Being prepared for the worst can help your practice feel more confident when dealing with ransomware attacks.
We’ve all heard the horror stories: Practices that are devastated by data-security breaches and cyber ransom attacks. In 2015, a practice in Minnesota was hit twice in one week by hackers. In 2019, a ransomware attack disabled nearly 400 dental practices across the country. Just three months later, a separate attack on an IT company in Colorado crippled more than 100 additional practices. Add on attacks in the Dallas area, Pacific Northwest and across Wisconsin, and it seems like no location is safe.
No one wants to be a practice in one of these stories. But dental practices are a prime target for hackers and ransomware-attack conspirators. At first glance, it may seem that big-box stores or lucrative chains would be a more logical target, but dental practices have exactly what these cybercriminals are looking for.
“The reality is that health records are far and away the number-one commodity on the black market,” says Lorne Lavine, DMD, HIPAA and data security expert and founder and president of The Digital Dentist. “Health records contain the patient's name, phone number, date of birth, social security number, and credit card information. They are literal goldmines.”
To make it worse, the perpetrators of these cyber attacks know that dental practices can’t afford to be locked out of their systems, or have their patient data compromised—and that practices will do just about anything to get it back.
“Unfortunately, they know that dental offices for the most part have the ability to pay,” Dr Lavine says. “So, dental offices are absolutely a prime target.”
With this much attention on dental practices and their valuable data, practitioners need to take extra steps to avoid becoming a victim. This means disaster proofing your practice’s data and operations—and knowing what steps to take in the unfortunate event of a breach.
Weighing the threat
Bottom line: The threat is real. And while that doesn’t mean practices should panic, it does mean they need to be prepared. Very prepared.
“We’ve been preaching HIPAA compliance for well over a decade, but for various reasons, it just doesn’t seem to resonate with dental offices,” Dr Lavine says. “They seem to think the threat risk is relatively low. But it’s impossible to pick up a newspaper or go online and not hear about the latest ransomware breach of some major company—and dental practices are far from immune.”
And while practices can take individual precautions, they need to remember that not all of their data is in their hands. If their IT company doesn’t follow best practices, it is the practice that can suffer. Ultimately, if a ransomware criminal can get into the IT company’s portal, they now have access to every one of the computers and servers that the IT company manages. And at the end of the day, if the IT company suffers a breach, the dentist is still the one held responsible.
“I don't want to use fear mongering as a way of getting someone to do something,” Dr Lavine says. “But on the other hand, I feel like my obligation as an IT partner is to tell people what they're at risk of and what the consequences would be if something were to happen, as well as how best to deal with it and what their options to deal with it would be—and what those options would cost. And then it's up to them.”
So, what steps should a practice take to safeguard their data? It all boils down to 1 thing.
“Ransomware, ransomware, and ransomware,” Dr Lavine says. “Just like the 3 most important things in real estate are location, location, location. There’s no question.”
When it comes to protecting data, ransomware protocols are far and away the most critical thing, says Dr Lavine. Step 1 is keeping the ransomware out. Step 2 is dealing with it if it does get in. And step 3 is having proper recovery protocols in place if steps 1 and 2 fail.
Step 1—keeping the ransomware out—means putting the necessary precautions in place in advance. One critical component of these precautions is to implement a business-class firewall. Consumer-level firewalls (like Linksys, Netgear, or firewalls built into cable modems) are designed for exactly that—consumers—and shouldn’t be used in business settings like a dental practice; they simply aren’t effective enough.
“Get a real firewall,” Dr Lavine states. “A real business-class firewall is a must. They aren’t inexpensive—a decent firewall is going to run a practice somewhere in the range of $500 to $800—but this is the number-one thing you can do to protect your data.”
The second component of the ever-critical step 1 is patch management. Every software program out there has security holes in it, holes that companies are continuously finding and patching.
“It’s like a game of whack-a-mole,” Dr Lavine says. “They’re trying to keep on top of it, but they’re finding new holes every day, and just trying to stay in front of the people who might exploit those holes.”
As an example, Dr Lavine points to Microsoft’s transition at the beginning of 2020, when the company informed everyone that they needed to switch from Windows 7 to Windows 10. It wasn’t that Windows 7 would no longer work, but that Microsoft would no longer be patching it. And since patch management is also a HIPAA requirement (the law states that a practice’s software must be current and up to date), practices, like everyone else, had to make the switch or fall out of HIPAA compliance.
And while Microsoft Windows rolls out automatic patching, that alone is not enough to keep a practice’s entire system secure. Most practices run far more software than just Windows, and by law, all of it has to be kept current so that it stays protected against ransomware.
“The most common way that ransomware gets into your system is through email,” Dr Lavine explains. “But the second most-common way to get it is through an unpatched operating system. So, it is really critical that they do this patch management. You can’t just load the software and not think about it again for a year or two. That’s just not safe. And, from the HIPAA standpoint, it’s a violation if you don’t have patch software.”
Despite a high-quality firewall and regular patching, sometimes ransomware can sneak into a system. Unfortunately, the days of just throwing some antivirus software on your computer and being done with it are over. Part of what makes ransomware so tricky is that many of the new viruses coming out are so-called zero-day infections—a virus so new that a firewall doesn’t know what to do with it. Essentially, your firewall and antivirus software don’t recognize it as a virus and don’t know what it is.
To combat this challenge, practices should have 3 things in place: Antivirus software, anti-ransomware software, and application whitelisting. While most practices have antivirus software in place, it’s also critical to have ransomware-specific defenses in place.
“There are tons of good antivirus software out there,” Dr Lavine says. “The challenge with antivirus software though is that even though the companies tell you that the software will do a good job against ransomware, in my experience that is often not the case. So, I always recommend that practices supplement their general antivirus software with ransomware-specific software. Some of the best-known ones are Intercept X and HitmanPro, but there are a lot of good options out there.”
To further protect against the sneaky zero-day infections, practices should implement application whitelisting. An application whitelist is essentially a bouncer that stops uninvited guests at the door. If a program is not on the approved list, the software won’t allow it to run. If something does manage to get through your firewall, patch software, antivirus software and anti-ransomware software, the application whitelisting pretty much stops it in its tracks.
“I think application whitelisting is a game changer when it comes to viruses and ransomware,” Dr Lavine says. “We take an inventory of all the software that a practice is running, and if any program not on that list tries to run, it will literally get stopped. Since we started doing application whitelisting with our clients about six months ago, we have not had a single virus infection, which is not something we could say before that.”
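On a Windows practice network, the inventory-then-block approach described above can be expressed with the built-in AppLocker cmdlets; this is an added example, not Dr Lavine’s or The Digital Dentist’s tooling. It assumes an AppLocker-capable Windows edition with the Application Identity service running, and the directory and output paths are placeholders for a practice’s own locations.

```powershell
# Added illustration: build a deny-by-default AppLocker policy from an
# inventory of the software already installed, audit it, then enforce.
# Requires a Windows edition that supports AppLocker (Enterprise/Education
# or Server) and the "Application Identity" (AppIDSvc) service running.
# Directory and file paths are placeholders for this practice's own setup.

$inventoryDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$policyPath    = 'C:\AppLocker\allowlist.xml'   # placeholder output location
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory: collect publisher-signature or hash details for every
#    executable, DLL, script and installer that is already present.
$fileInfo = foreach ($dir in $inventoryDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
}

# 2. Turn the inventory into allow rules. Publisher rules survive routine
#    updates of signed software; hash rules cover unsigned binaries and must
#    be regenerated when that software changes. -Optimize merges duplicates.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# 3. Start in audit mode: blocked-would-be events are logged (AppLocker
#    event log) without stopping anything, so legitimate programs missing
#    from the inventory show up before staff are locked out of them.
[xml]$doc = Get-Content -Path $policyPath
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$doc.Save($policyPath)

# 4. Dry run against a program that is NOT in the inventory (placeholder
#    path to an existing, unapproved file). Anything outside the allow
#    list evaluates as denied, which is the "bouncer" behaviour described.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Users\Public\Downloads\unknown.exe' -User Everyone

# 5. Apply the policy locally. Flip EnforcementMode to 'Enabled' in the
#    XML once the audit period shows no false positives; -Merge keeps any
#    rules that already exist rather than replacing them.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

In a multi-workstation practice the same XML is normally distributed through Group Policy rather than applied machine by machine.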
Use your resources
In dentistry, dentists wouldn’t think of doing their own legal work, or attempting endo or orthodontic procedures they weren’t trained for—they would employ a specialist to get the job done. Cybersecurity shouldn’t be treated any differently, particularly as it becomes a bigger and bigger issue; dentists should be focused on their practice and their skills, not spending time and energy trying to secure their systems. This means relying on the experts.
“One challenge with HIPAA compliance is not so much that you've got the systems in place, but that you can prove that you've got the systems in place and that you can document it all properly,” Dr Lavine says. “Most offices, even ones who are tech savvy, don't know how to do this stuff. You need to do a risk assessment—you wouldn’t treat a new patient without doing X-rays or charting and gathering your data—and you have to treat cybersecurity the same way. But you’ve really got to look and know where to look, and this requires a professional.”
And while no one wants to spend extra money where they don’t have to, in this case, hiring an expert could save practices a substantial cost down the road. Unlike a lot of HIPAA rules, which are somewhat ambiguous, the HIPAA Breach Notification Rule is very clear. It requires HIPAA-covered entities (such as dental practices) to provide notification to the U.S. Department of Health & Human Services (HHS) after a breach. Practices are also required to notify all patients and the news media, and are listed on the HHS website. Additionally, they could face tens, if not hundreds, of thousands of dollars in fines, penalties and lost revenue from the practice having to go through an audit.
“When you look at the penalties of a breach and compare them to the cost of having a really good dental IT company managing your practice, it’s a no-brainer,” Dr Lavine says. “Find an IT company that really specializes in healthcare, specifically cybersecurity.”
This is particularly important to smaller practices that may not have the in-house resources to properly protect patient data. Most of the larger corporations and health groups, such as Anthem, hospitals, or large DSOs, have high levels of cybersecurity in place; they can afford to have multiple people on payroll who specifically handle HIPAA and IT. But that isn’t true for most solo practices.
“Most dental offices don’t have that,” Dr Lavine says. “You’ve got an office manager, not a cybersecurity expert. But they are responsible for keeping the practice safe. Even the most tech-savvy practices don’t have the ability to install and manage this type of software on their own. If there is a breach, what will even a couple of days of downtime cost a practice? Without your system, you’re dead in the water. Even that will probably cost a practice more than hiring an IT expert to manage cybersecurity.”
Ultimately, Dr Lavine approaches having an IT team like having car insurance: It may seem unnecessary now, but if trouble arises, it will all seem like a good investment.
“There’s a good chance you may never need it, but the one time you do, you’re going to be awfully glad you’ve got it in place,” he says.