Cybersecurity has recently become a critical concern for dental practices and health care entities of all sizes. With sensitive patient data and critical systems at risk, it's more important than ever for dentists to take proactive steps to protect themselves from cyber threats. In this comprehensive guide, we'll explore expert insights on dental cybersecurity from Bill Sintiris and Clint Delander of Anatomy IT, specialists in healthcare IT and cybersecurity solutions.
A Growing Threat for Dental Practices
Dental practices are increasingly becoming targets for cybercriminals. In fact, the American Dental Association (ADA) recently issued a bulletin in collaboration with the FBI, warning of increased threat activities specifically targeting dental practices. These attacks often involve social engineering scams designed to gain access to critical patient information and disrupt business operations.
"Healthcare, as you know, over the last several years has become more and more a target of attacks. The threat landscape is continuing to evolve." - Bill Sintiris
Some of the key cybersecurity threats facing dental practices include:
Ransomware attacks | • |
Encrypts critical patient data
|
| • |
Demands payment for decryption
|
| • |
Can lead to significant downtime
|
| • |
May result in data loss if no backups |
Social engineering and phishing scams | • |
Mimics legitimate communications
|
| • |
Aims to steal credentials or install malware
|
| • |
Often targets staff unfamiliar with threats
|
| • |
Can lead to unauthorized data access |
Data breaches | • |
Exposes sensitive patient information
|
| • |
Can result in HIPAA violations
|
| • |
Damages practice reputation
|
| • |
May lead to legal and financial consequences |
Compromised backups | • |
Renders data recovery impossible
|
| • |
Often targeted alongside primary systems
|
| • |
Can lead to permanent data loss
|
| • |
Emphasizes need for offsite, secure backups |
Outdated software and systems | • |
Creates vulnerabilities in your systems
|
| • |
Often exploited by cybercriminals
|
| • |
Can violate HIPAA compliance requirements
|
| • |
Regular updates are crucial for security |
Real-World Example: The Change Healthcare Data Breach
To illustrate the potential impact of cyber attacks on dental practices, consider the recent breach at Change Healthcare, a third-party insurance processor used by many dental offices:
"For about three weeks, practices were not able to submit claims to insurance companies. It affected millions of patients... Imagine three weeks of not being able to receive payments from an insurance company puts strains on the office operations. I even had some customers who had to seek outside capital and tie up their credit just to bridge the three weeks and the time that followed until they would receive payment from the insurance companies." - Clint Delander
Data breaches like these highlight the far-reaching consequences of cyber attacks, affecting not only sensitive personal data but also the financial stability of a dental office.
Essential Cybersecurity Best Practices for Dental Offices
To protect your dental practice from a credible cybersecurity threat, it's crucial to implement a comprehensive strategy. Here are some essential best practices recommended by the experts:
1: Implement User Awareness Training
One of the most effective ways to prevent cyber attacks is to train your staff to recognize and avoid potential threats. Regular cybersecurity awareness training can help your team identify phishing attempts, social engineering scams, and other common attack vectors.
"Teach your team to recognize and avoid phishing scams. And what that means is user awareness training on what security scams are out there, how to avoid them and how to protect your patient data. First and foremost, training is so critical to our employees to make sure that they really understand how to protect patient data." - Bill Sintiris
Consider implementing the following training practices:
| • |
Conduct monthly 20-minute training sessions on various cybersecurity topics
|
| • |
Use phishing simulations to test and improve staff awareness
|
| • |
Provide immediate feedback and additional training for staff who fall for simulated attacks
|
2: Use Strong Passwords and Multi-Factor Authentication
Implementing strong password policies and multi-factor authentication (MFA) can significantly reduce the risk of unauthorized access to your systems. Require complex passwords for all accounts and enable MFA wherever possible, especially for critical systems and applications.
Best practices for password management include:
| • |
Require passwords to be at least 12 characters long, including a mix of uppercase and lowercase letters, numbers, and symbols
|
| • |
Implement password manager software to help staff create and manage complex passwords
|
| • |
Enable MFA for all critical systems, including email accounts, practice management software, and remote access tools
|
3: Keep Software and Systems Up-to-Date
Regularly updating your business software, operating systems, and applications is crucial for maintaining a strong security posture. Outdated systems often contain vulnerabilities that cybercriminals can exploit.
"When Microsoft stops supporting an operating system, that's a big risk for an organization to take on because once they stop supporting it with security updates, those become target vectors for attacks." - Bill Sintiris
To ensure your systems stay up-to-date:
| • |
Implement an automated patch management system to apply security updates promptly
|
| • |
Regularly audit your software inventory to identify and replace outdated or unsupported applications
|
| • |
Plan for major system upgrades well in advance, such as the upcoming end-of-life for Windows 10 in October 2025
|
4: Implement Robust Backup and Recovery Solutions
Having a reliable backup system is essential for protecting your practice against data loss and ransomware attacks. Implement an "air-gapped" backup solution that keeps your backups separate from your main network to prevent them from being compromised in the event of an attack.
An effective backup strategy can include:
| • |
Implementing the 3-2-1 backup rule: Keep three copies of your data, on two different types of media, with one copy stored off-site
|
| • |
Regularly testing your backups to ensure they can be successfully restored
|
| • |
Encrypting backup data to protect it from unauthorized access
|
3Copies of Data
Primary + Two Backups Redundancy: Multiple copies protect against single point of failure. 2Types of Media
e.g., NAS and Cloud Diversity: Different media types guard against device-specific issues. 1Off-site Copy
Geographically Separate Security: Off-site storage safeguards against local disasters.
5: Endpoint Detection & Response: Electronic Protected Health Information
Deploy endpoint detection and response (EDR) solutions on all devices in your practice. EDR provides healthcare providers a more comprehensive level of protection than traditional antivirus software, helping to detect and respond to advanced threats in real-time.
Benefits of EDR for dental practices include:
| • |
Real-time threat detection and response
|
| • |
Improved visibility into endpoint activity
|
| • |
Ability to quickly isolate and contain compromised devices
|
The Importance of a Disaster Recovery Plan
While prevention is crucial, it's equally important to have a plan in place for responding to and recovering from a cyber incident. Developing a comprehensive disaster recovery plan can help minimize downtime and data loss in the event of an attack.
"I think the customer should have expectations based upon what their current network stack is and services they have. You know, if something like this, you know, terrible event were to happen, what does the recovery look like in those steps and how long would that take?" - Clint Delander
Key components of a dental practice disaster recovery plan should include:
| • |
Procedures for continuing patient care during system outages
|
| • |
Steps for isolating and containing a cyber incident
|
| • |
Process for restoring systems, data, and patient information from backups
|
| • |
Communication protocols for notifying patients and authorities if necessary
|
| • |
Regular testing and updating of the plan |
1 Risk Assessment Identify potential threats and vulnerabilities. 2 Define Objectives Define recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems. 3 Develop Procedures Develop step-by-step recovery procedures for various scenarios 4Assign
Roles Assign roles and responsibilities to staff members for disaster recovery tasks. 5 Test and Update Regularly test and update the plan through tabletop exercises and simulations
To create an effective disaster recovery plan:
| 1. |
Conduct a risk assessment to identify potential threats and vulnerabilities
|
| 2. |
Define recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems
|
| 3. |
Develop step-by-step recovery procedures for various scenarios
|
| 4. |
Assign roles and responsibilities to staff members for disaster recovery tasks
|
| 5. |
Regularly test and update the plan through tabletop exercises and simulations |
For a deeper look at rule and regulations regarding breaches, check out the Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services office (HHS) cybersecurity toolkit designed to aid healthcare professionals.
Addressing Cybersecurity Challenges for DSOs
Dental Service Organizations (DSOs) face unique cybersecurity challenges due to their multi-location nature. When implementing cybersecurity measures for a DSO, consider the following:
| • |
Securing network connections between multiple practices
|
| • |
Implementing consistent security policies across all locations
|
| • |
Managing user access and permissions for a larger, distributed workforce
|
| • |
Coordinating a security risk assessment, staff training, and awareness programs across multiple site
|
To address these challenges, DSOs should consider:
| 1. |
Implementing a centralized security management platform to ensure consistent policies across all locations
|
| 2. |
Using virtual private networks (VPNs) to secure connections between practices
|
| 3. |
Adopting a zero-trust security model to limit access to sensitive information and systems
|
| 4. |
Developing a standardized onboarding and offboarding process for staff to manage access rights effectively |
Making Cybersecurity Affordable for Dental Practices
For many dental practices, especially smaller ones, budget constraints can make implementing comprehensive cybersecurity measures challenging. However, there are ways to prioritize and make cybersecurity more affordable:
1: Prioritize Critical Security Measures
Focus on implementing the most critical security measures first, such as:
| • |
Strong passwords and multi-factor authentication
|
| • |
Regular software updates and patching
|
| • |
Reliable backup solutions
|
| • |
Basic endpoint protection
|
2: Develop a Phased Approach
Work with an IT partner to develop a phased approach to implementing cybersecurity measures. This allows you to spread the cost over time while gradually improving your security posture.
3: Leverage Managed IT Services
Consider partnering with a managed IT service provider specializing in dental or healthcare IT. This can provide access to enterprise-level security solutions at a more affordable monthly cost.
4: Invest in Cyber Liability Insurance
"Make sure you have cyber liability insurance. Okay, if at a very minimum have cyber liability insurance to cover you in the event of an attack where there's expenses that are going to be incurred." - Clint Delander
While not a direct cybersecurity measure, cyber liability insurance can help protect your practice financially in the event of a breach or attack. Many insurance providers also offer resources and guidance for improving your cybersecurity posture.
When selecting a cyber liability insurance policy, consider:
| • |
The coverage limits and types of incidents covered
|
| • |
Any requirements or prerequisites for coverage, such as implementing specific security measures
|
| • |
The insurer's reputation and track record in handling claims in the dental industry |
Staying Informed About Emerging Cyber Threats
Cybersecurity within the health care infrastructure is constantly evolving, with new threats emerging regularly. To stay informed and protected, consider the following strategies:
| • |
Partner with an IT provider specializing in dental or healthcare cybersecurity
|
| • |
Stay updated on ADA, FBI, and bulletins related to dental cybersecurity
|
| • |
Attend dental conferences and webinars that cover cybersecurity topics
|
| • |
Regularly review and update your cybersecurity policies and procedures
|
To help dental practices stay current, Anatomy IT has developed a Health IT Framework:
"We've developed what we call the Health IT Framework. And that framework is a series of 44 questions that allows an office or an organization or DSO to assess their IT health and maturity, not just from a technology perspective, but from a process, business continuity, disaster recovery, HIPAA compliance perspective." - Bill Sintiris
This framework can help dental practices objectively assess their current cybersecurity posture and identify areas for improvement.
Conclusion: Protecting Your Dental Practice in the Digital Age
As cyber threats continue to evolve and target dental practices, it's crucial to take a proactive approach to cybersecurity. By implementing best practices, developing a comprehensive disaster recovery plan, and staying informed about emerging threats, you can protect your patients' sensitive data and ensure the continuity of your practice.
"It's not a matter of if, it's a matter of when. So what can you do when you design the environment to make sure that if it is attacked, that you can mitigate that attack and that you can recover from it if it does invade you." - Bill Sintiris
Remember, cybersecurity is an ongoing process, not a one-time effort. Regularly assess your practice's security posture, update your strategies, and invest in the necessary tools and training to keep your dental practice safe in today's digital landscape.
Take Action to Protect Your Dental Practice Today
Don't wait for a cyber incident to occur before taking action. Start improving your dental practice's cybersecurity today:
| 1. |
Conduct a cybersecurity assessment to identify vulnerabilities in your current systems
|
| 2. |
Implement basic security measures like strong passwords and multi-factor authentication
|
| 3. |
Develop a staff training program to improve cybersecurity awareness
|
| 4. |
Create or update your disaster recovery plan
|
| 5. |
Consider partnering with a dental IT specialist to develop a comprehensive cybersecurity strategy |
At WEO Media, we understand the gravity of a potential cybersecurity breach and HIPAA (Health Insurance Portability and Accountability Act) violation. We understand the unique cybersecurity challenges facing dental practices looking to protect sensitive information.
By prioritizing cybersecurity and working with experienced partners like us, you can ensure that your dental practice not only remains resilient in the face of evolving cyber threats, but also effectively communicates that resilience to new and existing patients.
Ready to take the next step in protecting your dental practice and building trust with your patients? Contact WEO Media today for a free consultation on how we can help you develop a robust cybersecurity and communication strategy.
Let's Chat
Anecdote not recorded in the podcast from Clint:
The FBI provided an example in which the threat actor poses as a new patient or says they want to become a patient at the practice to obtain new patient forms online. Once the forms are received, the threat actor will then contact the practice to report they are having trouble submitting them online and ask if they can scan the forms and email them instead. The threat actor then emails the “forms” as an attachment. When the attachment is opened malware is deployed in a phishing scheme. The FBI requests dental practices that experience any fraudulent or suspicious activities to report them to the FBI Internet Crime Complaint Center |
