Dr. John Flucke is in private practice in Lee’s Summit, Mo. He also serves as technology editor for Dental Products Report magazine and keeps an active blog filled with thoughts and tidbits on the world of technology at blog.denticle.com.
The threats are changing, making security all the more important in the dental practice.
In the very late 1990s my office was burglarized. Fortunately, one of my patients owned a small security/alarm company and he had convinced me to install an alarm system in the office. He had somehow gotten access to some crime statistics for my area and showed me that the incidence of break-ins for small businesses was on a statistical upswing.
We had never kept drugs in the office and our petty cash was less than $50, but I figured an alarm couldn’t hurt and besides, back then alarm systems were pretty cool gadgets, which of course made it impossible for me to resist.
About sixty days or so after having the alarm system installed, my office was broken into. The crooks made off with about $30 in petty cash and did about $1200 worth of damage to my office. The good news was that when the alarm went off it scared them away so at least the office wasn’t ransacked. We had minimal cleanup and, really, it was just more of an inconvenience than anything else. It was irritating, but it didn’t affect my business at all.
When I built my new office a few years ago, it was broken into while still under construction. The price of copper was very high and the police told me there was a ring of copper thieves in the area. They would break into buildings under construction to steal copper wire and copper pipe. Since we were running copper lines for our nitrous oxide delivery that made us a very attractive target. Fortunately, the copper pipes were already covered by concrete and the wiring was mostly done so, once again, the biggest hassle was the damage they did breaking in… even though the building wasn’t ready yet.
The new break-in threat
Ah, how we should all long for the good ole days. Sweeping up some broken glass and paying someone to perform some quick repairs seems like a tropical vacation compared to dealing with some of today’s security threats.
As we have moved our world, our lives and our practices from analog to digital, we’ve seen some incredible advantages in speed and efficiency. Unfortunately, along with those benefits we’ve also been confronted with a series of risks that exploit those same technological advances.
In the early days of our technological revolution, the biggest digital outside threat came from recreational hackers. These were almost always technology lovers who were breaking into systems for the thrill and also just to see if they could do it. The concept of stealing data or damaging the victimized system was rarely considered. Instead, this was about bragging rights and adrenaline rushes.
However, as with most things in our world, at some point along the journey crooks came up with a way to make money from it. In the early 2000s, a new term began to be heard in security circles and then the term spread into use by the general public. Identity theft became an incredibly hot topic as more and more people became victims of it and criminals kept finding better and better ways to pull it off.
So, how does all of this affect us in healthcare? In simple terms, the more information criminals can gain about an individual, the easier identity theft is to accomplish. Because of that simple fact, healthcare records, with all of the info they contain, are the most sought-after pieces of data by those committing identity theft. I’ve been told by some folks in the security field that stolen credit card data is frequently sold for a dollar or less, while a single healthcare record can go for $15-20.
This means that those of us in charge of patient data need to be extremely cautious with it and make sure that it is as safe as we can make it. The days are gone where hackers were trying to break into a system for bragging rights or just to see if they could. According to the Identity Fraud Study, released by Javelin Strategy & Research, it was estimated that $15 billion was stolen from 13.1 million U.S. consumers in 2015. Nowadays, hacking and stealing confidential data is very big business.
Let me give you an example:
Three to four months ago (roughly May to June 2016 from what my research indicates) four large healthcare firms had their systems breached by a sophisticated hacking group. This group, who used the online handle thedarkoverlord, used a very sophisticated hack to gain access to these systems. Once access was gained, thedarkoverlord downloaded databases that contained patient demographic information as well as information classified as private by HIPAA.
The numbers of individuals who had their data compromised are as follows:
• Organization #1: 48,000 patients
• Organization #2: 210,000 patients
• Organization #3: 397,000 patients
Each organization was contacted by thedarkoverlord, and attempts were even made to contact each member of the company’s Board of Directors. The hackers stated publicly they were willing to explain how they got into the system and to return the copied data if the companies involved paid a fee. The companies did not respond and the hackers put the data up for sale on the Internet with prices for the databases ranging between $100,000-$395,000.
A few days later, thedarkoverlord announced another data breach from a fourth company (a health insurer) of 9.3 million patient records. The same scenario unfolded and the database was priced for online purchase for $485,000.
Has anyone purchased these databases? It’s hard to say. It’s likely the hackers won’t be talking about it and the same goes for any criminal group who purchased them. Why draw attention to yourself from law enforcement?
The main takeaway here is to safeguard your data. With healthcare records being worth so much on the illegal market, we are going to continue to be targets. Private practices, of course, won’t be storing millions or hundreds of thousands of records, but we still are keeping records that have a good amount of value to those looking to steal identities.
Talk to your IT folks and make sure you have your network as secure as they can make it. The best offense is a good defense.
The ransomware threat
If you haven’t heard of ransomware yet, you will. In the most simple terms, it is either a virus-type program that gets on your computer the same way a virus does or the program is placed there by a hacker who breaks into your computer or network and installs it.
That means that the standard problems of opening an infected email, running a malicious program that you think is safe, using a jump drive that infects your computer in the background, etc., are all ways you can end up with a ransomware problem.
The ransomware program encrypts the hard drive of the computer it is installed on. When the computer is started, all the user sees is a screen that tells the user how to contact the criminal in charge of the ransomware. This person wants money and will hold your data hostage until they get what they want.
If you are lucky, the scammer will get their money, give you a password that restores your hard drive, and all is well. However, in many cases the money is taken and nothing ever happens past that. No password or instructions… nothing. Basically the computer owner is left hung out to dry and ends up having to reformat their computer.
Ransomware is becoming more and more common and it is especially happening more in healthcare. According to a recent threat report by Solutionary’s Security Engineering Research Team in the second quarter of 2016, 88 percent of all ransomware attacks were targeting hospitals. They also claim that 94 percent of the attacks in the healthcare system were linked to the same ransomware program called CryptoWall.
So, how do you fight this threat? The first way is to not be fooled into running anything that can infect your computer or your office network. The second way is to have a vigorous and robust backup and recovery process.
In addition to utilizing USB portable hard drives and large capacity jump drives, I highly recommend using a system called DDS Rescue.
DDS Rescue is a self-contained computer that is shipped to your office and plugs into your network via standard network cabling. A program is then installed on your server that allows the DDS Rescue system to see the server on the network and connect to it.
The DDS Rescue system creates multiple bootable backups of your data onsite. However, that’s only half of the amazing part. The other half is that these same bootable backups are uploaded to the cloud and stored in a secure server farm.
If a disaster ever befalls your office, these bootable backups can be accessed, giving you access to your data.
Since DDS Rescue creates a backup once every hour, if you ever are unlucky enough to face ransomware you can recreate your data with minimal downtime. I know of several offices that have been saved from ransomware by DDS Rescue, and the system is running in my office as I type this.
Security requires professionals
We are now at a point in the digital evolution where we must have IT professionals whose job is to make sure our networks and data are safe. In the same way that we don’t want patients diagnosing and treating their dental problems, IT pros don’t want dentists trying to configure and protect their IT infrastructure.
In order to keep things safe and HIPAA compliant, you need a good IT company.
Also, should you ever have the disaster of a security breach, here are a couple of recommendations to help you. Before disaster strikes, talk to your insurance professional about coverage called “Data Compromise and Identity Restoration.”
Data compromise is coverage for data that is breached that impacts a customer. Identity restoration is for helping to deal with the impacts on the practice. They are separate endorsements but sold as a package. My current cost for these two products is $157 per year and I sleep much better knowing those policies are in place.
Security is serious business
It’s important that we take the necessary steps to make sure we are prepared for any type of outside attack before it takes place. By thinking things through and having professionals on your team that can help when disaster strikes, you’ve already won half the battle. Remember, just because you’re paranoid doesn’t mean they’re not out to get you!