Ransomware is far and away the biggest threat facing dental practices.
Over the past 18 to 24 months, I have examined all the components of the information technology (IT) needs of dental offices. We have done a deep dive into backup and disaster recovery, 2-factor authentication, network penetration testing, and other topics. In this article, I want to use a wider lens—the proverbial 30,000-ft view from above.
Ransomware is far and away the biggest threat I have seen in my 35-plus years in dentistry: more than the Occupational Safety and Health Administration (OSHA), more than the Health Insurance Portability and Accountability Act (HIPAA), more than COVID-19. Even a cursory scan of the news shows hundreds if not thousands of dental practices that have been attacked, whether because of their own inadequate security or because their IT companies did not follow best practices.
To protect and secure your data, I suggest a 3-pronged approach to dealing with malware and ransomware. You need to keep the bad guys out, be able to deal with them if they get in, and have a way to recover when all else fails.
Keep the Bad Guys Out
There are dozens of ways to deal with ransomware, but, as the old saying goes, an ounce of prevention is worth a pound of cure. The first line of defense is a good firewall. By good, I mean a business-class firewall such as Sophos or SonicWall, not a consumer-grade router from Linksys, D-Link, or Netgear. A business-class firewall inspects incoming and outgoing traffic (intrusion prevention, web filtering, and malware scanning) and can block known malware, phishing sites, and connections to attackers' command-and-control servers before they reach your network; a consumer router does little more than basic port filtering. I also recommend patch management. The HIPAA Security Rule does not name patching as such, but it requires you to manage known risks to electronic patient data and to protect against malicious software, and unpatched software is exactly such a risk. Because all software has security holes, you must keep your operating systems and applications (browsers, PDF readers, and your practice management software included) current with the latest security patches, and keep a record that you did so. Any good managed service IT provider can assist you with this.
Deal With the Malware That Gets Through
Some attacks are called zero day because they exploit vulnerabilities the software vendor does not yet know about, so no patch exists for them. In those cases, a firewall and patched software will not necessarily help; you need systems in place to deal with the malware once it is on a computer. In the past, a good general-purpose antivirus was adequate, but that is not true anymore: traditional antivirus recognizes only malware it has seen before, so you should always supplement it with behavior-based antiransomware software like Intercept X or HitmanPro, which watches for the telltale signs of ransomware (such as one program rapidly encrypting many files) and stops it. There is an even newer, more exciting approach called application whitelisting (also called allowlisting) and ringfencing. With whitelisting, only programs you preapprove may run, so an unapproved program (like a virus) is stopped in its tracks; ringfencing goes further and limits what even an approved program may do, such as preventing Microsoft Word from launching PowerShell or reaching into your backup files. The caveat is that the approved list must be maintained, because every legitimate software update changes the program, so this is a job for your IT provider rather than a set-and-forget product.
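To make the whitelisting and ringfencing idea concrete, here is an added example (written for this article, not code from any product or from the original text) that models the two decisions in a few dozen lines of Python. Real products enforce these rules inside the operating system; this script only reproduces the logic over "programs" it constructs itself in a temporary directory, so you can see why approving a program by the hash of its bytes, rather than by its name, matters, and how a ringfence blocks an approved program from launching another one. The file names, contents, and policy are all made up for the demonstration.

```python
"""Added example: a miniature model of application whitelisting (allowlisting)
plus ringfencing. Programs are approved by the SHA-256 hash of their bytes,
and each approved program has a list of child programs it may launch.
All files and the policy below are constructed for the demo."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Policy:
    allowed_hashes: frozenset   # SHA-256 hex digests of preapproved programs
    may_launch: dict            # parent name -> frozenset of child names it may start


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def may_run(policy, exe_path):
    """Whitelisting: run only if the file's hash is preapproved (name is irrelevant)."""
    return sha256_of(exe_path) in policy.allowed_hashes


def may_spawn(policy, parent_name, child_name):
    """Ringfencing: an approved parent may launch only the children listed for it."""
    return child_name in policy.may_launch.get(parent_name, frozenset())


def decide(policy, parent_name, exe_path):
    """Decision for one launch request. parent_name is None when a user starts
    the program directly. Returns (allowed, reason)."""
    name = os.path.basename(exe_path)
    if not may_run(policy, exe_path):
        return False, f"{name}: hash not in whitelist"
    if parent_name is not None and not may_spawn(policy, parent_name, name):
        return False, f"{parent_name} is ringfenced from launching {name}"
    return True, f"{name}: approved"


def build_demo():
    """Construct fake 'programs' and a policy; returns (policy, paths)."""
    d = tempfile.mkdtemp()
    contents = {                      # constructed stand-ins, not real binaries
        "winword.exe": b"WORD-PROGRAM-BYTES",
        "practice.exe": b"PRACTICE-MANAGEMENT-BYTES",
        "powershell.exe": b"POWERSHELL-BYTES",
    }
    paths = {}
    for name, data in contents.items():
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    # Malware dropped in Downloads that copied an approved program's NAME.
    fake_dir = os.path.join(d, "downloads")
    os.makedirs(fake_dir)
    paths["fake_winword.exe"] = os.path.join(fake_dir, "winword.exe")
    with open(paths["fake_winword.exe"], "wb") as f:
        f.write(b"RANSOMWARE-BYTES")
    policy = Policy(
        allowed_hashes=frozenset(sha256_of(paths[n]) for n in contents),
        may_launch={
            "practice.exe": frozenset({"winword.exe"}),  # may open letters in Word
            "winword.exe": frozenset(),                  # Word may launch nothing
        },
    )
    return policy, paths


if __name__ == "__main__":
    pol, p = build_demo()
    for parent, exe in [(None, p["winword.exe"]), (None, p["fake_winword.exe"]),
                        ("winword.exe", p["powershell.exe"]),
                        ("practice.exe", p["winword.exe"])]:
        print(decide(pol, parent, exe))
```

The second request is the interesting one: the file is named winword.exe, but its bytes are not Word's, so the hash check denies it. The third shows the ringfence: PowerShell is an approved program (your IT provider needs it), yet Word is never allowed to start it, which is exactly how a macro in a booby-trapped "invoice" document would try to download ransomware.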
Recover From an Attack
If you have followed the first 2 steps above, the chances of being hit with a virus are very low, but low does not mean impossible, so you should be prepared. Having a solid and tested backup and disaster recovery system is critical. Tested means you have actually restored files from it and checked them, not just watched the backup job report success, and at least one copy must be offline or otherwise out of reach of an attacker who controls your network, because ransomware routinely deletes or encrypts any backup it can find before it encrypts your data. However, even a good backup will not necessarily save you from a ransomware criminal's demands. Many are resorting to what I call double extortion: they copy your data out before encrypting it, demand you pay the ransom, and if you refuse, they threaten to post your patient files online. A backup gets your files back; it does not get the stolen copies back. Because of this, I highly recommend you have some sort of cyberliability or breach insurance; most offices should have at least $250,000 of coverage. The insurance will help cover the costs of the ransom, your downtime, legal fees, HIPAA fines…the list goes on.
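What a "tested" backup looks like in practice, as an added example (written for this article, not code from the original or from any backup product): the script below backs up a folder of constructed sample "patient files" together with a manifest of their SHA-256 hashes, simulates ransomware overwriting the originals, and then runs a restore drill that copies the backup into a scratch folder and checks every restored file against the manifest. It then repeats the drill after the attacker has also reached the backup share, which is the case the offline-copy advice above is about. The directory names and file contents are made up; a real office would point the backup at its data share and an off-site or offline target, and would keep the manifest somewhere the attacker cannot rewrite it.

```python
"""Added example: a backup with a hash manifest and a restore drill that proves
the backup is good (or catches that it is not). All data is constructed."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and record its hash.
    Paths in the manifest use '/' so the manifest is portable across systems."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            dest = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
            manifest[rel] = sha256_of(full)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(backup_dir):
    """Return the files whose hash no longer matches the manifest (empty = good)."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [rel for rel, digest in manifest.items()
            if not os.path.exists(os.path.join(backup_dir, rel))
            or sha256_of(os.path.join(backup_dir, rel)) != digest]


def restore_drill(backup_dir, restore_dir):
    """Restore into a scratch directory and re-check each file; True only if
    every file in the manifest came back with the right hash."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    ok = True
    for rel, digest in manifest.items():
        src, dest = os.path.join(backup_dir, rel), os.path.join(restore_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        if not os.path.exists(src):
            ok = False
            continue
        shutil.copy2(src, dest)
        if sha256_of(dest) != digest:
            ok = False
    return ok


def simulate_ransomware(directory):
    """Overwrite every file under directory with junk, as ransomware would."""
    for root, _, files in os.walk(directory):
        for name in files:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"ENCRYPTED-" + os.urandom(16))


def run_demo():
    base = tempfile.mkdtemp()
    data, backup = os.path.join(base, "patient_data"), os.path.join(base, "backup")
    os.makedirs(os.path.join(data, "xrays"))
    with open(os.path.join(data, "chart_001.txt"), "w") as f:
        f.write("constructed sample chart\n")
    with open(os.path.join(data, "xrays", "img_001.bin"), "wb") as f:
        f.write(b"\x00\x01\x02constructed sample image")
    manifest = make_backup(data, backup)

    simulate_ransomware(data)                      # production files are gone
    clean = restore_drill(backup, os.path.join(base, "restore1"))

    # The backup share was online and writable, so the attacker reaches it too
    # (only the xrays folder here, so the manifest itself survives).
    simulate_ransomware(os.path.join(backup, "xrays"))
    damaged = verify_backup(backup)
    tampered = restore_drill(backup, os.path.join(base, "restore2"))
    return {"file_count": len(manifest), "clean_restore": clean,
            "damaged": damaged, "tampered_restore": tampered}


if __name__ == "__main__":
    print(run_demo())
```

The first drill succeeds because the backup was untouched. The second fails and names the damaged file, which is the result you want to see in a drill rather than on the day you need the backup; it is also why one copy has to sit where an attacker on your network cannot write to it.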
In the modern era, there is no longer a single approach to protecting and securing your data. You must have a layered or stacked approach to doing everything you can to make sure the bad actors out there do not put your livelihood at risk.