Data breaches can happen to any person, business
Cybersecurity experts offer best practices on how to protect oneself
Gary Salman, CEO and co-founder of Black Talon Security, has a warning for dental workplaces.
“Many practices still harbor a broken mindset, meaning they believe they are immune to breaches, thinking that it won't happen to them,” he said.
Paul Redding is vice president of partner engagement and cybersecurity for Compliancy Group, the ADA Member Advantage-endorsed company that specializes in helping practices and organizations comply with regulations set forth by the Health Insurance Portability and Accountability Act Privacy Rule and the Occupational Safety and Health Administration. He echoes Mr. Salman’s warning.
“I think [a] major misconception dental practices often operate under is the mistaken belief that because you use an electronic health record or practice management software your data is protected and your practice is compliant,” he said.
Mr. Salman, whose New York-based cybersecurity firm has experience helping dental practices be mindful of expanding threats, joined Mr. Redding in providing expert tips on how to avoid data breaches by answering a number of questions about protecting oneself from being a cyberattack victim.
ADA News: What are typical causes of data breaches?
Mr. Salman: There are two primary causes of data breaches. The first attack methodology utilizes social engineering scams, such as phishing, spear phishing, SMSishing [done via text or instant messaging apps] and vishing [using phone calls and voicemail]. These attacks typically result in users surrendering their credentials, such as usernames and passwords, or downloading malicious payloads that deploy ransomware and steal patient data. The second attack methodology involves detecting and exploiting vulnerabilities in devices such as firewalls, servers, workstations and smart devices. Hackers scan these devices without the practice's permission, identify flaws in software and hardware and use tools to gain access to the device and its data. Once they have infiltrated the network, they spend days or weeks exfiltrating most or all of the patient data and gain access to other systems that the practice uses.
Mr. Redding: The reality is that your vendors are protecting themselves and the data they are directly responsible for and nothing else. Sensitive data “bleeds out” of your electronic health record into many other parts of your business. When you print a record from your electronic health record, it stores a copy in the temp files on your local computer. When you receive an email from a patient, provider or employee, the data is stored with the email provider in their cloud, and often on the email client on the recipient's computer.
ADA News: Are there obvious signs that a cybersecurity incident has occurred? What should dentists be on the lookout for?
Mr. Salman: Arriving at their office on a Monday morning, employees may find that computers either won't turn on, display a skull and crossbones on the monitor or see a ransom note indicating a ransomware attack. Other signs include servers being down, workstations malfunctioning, encrypted files on the desktop, inability to open files and the possibility of receiving phone calls from the hackers.
ADA News: What are practical ways that dental offices can prevent data breaches from happening?
Mr. Salman: In addition to collaborating with their IT resources, practices should engage a dedicated cybersecurity company that works hand in hand with IT to ensure adherence to all best practices. It's also crucial that all doctors and staff complete cybersecurity awareness training, a key component of compliance with the Health Insurance Portability and Accountability Act, and undergo a security risk assessment to determine if changes are needed in their current data security policies and procedures. Real-time vulnerability scanning of computers to detect hardware and software vulnerabilities is essential. Daily scanning of firewalls to identify vulnerabilities, misconfigurations or open ports is necessary. Employing an ethical hacker to test the configuration and resilience of the firewall and using AI-based antivirus software to reduce ransomware risks are important steps. Maintaining clear visibility into all devices that pose a risk to the practice enables doctors to make informed, risk-based decisions. Implementing multi-factor authentication on banking, human resource systems, finance and electronic health record systems, using a domain-specific email address instead of a free Gmail or AOL account and deploying artificial intelligence-based email security tools to preemptively detect malicious emails are critical measures.
Mr. Redding: When most providers think about protecting their practice from a breach, almost universally the tendency is to focus on the technology itself: antivirus, data backups, firewalls, etc. While these are certainly important, and without question should be implemented, breach prevention really begins with the realization that this can, and almost assuredly will, happen to you. Far too often we see dentists and other small practices operate under the belief that the bad guys only target large, complex organizations, and therefore their small size shields them from risk. Nothing could be farther from the truth. Hackers and other bad actors want quick wins just like everyone else. Hackers are running a business. Their commodity is your data. This means they want the fastest, easiest path to revenue just like any other business. Sure, they are going to set up a team dedicated to a year-long campaign to hack a United Health or similar enterprise targets, but the way they are going to fund that strategic assault is with the money they make selling the data stolen from all the small businesses that were quick easy targets. The realization that your small practice is a target and the data you hold is valuable enough for the bad guys to come after you is the first step to breach prevention. Only after you have come to terms with this reality can you truly begin working to protect your patient data.
ADA News: In the last few years, are hackers getting more sophisticated in their methods?
Mr. Salman: Very much so. We have observed a significant increase in payroll fraud, wire fraud, email compromise and third-party breaches that subsequently impact the practice, patient care and reputation, among other issues. Criminals are leveraging AI-based technology to create malicious code, a technique that no longer necessitates advanced coding skills from hackers. They are also utilizing technologies such as ChatGPT to craft highly convincing spear phishing emails. An example [might include] a fake referral letter that directs the recipient to a malicious link under the guise of downloading X-rays.
ADA News: What should dentists do if they fear that a data breach has happened?
Mr. Salman: Immediately disconnect the network from the Internet to sever the hackers' access. Encourage anyone who witnessed anything unusual or possesses relevant information to create a timeline and document their observations. This documentation may include screenshots of ransom notes and detailed accounts of events as they recall them. Contact the cyber insurance provider without delay. Do not erase or delete any data on the system. Maintain confidentiality about the incident to prevent public knowledge of the potential cyber event. Engage a cybersecurity firm to conduct forensic analysis and assist with network recovery. Inadequate management of a cyber event can lead to severe legal and compliance repercussions. It is important to note that most IT companies prioritize restoring operations and may not fully grasp the legal implications of the breach.
Mr. Redding: Most people get it wrong. When faced with a ransomware attack or a hacking incident, the first thing you want to do is contact your attorney. Yes, IT needs to jump in and stop the bleeding. Yes, your insurance is going to need to be notified. Yes, state and federal agencies have breach reporting processes that you need to follow. That said, involving your attorney on the front end, and including them in all communications around the incident, makes these communications protected under attorney/client privilege. From day one, you should assume this incident could land you in court one day, so get your attorney involved as soon as possible.
ADA News: What ultimately leads to data breaches?
Mr. Redding: Human error and insider threats lead to 80% of all data breaches, and no electronic health record in the world can prevent a human being from doing something malicious or outright dumb. These are the reasons you have to be fully secure and compliant as an organization, regardless of what electronic health record or other application you are using to manage your business. Compliance and risk management are required for all health care providers, and no one can absolve you of this responsibility. It's your name on the door.
Editor’s note: The article presented here is intended for information about the broader perspective on dentistry, regardless of its alignment with the ADA's stance. Publication of this article does not imply the ADA's endorsement, agreement or promotion of its content.