The Second Line of Defense

The first 2 articles of this 6-part series discussed taking a pragmatic approach to dealing with ransomware, the class of viruses I believe are the biggest risk to dental offices now and in the immediate future. Last month’s article looked at firewalls, arguing that the best defense against malware is to prevent it from getting onto your network in the first place.

But what if the virus makes it through that first line of defense? The most common entry point for ransomware is through email, with unpatched operating systems, and software not far behind. If the virus has made it through your perimeter, then you must have systems in place to deal with it before it can do damage. In my experience, there are 4 ways to handle this (you are likely familiar with at least 2 of them):

1. Antivirus software: The need for antivirus software has existed for decades, long before ransomware became prevalent. It has become so commonplace that Microsoft even includes a built-in program, Defender when you purchase Windows 10. Is it the best antivirus software out there? In my opinion, no. There are definitely better programs on the market. Yes, you must pay for them, but like many things in life, you tend to get what you pay for. I happen to be a fan of ESET NOD32. Other good products exist from companies like Kaspersky, Malwarebytes, and BitDefender. One of the key criteria when choosing an antivirus program is that it offers exclusions: the ability to not scan certain files. An antivirus program that is constantly scanning your practice management software, for example, is the most common reason for that software to run slowly. Setting up proper exclusions will prevent these types of slowdowns.
   
2. Anti-ransomware software: Although most antivirus software programs claim to prevent ransomware attacks, this hasn’t been my experience. I always recommend that you supplement your antivirus software with ransomware-specific software as well. Ones that come to mind are Intercept X from Sophos and HitmanPro. These programs on average run around $35 to $50 per computer per year, a small amount compared with the downtime and cost of paying a ransom if you’re ever hit with a virus.
   
3. One of the newer techniques is one I’ve been testing with a few offices lately and plan to start providing in early 2021. It’s called application whitelisting. The basic premise is that ransomware, like all viruses, consists of small programs that run on your computer to do things like deleting files and locking your data. With application whitelisting, monitoring software runs on the computers for 1 or 2 weeks to take stock of every program that you have. The assumption is that there’s no ransomware on the system, so all existing programs are whitelisted: They are deemed safe. After that period, you flip a switch and the systems are now in “deny all” mode, meaning if a program isn’t on your whitelist, it will be prevented from running. It’s a neat approach to dealing with ransomware and is very exciting.
   
4. Ringfencing is somewhat similar to application whitelisting. In this model, you designate which applications can access data, and all other applications (or programs, like a ransomware virus) are prevented from accessing the data.
   

Ransomware is an existential threat to health care providers and will be for many years to come. Dental practices should not only take reasonable, appropriate steps to prevent ransomware from entering their networks, but they should also have protocols and software in place to deal with any malware that makes it through perimeter firewalls.