It’s a dentist’s job to focus on oral hygiene. But increasingly, online threats demand dentists’ attention to their data. What steps should dental practices take to better protect their customer data and their own internal systems?
Health care providers, including dentists, are especially vulnerable to hacking and cyber crime.
It started with a simple smash-and-grab theft from a car around the holiday season. But it became an incident that focused an entire industry on lax data security, and its associated hazards.
In early February 2017, news emerged that two months earlier, the car of a postgraduate dental resident at the University of North Carolina (UNC) School of Dentistry at Chapel Hill had been broken into. Among the items stolen were a laptop and a secure digital (SD) card that contained the personal information of about 200 patients treated at the school. The personal information might have included photos of patients, their names, dates of birth, dental and medical histories, treatment plans, referral letters, and other information that was collected for “diagnostic, clinical and training purposes,” according to a letter from the School of Dentistry. To boot, the sensitive personal data were not encrypted.
The dental school released a statement to the local CBS television affiliate, in light of the theft and its public discovery: “We sincerely regret this incident occurred and have reached out to all individuals who may be affected to inform them that certain pieces of their information may be accessible following the theft of the devices and to offer free credit monitoring for one year. The privacy and security of patients’ personal information is a top priority and we have policies and procedures in place for individuals who handle such information.”
Health care providers have become ripe targets for hackers and cybercriminals looking to score sensitive personal and financial information en masse—and dental practices are no exception. Although most headlines about health care cybersecurity have focused on hospitals or larger medical offices, dental practices present a huge opportunity for cyberthieves seeking to steal valuable client information. Such information can be sold on the Dark Web—the online trading emporium for black market information—for many times what a basic financial record will draw, or it can be used to set up ransomware exploits.
Many dental offices, unlike their larger counterparts in health care, have lacked the focus on data security needed to mitigate the risk of cyberattacks. “The UNC dental school, for the love of Pete, [had the information technology] staff and the money to stop this,” says John Flucke, D.D.S., a frequent technology blogger. He adds that incidents like the one at UNC are on the rise, as cybercriminals and hackers recognize the opportunity to take advantage of lax security practices and abundant personal information. “It goes back to the old expression that ‘You don’t know what you don’t know,’” says Flucke. “For the longest time, people bought the idea that dental information wasn’t that important.”
As cybercrime has increasingly become a more organized and sophisticated business, however, thieves have recognized the heightened value of patient data for identity-theft crimes. Illicitly obtaining patient data can be easier than stealing conventional financial records.
A credit card number might be worth 50 cents on the Dark Web, Flucke says. But a health care record, which might include such juicy and relevant details as full address history, mother’s maiden name, and the patient’s Social Security number, could be worth $25 or more. “Your dentist has a ton of data on you,” Flucke says. “And I don’t know if dentists are aware of what all that data are worth.”
Health care organizations are the target of roughly one-third of all data security breaches across all industries, making the health care industry the most breached United States sector. According to the US Department of Health and Human Services, almost 21 million health records have been compromised since September 2009. Human error typically causes most personal health information data breaches, with three times as many breaches caused by health care employees as by external attacks. As the UNC incident helped demonstrate, the most common causes of health care data breach are theft, hacking, unauthorized access or disclosure, lost records and devices, and improper disposal of records. A significant percentage of health care breaches result from lost or stolen mobile devices, tablets, and laptops.
Data security continues to be “a growing issue facing small and large dental practices in the United States,” according to a June 2016 news release from the Dental Integrators Association (DIA), which also noted several recent reports that “outline some alarming software security issues specifically within the dental industry.”
“It is essential for all practices to have business associate agreements in place with credible partners,” said the release from the DIA, an association comprised of more than 40 independent US firms that provide computer technology integration services to dental practices. “In addition, the DIA recommends that dentists review each business associate agreement to ensure their partners or vendors can and will adequately address security events or data breaches,” the release continued.
Many dentists who have small practices are shifting from seeing data security as “an issue that doesn’t apply to me” to acknowledging it as one that can greatly impact their business, from both the security and regulatory points of view, according to Jack Berberian, J.D. Berberian is the founder and CEO of SecureNetMD, which manages information technology (IT) issues for dental offices as well as for emergency departments and managed care facilities. As more small practices are being fined alongside larger hospitals and health care providers, Berberian says that demands are growing for better data security and information awareness, as well as for accountability.
“The message is coming across loud and clear that all [health care providers] are being held to the same standards,” Berberian says. And that accountability does not necessarily end at their own doors, he notes. If a small dental office depends on outside vendors to help manage their protected health information (PHI) or electronic health records, Berberian emphasizes that the dental office must demand that those service providers use appropriate security methods and procedures as well.
Gary Darby, president of Think Unified, another IT solutions provider that works with health care companies, says, “The concept of cybersecurity risk is elusive to nontechnology personality types, and [whatever] security risk concerns [they have] quickly dissipate when they consider that ‘cyberattacks’ only happen to other people.” For more than three decades, Darby has been helping clients protect their IT systems, and he says the “most common” attitude of “business owners is that they’re confident that they’re doing their security well, because in all the years they’ve been in business they have not experienced much more than an occasional annoying and nondestructive virus or the occasional irritating pop-up ad.”
Many prospective clients confidently boast of having anti-virus software on their computers, or a firewall, and a few even mention that they may have reliable backups, Darby says. “Owners with this line of thinking have a difficult time reconciling the risk of cyberattacks versus the cost to prevent them in the first place,” Darby adds. “It’s easy for these business owners to understand why they need car insurance, even if they’ve never had a car accident. But they can’t quite make that jump to investing in cybersecurity, when they have never had a security incident.”
Security incidents, though, are becoming much more difficult to avoid. According to a survey of 223 health care executives by the accounting firm and international consultancy KPMG, 80 percent of executives at health care providers and payers say their IT systems have been compromised by cyberattacks. Respondents named malware and Health Insurance Portability and Accountability Act (HIPAA) violations as the top threats; their biggest information security concerns are malware infecting systems, HIPAA violations or the compromise of patient privacy, internal vulnerabilities such as employee theft or negligence, medical device security, and aging IT hardware.
However, as Darby points out, the KPMG survey focused on large institutional health care providers and sizable payers, which “have deep pockets and have invested significant sums of money into their cybersecurity programs. Yet their information technology had still been compromised by cyberattacks. So you can imagine,” he stresses, “how easy it is for cybercriminals to hack small- to medium-sized practices that have much less security. This is what makes dental practices [of that size] a prime target for cybercrime.”
So, without the resources of larger competitors, what can dental practices do to better protect their systems and their patient information from theft? To start, Darby recommends that dentists avoid sending sensitive patient information through any consumer email service that does not provide encryption. This includes Gmail and Yahoo. Avoiding such services is consistent with HIPAA, which requires that health care providers ensure data are protected when sending any PHI electronically.
Additional security issues are presented by using the consumer version of Dropbox or other consumer-oriented cloud storage services to store patient data, says Darby. These services, while convenient for allowing access from multiple locations and devices, are often not HIPAA-compliant and do not back up patient data automatically. Dropbox, however, does have a business version that is HIPAA-compliant.
Transgressing those HIPAA privacy and PHI security compliance policies can carry hefty monetary penalties for health care providers. They range from $100 to $50,000 per violation, in addition to potential federal penalties, state penalties, and patient civil lawsuits, not to mention the incalculable damage to a practice’s reputation.
Flucke recommends frequently backing up system files, by using a professional service such as Aspida, and bringing in expert help to set up a commercial-grade firewall and system security for the office’s data network. In addition, he says that dental practices should especially “train their staffs about all the different ways that people are perpetrating cyberattacks.”
According to Darby, this should include educating staff members about techniques such as ransomware and cryptolocker attacks, in which data are not exfiltrated, but are instead trapped and encrypted. In such an attack, the legitimate holder of the data—in this case, the dental practice—is forced to pay a ransom to a cybercriminal to have their data released. Berberian, too, says ransomware attacks are increasingly being perpetrated in health care.
"There is usually a significant degree of anxiety when a dental practice approaches HIPAA compliance and cyber security risk and suddenly realizes its vulnerability," Darby points out. He recommends that dental offices approach HIPAA compliance and cyber security implementation holistically, as they would technology, staff training, processes, and procedures, with an upfront strategic design as opposed to a piecemeal, evolving security design.
"Get help from an experienced IT professional familiar with HIPAA compliance and armed with the tools to perform a HIPAA Risk Assessment Test," he adds, "revealing your [firm's] current cyber security vulnerabilities and explaining the recommended steps to address those vulnerabilities."