Providing your dental practice with adequate cybersecurity measures requires blocking malware from systems, addressing any malware that does get through, and preparing to recover from a data breach.
Over the past 6 years, I have examined all the individual components of the information technology (IT) needs of dental offices. We’ve explored topics such as digital radiography, computers and networks, business analytics software, the Health Insurance Portability and Accountability Act (HIPAA), and a host of other topics. However, of all the topics I’ve written about, in my opinion, none is more critical than cybersecurity.
There is nothing more valuable to a dental practice than their patient information, and every office should make it their highest priority to protect and secure that data.
If you’ve read the recent articles I’ve written, then you know that I feel strongly that ransomware is far and away the biggest threat I’ve seen in my 35-plus years in dentistry, more than HIPAA, more than Occupational Safety and Health Administration issues, more than COVID-19. Even a cursory scan of the daily news would show the hundreds if not thousands of dental practices that have been attacked, either because of their own lack of adequate security or because of a lack of best practices from their IT company.
If you are committed to protecting your patient information, there are 3 general approaches that I recommend. You have to do everything in your power to keep the malware from reaching your network, deal with any malware that does get through, and, finally, be prepared to recover from an attack if all else fails.
An Ounce of Prevention
There are literally dozens of ways to deal with ransomware, but as the old saying goes, an ounce of prevention is worth a pound of cure. The first line of defense is making sure you have a good firewall in place. By good, I mean business-class like Sophos or SonicWall, not the consumer-level firewalls like Linksys or D-Link or Netgear. A firewall will scan all incoming and outgoing traffic and will often stop malware before it can get into your network. I also recommend what’s called patch management, which is required by HIPAA. Because all software has security holes in it, you must, by law, keep those software programs up-to-date with the latest security patches. Any good managed service IT provider can assist you with this.
Deal With the Malware That Gets Through
There are many viruses that we call zero-day, meaning they attack vulnerabilities that aren’t even known to exist. In those cases, a firewall and patched software won’t necessarily help, so you have to have systems in place to deal with the viruses that get through. In the past, a good general-purpose antivirus application was adequate; that’s not really true anymore. However, there’s an even newer and more exciting approach called application whitelisting and ring-fencing, where only those programs that you preapprove are allowed to run and unapproved programs (like viruses) are stopped in their tracks. I’ve been installing application whitelisting for my clients for 2½ years and have not seen a single virus hit any of those systems with that protection in place.
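The default-deny idea behind application whitelisting, as an added example that is not from the author or from any whitelisting product: a program may run only if its content hash was preapproved, so a never-before-seen program is blocked without any virus signature. Matching on SHA-256 hashes is an assumption made here (commercial tools may also match on publisher or path), ring-fencing is not shown, and all file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash file contents in chunks so large executables are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_allowlist(approved_paths):
    """Record the content hash of every preapproved program."""
    return {sha256_of(p) for p in approved_paths}

def may_run(path, allowlist):
    """Default deny: run only if this exact file content was preapproved."""
    try:
        return sha256_of(path) in allowlist
    except OSError:
        return False  # missing or unreadable files are denied, not waved through

def demo():
    """Constructed sample files standing in for programs on an office PC."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        charting = root / "charting.exe"
        imaging = root / "imaging.exe"
        charting.write_bytes(b"constructed: approved charting build")
        imaging.write_bytes(b"constructed: approved imaging build")
        allowlist = build_allowlist([charting, imaging])

        unknown = root / "invoice.pdf.exe"  # never approved
        unknown.write_bytes(b"constructed: program nobody has seen before")
        renamed_copy = root / "imaging_copy.exe"  # same bytes as an approved program
        renamed_copy.write_bytes(imaging.read_bytes())
        results = {
            "approved": may_run(charting, allowlist),
            "unknown": may_run(unknown, allowlist),
            "renamed_copy": may_run(renamed_copy, allowlist),
            "missing": may_run(root / "gone.exe", allowlist),
        }
        # Overwrite an approved program in place: same name and path, new content.
        charting.write_bytes(b"constructed: modified after approval")
        results["tampered"] = may_run(charting, allowlist)
        return results

if __name__ == "__main__":
    print(demo())
```

The tampered case is why a software update has to be re-approved before it will run: the file name and location are unchanged, but the content no longer matches what was approved.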
Recover From an Attack
If you have followed the first 2 steps above, the chances of being hit with a virus are very, very low—but low doesn’t mean impossible, so you should be prepared. Having a solid and tested backup and disaster recovery system is critical. However, we’ve seen more and more attacks called double and triple extortion. Double extortion is when the attackers download a copy of your data and threaten to put it online, and triple extortion is when they are able to access the patient files and threaten to contact your patients directly.
For these reasons, I highly recommend a minimum of $250,000 of cyberliability/breach insurance. Between legal costs and HIPAA fines and penalties, you’re going to need it if you ever suffer a breach.
In the modern era, there is no longer a single approach to protecting and securing your data. You must have a layered or stacked approach to doing everything you can to make sure the bad actors out there don’t put your entire livelihood at risk.