By A.J. Zak
Orthodontic practices are in many ways ideal targets for cybercriminals: they hold a wealth of sensitive patient data, and they are often small, vulnerable businesses.
But most orthodontists don’t think much about cybersecurity, or even realize that it’s something they should prioritize, said Gary Salman, CEO of Black Talon Security in New York State.
“The doctors, orthodontists, have to change their mindset,” said Salman. “If you have the mindset of ‘Hey, this is not going to happen to me,’ it eventually will.”
While the financial sector has tightened its protocols in recent years in an effort to tamp down on data breaches, the healthcare industry is several years behind, and hackers are keenly aware of that fact, Salman said. As recently as August, for example, news broke of a ransomware attack that targeted hundreds of dental practices around the country.
Two primary reasons healthcare providers are so attractive to hackers are the potential to profit from selling patients’ identities online, and also the potential to score hefty ransom payments for holding patient data hostage.
“You look at some of these practices—they could have hundreds of thousands of patients in their database,” Salman said. Hackers access that data and can then sell it on the dark web to people who are looking to take out loans, leases, bank accounts and more in someone else’s name.
Identity theft isn’t the only issue. Ransomware is also a huge business for hackers, and such attacks are becoming more sophisticated, according to the FBI’s website. Ransomware attacks used to happen largely through spam email, but that has changed more recently as email systems have improved to filter out such messages, the agency said. Since that shift, cyber criminals have “turned to spear phishing emails targeting specific individuals,” the FBI said.
That’s one thing Black Talon Security, which recently received American Association of Orthodontists endorsement, works on with its clients: training employees at orthodontic practices on how to always have their antennae up for signs that an email may be suspicious even if it looks like it was sent from a coworker or another trusted source.
Salman’s company has also purchased domain names that sound like they might belong to a bracket, wire, or imaging business in the industry, and then sends out test phishing emails to client employees to monitor who ends up clicking on the would-be malicious link. That can better inform training on how to detect red flags.
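The lookalike-domain trick described above can also be checked mechanically before a message reaches a person. The following script is an added example, not Black Talon Security's tooling or anything from the original article: it takes the From: header of an email, compares the sender's domain against a short allowlist of trusted supplier domains, and flags domains that differ only by a swapped glyph (1 for l, 0 for o, rn for m), by a typo within a small edit distance, or by tacking the real vendor name onto an attacker-controlled domain. The vendor domains, the edit-distance threshold and the sample headers are all constructed for illustration.

```python
"""Flag From: addresses whose domain looks like a trusted supplier's domain.

Added example for this article; the allowlist and sample headers are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Hypothetical supplier domains (brackets, wire, imaging). A real list would
# come from the practice's own vendor records.
TRUSTED_VENDOR_DOMAINS = {
    "example-brackets.com",
    "example-wires.com",
    "example-imaging.com",
}

# Single characters commonly swapped for look-alike letters in a registered name.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character swaps that survive a quick glance.
_MULTI_CHAR = (("rn", "m"), ("vv", "w"))

# Assumed threshold: this many edits or fewer from a trusted name is a look-alike.
MAX_EDIT_DISTANCE = 2


def normalize_domain(domain: str) -> str:
    """Lower-case, fold Unicode compatibility forms and undo common glyph swaps."""
    d = unicodedata.normalize("NFKC", domain.strip().rstrip(".")).lower()
    d = d.translate(_HOMOGLYPHS)
    for lookalike, real in _MULTI_CHAR:
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, by the usual DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str):
    """Domain part of the address in a From: header, or None if there is no address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, lookalike, unknown or unparseable."""
    domain = sender_domain(from_header)
    if not domain:
        return {"verdict": "unparseable", "domain": None, "matched": None}
    if domain in TRUSTED_VENDOR_DOMAINS:
        return {"verdict": "trusted", "domain": domain, "matched": domain}
    norm = normalize_domain(domain)
    for trusted in sorted(TRUSTED_VENDOR_DOMAINS):
        trusted_norm = normalize_domain(trusted)
        # Vendor name used as leading labels of an attacker's domain:
        # example-brackets.com.evil-test.net
        if domain.startswith(trusted + "."):
            return {"verdict": "lookalike", "domain": domain, "matched": trusted}
        # Glyph swap that normalizes back to the trusted name, or a short typo.
        if norm == trusted_norm or levenshtein(norm, trusted_norm) <= MAX_EDIT_DISTANCE:
            return {"verdict": "lookalike", "domain": domain, "matched": trusted}
    return {"verdict": "unknown", "domain": domain, "matched": None}


if __name__ == "__main__":
    # Constructed sample headers, not from any real mailbox.
    samples = [
        "Orders <sales@example-brackets.com>",
        "Orders <sales@examp1e-brackets.com>",
        "Billing <ar@example-brakets.com>",
        "Support <help@example-brackets.com.evil-test.net>",
        "Dr Smith <dr@unrelated-test.org>",
    ]
    for header in samples:
        result = check_sender(header)
        print(f"{result['verdict']:<11} {header}  (matched: {result['matched']})")
```

A verdict of "unknown" is not a clean bill of health; it only means the domain does not resemble a supplier on the list. The check is meant as one extra signal alongside the staff training the article describes, and the allowlist has to be kept current as vendors change.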
The increasing ubiquity of cyber insurance among healthcare providers is another factor that draws attackers, Salman said.
“If I can hack your network and put ransomware on your network and you pay me $8,000 to get all your data back—that’s a big thing,” Salman said. “They know more and more healthcare providers have cybersecurity insurance. It’s this vicious cycle.”
Besides the potential financial hit and loss of patient trust in the wake of a data breach, such attacks could also become a public relations nightmare.
Continuous training is one of the best ways practices can protect themselves, their employees, and their patients from the threat of cyberattacks. A security-aware culture has to start at the top, with the owners of the practice, in order for it to be successful.
“It has to be a team approach,” Salman said. “If you’re just going through this training to check this box once a year, don’t waste your money.”
Software, audits, and other tools will go a long way in keeping networks as secure as possible, but there’s still no replacement for what’s known as the “human firewall”—that refers to a person’s ability to look at an email that appears to be real but determine that it’s actually a scam.
“There’s no piece of software that’s going to catch everything,” Salman said. “And to date, really, the best defense in terms of phishing emails is the human.”
Providers also need to understand the differences between what their information technology support team does for them versus the work cybersecurity experts do.
Practices should work with an outside company to perform independent audits of their network, to assess where there may be vulnerabilities in the system. Too often, Salman said, practice owners rely on their IT staff to regulate themselves.
“You can’t have your IT vendor auditing their own security work,” he said. “If you’re not having this independent audit, you’re setting yourself up for failure.”
Here are five tips from the FBI’s cybercrime website on how you can protect your business from a ransomware attack:
- Make sure anti-virus and anti-malware tools automatically update and run regular scans.
- No users should have administrative access to your network unless absolutely necessary.
- Back up data regularly and secure those backups.
- Keep your operating system up to date.
- Be wary of email attachments and be careful about what you download.
A.J. Zak is a freelance writer for Orthodontic Products.