protect yourself from the most common types of breaches is to make your computers hard to steal. Lock up the server in a closet, bolt it to the floor or tie it down with an anti-theft computer cable.
Preventing ransomware attacks and other cybercrimes starts with education. In most cases, lack of knowledge of the user, not the sophistication of the attack, determines whether the hack will be successful. Dentists and team members need to be aware of possible threats. Be wary of attachments; only open attachments that have been checked and approved by your anti-virus application. Never click links embedded in emails. If you trust the email, copy the link, and open it manually in your browser. Only visit known sites that are necessary to the business. Avoid online shopping and social media on work computers. Create a culture of security. Encourage team members to take pride in their security awareness.
Set up and use passwords at multiple points — to log on to the computer and to access practice management software. Resist the temptation to use one easy-to-remember password for everyone. Do not post the password to the side of the computer on a sticky note. Do not share individual passwords with others, and change them every three months.
Keep your systems up to date. Install anti-virus software as well as updates and patches for all applications, including your operating system.
Maintain multiple off-site backups. Any full backup created after a ransomware infection will also be infected. Incremental online backups are best coupled with archived full backups and a second, mirrored hard drive backup in the office.
Encrypt your patient data. If a computer is stolen with encrypted data, it is not considered a HIPAA violation.
It is possible to do this yourself. However, it is best to have an information technology professional set up enterprise-level anti-virus, firewall, encryption and backups.
Cybercrime is a reality of our high-tech world. As a dental professional, you have an ethical and legal obligation to protect your patients’ privacy.
Larry Emmott, DDS, has written three books on using technology in the dental office. He has contributed to dental publications and has been recognized as one of the top ten dentists in social media. More can be found on his blog, EmmottonTechnology.com. To comment on this article, email firstname.lastname@example.org.