When it comes to infection control in your practice, physical health and wellness shouldn’t be the only focus.
In the years I’ve been in dentistry, we’ve seen phenomenal changes in infection control, both in hardware, delivery, materials, techniques and practically anything else that comes into contact with the patient’s body.
As strange as it may seem to many of you reading this, there are a good number of doctors currently practicing who can remember providing treatment without wearing gloves.
The knowledge base that scientists and government organizations had should have been much more concerned about infection control and cross contamination in the late ‘70s and early '80s. Unfortunately, it took the tragedy of the AIDS epidemic to bring the focus of the CDC and OSHA to bear on both patient and employee safety. While there had been limited attempts to decrease possibilities of cross-contamination before, a serious threat created an incredible focus of resources on the problems.
Looking back on the idea of Universal Precautions with the hindsight of 30 years makes the practice obvious. However, at the time there was actually pushback from some individuals who thought loss of tactile sensation by using gloves would usher in a wave of subpar dentistry. Of course, those concerns seem almost silly now, but I can assure you, at the time those concerns were heard frequently.
Refocusing our concerns
As the Technology Evangelist, I’m now attempting to turn the profession’s eyes, ears and concerns in the direction of a different type of infection control. In 2006, the U.S. Department of Health and Human Services (HHS) began discussing the costs of healthcare as a percentage of GNP. The government was anticipating that by the year 2030, healthcare could potentially be 30 percent of the U.S. GNP. The concern? That any country spending that much on the health of its citizens can’t compete in the global economy.
That’s the reason there has been such a focus on the electronic health record (EHR) and other ways to increase the efficiency of healthcare delivery. The hope is that by increasing efficiency, costs can be decreased.
However, with the focus on using technology to increase efficiency, very few have stopped to consider the potential problems of digital security, or as I like to refer to it, “Digital Infection Control Engineering (DICE).”
You can’t get there from here
A brief history lesson is in order to put things in perspective. As the world became connected through the internet, organized crime saw huge potential profits through the use of spam email. There were many scams used, but the one that generated the most profits (and hence became the most popular with criminals) was the “online pharmacy.”
The fall of the Soviet Union left things highly unregulated as well as unmonitored. Many criminal enterprises sprung up in this “Wild West” environment driven by the desire for huge amounts of untaxed income.
They created tsunamis of spam that advertised “Canadian” pharmacies that sold medications below the prices available in America. Unknowing U.S. citizens, many of them senior citizens looking to save money on their prescriptions, ordered. They thought they were dealing with legitimate pharmacies, but instead, the drugs were manufactured in areas with little or no quality control. Russian criminals made obscene profits while patients were paying for medications that were not always 100 percent of what they were expecting.
Next: The Dawn of the Dead
The Dawn of the Dead
The spam was generated using zombie computers organized in Botnets. Since one computer with a single internet connection can only send so many emails, the criminals needed an economy of scale. To do so, they set about sending some of their spam to people that tricked them into opening an attachment. This type of spam, known as “phishing,” tricks you into opening the attachment. The moment it’s opened, in the background a program is run that gives the crooks the ability to control your computer. This means they can install programs that send spam from your machine. A computer thus infected is referred to as a “zombie,” and a network of zombies is called a “Botnet.”
The criminals controlling the Botnet send one command and every zombie then obeys. When you walk away from your computer, or any time it’s idle, it’s sending emails that you’re unaware of. There are literally millions of these infected computers sending spam constantly. The other part of the “spam equation” is what the bad guys want to gain by sending all of this spam in the first place. Many folks think of spam as being for spreading viruses and therefore controlling people’s computers. However, in the last two to three years, the focus of spam has been getting unsuspecting victims to accidentally install ransomware.
As law enforcement around the globe began to crack down more on the highly profitable internet pharmacy scams, the criminal gangs running them needed to find ways to continue bringing in lots of cash. The gangs had also begun falling victim to the simple concept that the targets of pharmacy scams began to catch on to the fact that many drugs were counterfeit and returned to purchasing from legitimate pharmacies. Plain and simple, this meant new ways were needed to generate revenue.
It’s estimated by the FBI that in the first six months after releasing it, CryptoLocker ransomware swindled $27 million from users whose data was stolen by it.
The concept behind ransomware is simple and nefarious. The program installs itself, then encrypts your hard drive, and asks for a ransom to decrypt your data. The result is that all of your data (and I mean ALL of your data) is suddenly unavailable to you. If this happens, you have two choices. Choice one is to reformat your hard drive and rely on your backup system to have ALL of your data available. Choice two is to pay the ransom, receive the password, and pray that the password returns your hard drive to its previous unencrypted state.
The reason the process is so profitable is because the criminals don’t have to do anything other than have the program on your hard drive. There is no need for them to steal anything, download anything or sell anything to other criminals. All they have to do is have YOU inadvertently run the ransomware program. Once the program encrypts your hard drive, it loads a screen giving you instructions on how to contact the crooks and how to send them the ransom.
Healthcare is low-hanging fruit
According to a report published in February of 2017, in the year 2016, 88 percent of all ransomware attacks perpetrated in the U.S. were in the healthcare sector. You read that correctly. There’s also the fact that 89 percent of studied healthcare organizations have experienced a data breach - which involved patient data being stolen or lost - over the past two years.
This is no accident. The criminals know that our field isn’t well prepared for this and they’re attacking our sector because of that.
Now, add to this the HIPAA law and what we must do if a breach occurs, and it’s not difficult to see that a breach could create a major time- and revenue-impacting event. In addition to that, paying the ransom encourages the criminal gangs to continue to devise new and better ways to steal our data. It’s a neverending saga as long as there’s money to be gained by illegal data theft.
What can we as practitioners and as the healthcare sector in general do about this?
Next: How can we solve the problem?
Helping to solve the problem
This is nothing short of digital terrorism and negotiating with terrorists simply encourages the behavior. I feel that agreeing to pay the ransom is simply asking the criminals to continue their activity.
The best way to prevent paying ransom is to make sure you have a current and rock-solid backup. In a dental office, there really isn’t a reason not to have reliable backups. The process is easy, reliable and takes only a few minutes a day. This small daily chore will save headaches from ransomware or the inevitable data crash.
Also, just like IT in today’s dental business environment, there’s professional help out there that can make navigating these potential pitfalls much easier and much less stressful. Regular readers will remember me talking about DDSRescue. This company provides an incredible hybrid backup service that I’ve been using since I met them.
I refer to this service as a hybrid backup because it uses both a local backup as well as a cloud-based one.
This type of backup uses a small DDSRescue computer on your network. Some files are run on your server, and the network box can communicate and back up all needed data from the server and store it on the DDSRescue box. This data is also uploaded to the cloud in a HIPAA-compliant manner to provide online backup.
The DDSRescue device performs a backup in my office once an hour, saving multiple backups throughout the day. These backups are stored both locally and in the cloud.
This is the easiest system to use because it requires no intervention by doctor or staff. Once the DDSRescue team configures the device, it will perform all its functions automatically and autonomously. Check them out at ddsrescue.com.
Should ransomware somehow manage to find its way onto your network, you can shut down your server and run your office from the DDSRescue system until your server can be reformatted and recovered.
The company has dealt with ransomeware in client offices many times and has the process of dealing with it down to a science. It’s simply the easiest and most reliable way to deal with digital terrorism.
However, that’s not all that DDSRescue offers. The company has recently begun offering a remarkable HIPAA Risk Assessment Service. As part of your business relationship, DDSRescue will provide a complete and thorough examination of your office to make sure that you are as safe as possible from attacks both externally and internally.
It’s one thing to purchase a HIPAA compliance “kit” and go through myriad checklists to make sure you have closed most of your potential loopholes. However, DDSRescue will run network scans to help ensure you’re as safe from attacks as possible. A data breach is truly an event that almost all offices are unprepared for and DDSRescue provides an incredibly professional and thorough assessment to ensure your office is as prepared as possible to prevent one.
The company and the assessment are highly recommended.
There’s no way to be 100-percent covered for a digital attack. Digital security is a cat-and-mouse game that requires constant vigilance. However, just like keeping your office on the leading edge of clinical treatment, if you’re not constantly moving forward, you’re moving backward. Antivirus, network protection, firewalls, divided internet connections and other efforts are required, but so is constant monitoring, configuring and upgrading.
The best advice I can give you is to make sure you’re using a professional IT security company when it comes to your computers and network. Protecting your data is, at a minimum, a two-phased effort of HIPAA compliance and protection from outside criminal organizations. Failing to prepare for cyber security is just as foolhardy as failing to have malpractice or business liability insurance. When it comes to infection control, don’t let it stop at the autoclave!
Of course, the criminals don’t just send spam. Once they gain control, they can see everything you do. That means they can steal passwords, gain banking information, you name it.