Keeping Personal and Practice Data Safe in the Wake of the American Dental Association Hack

What to be concerned about and what steps to take to protect your dental practice from cyber-attacks.

None of us wants to learn the unfortunate news that our office has been hit with a cybersecurity attack. In addition to the effects it can have on our business and potentially, our income, there is also the matter of protecting patient data. Not only is protecting that data the right thing to do, but it is also required by law. Cybersecurity incidents can be a harrowing ordeal. While there is no way to completely guarantee you will never be affected by one, there are some good rules to follow which will help make you less susceptible.

Given the recent hacking of the American Dental Association (ADA) office as well as the increase in cybersecurity threats due to the ongoing issues in Ukraine, I turned to the person and company that I trust for my own practice’s cybersecurity.

Here’s some insight from Steve White, Senior Partner and Vice President of DDS Rescue.

Dr John Flucke: Given what we know about the cyber-attack at the ADA offices, what are your initial thoughts?

Steve White: Without knowing exactly what files the hackers have accessed, we can only make assumptions. Based on these assumptions, each individual ADA member should take extra steps to ensure their personal and their practice’s data is protected.

JF: Given the current situation, what are some immediate steps that ADA members should take to protect themselves and their practices?

SW: The first concern that I have is the personal data that may have been caught up in this hack—data that can be used for personal identity theft.

To be safe, you should assume that the hackers have the password to your ADA account. Even if you have never used your ADA password anywhere else, you should immediately change your passwords, especially any and all passwords associated with anything financial such as your accounting software, banking, investments or retirement accounts.

In fact, this is a good time to go through all of your passwords and employ best practices for proper password management. Password complexity and expiration policy should be enabled and enforced by Group Policy when possible. Here are a few password don’ts:

  • Don’t reuse passwords. If you do, a hacker who obtains access to 1 of your accounts will be able to access all of them.
  • Don’t use a regular dictionary word as your password. If you do, at least string several together into a passphrase.
  • Don’t use standard number substitutions. Do you think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
  • Don’t use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” can be cracked quickly. Your best defense is the longest possible password.

You should also enable 2-Factor Authentication, also referred to as Multifactor Authentication, to all applications and websites that offer this as an option. Two-Factor Authentication sends a 1-time code to your cell phone to validate that it is you who is attempting to login. When enabled, a hacker will need both your password and your cell phone to successfully login.

JF: I have received notifications that both my cell phone number and my email address have appeared on the dark web. Besides identify theft protection, are there any other steps that we should take?

SW: You bring up a good point. With healthcare being such a high-priority target for cyber-attacks of all types, having an active identity theft protection program, such as LifeLock or Identity Guard, are not only a best business practice, but also just common sense.

In addition, a professionally run Dark Web Assessment should be conducted now and subsequently on an annual basis to see what personal information may be out there. You don’t have to have a full cyber-attack to have information leaked that can be used to create an online clone of you or your practice.

JF: Is there any chance that any of the information that the ADA hackers may have could increase the likelihood of an office having a cyber-attack?

SW: Not individually, but as a group, possibly. The chances that the ADA attack could lead to a single office becoming an individual target of a cyber-attack are slim. Having said that, it should be assumed that the hackers do have all the members’ email addresses. That brings up the possibility of using these addresses to do an email Phishing attack.

Over 90% of the successful ransomware attacks in dental come into the practices through emails camouflaged as a company or individual that the recipient trusts.

Each office needs to develop sound defenses against this type of attack by understanding that there is no single step that can be taken to prevent a ransomware attack. A multilayered approach is necessary.

The step that all members should immediately take is making certain that you are using a professionally managed email service. A no-charge email provider is neither Health Insurance Portability and Accountability Act (HIPAA) compliant nor a strong enough defense to decrease the chances of a successful ransomware attack.

A professionally managed email service, such as Google G-Suite and Microsoft 365, provide a layer of encryption to your stored emails that is required to be compliant. In addition, these email service providers are 2 of the best at filtering out dangerous incoming emails. They both provide continuous updates to their service to filter out malicious emails before they can reach your network.

JF: You mentioned a multi-layered approached. What are different steps and how do the members learn more?

SW: The steps that should be taken vary widely from administrative to technical. Some are easily identifiable, such as your email provider; another is if your staff has had sufficient training. Everyone in your office, doctors included, need to be properly trained in how to avoid triggering a ransomware attack. A qualified healthcare or dental cybersecurity provider should provide this annual training as part of their normal services.

The additional protection layers are technical in nature and are managed in the final—and most important—step, which is a professional network security risk assessment. We have found that the majority of offices across the country do not know that having a proper risk assessment is a major HIPAA requirement—one that needs to be done every 12 months and is the first thing that the Office of Civil Rights will ask to see should you ever be audited.

In addition to ensuring you are HIPAA-compliant, a proper risk assessment is the best tool to identify the layers of defense that your practice presently has deployed and what layers of defense should be added or upgraded to be both compliant and properly defended against a cyber-attack.

It is advised that this risk assessment be run by a third party, and if done properly, will not interfere with the workflow on your network.

From Dr John Flucke: DDS Rescue runs this assessment on my practice each year. You can learn more about a proper risk assessment by visiting their website, DDSRescue.com or by phoning them at 800-998-9048.