Cybersecurity & Data Protection in Dentistry: A Global Threat

by Peter C. Fritz, BSc, DDS, FRCD(C), PhD (Perio), MBA; Charlotte P. Fritz

The American Dental Association (ADA) is an international authority guiding dentists in safeguarding personal health information (PHI) and protecting its members from cyber threats. On May 26, 2021, the ADA published a bulletin for its 161,000 members to increase awareness of potential ransomware issues affecting dental practices.1 Around April 21, 2022, the ADA was the target of a sophisticated cyber attack involving ransomware. This disrupted the normal function of the ADA computer network, paralyzing most of their online services. About a week later, the ADA learned that an unauthorized party, the Black Basta crew, was responsible for the attack and could access and possibly steal data from the ADA servers.2

While the ADA did not indicate which data types were leaked, third-party news outlets reported locating some of the leaked data on the dark web.3 According to one source, the leaked data included 2.8 gigabytes related to W2 forms, non-disclosure agreements, accounting spreadsheets, and other personal information about ADA members. Even more alarming, the hackers claimed that the leaked data represented only about 30 percent of the data stolen in the attack.3

On July 15, 2022, the ADA sent out data breach letters to all individuals whose information was compromised due to the data security incident.4 On July 17, 2022, several consumer privacy attorneys and data breach lawyers launched portals for victims of the breach. They began interviewing victims to determine what damages they sustained and what legal claims may be available.5

In light of the severe consequences and risks associated with a cybersecurity incident, some measures can be implemented in most dental practices to mitigate the impact of cybersecurity incidents. These include reinforcing administrative and technical safeguards, surrounding yourself with experts and committing to a recurring budget for continuous optimization of defences. This paper will examine the pros and cons of tactical approaches used to mitigate cybersecurity risk in the context of a Canadian dental practice.

OBTAIN CYBERSECURITY INSURANCE

Fun is like life insurance; the older you get, the more it costs. – Kin Hubbard

FIRES IN DENTAL OFFICES

All dental offices have a fire safety plan. Dentists improve the margin of safety to prevent an office fire by controlling several fire risk factors that are ever present in the dental office. Despite the many precautionary measures in place to keep patients and staff safe, fires still happen.1 If a fire occurs in a dental practice, most practices have fire insurance to offset the cost of the devastating incident.7,8

A cyber attack is similar to a fire in a dental practice. The three essential factors are a motivated hacker, a vulnerable dental office and an internet connection. (Fig. 1) Much like a fire, a cyber incident is an emergency when it is happening, and once it is over, there is damage to contend with. During a fire, one relies on professional firefighters; afterwards, one expects the insurer’s guidance on restoring the smoke and fire damage and helping to recover lost income. All businesses need help in the event of a fire, and today more than ever, they require assistance and guidance in responding to and recovering from a cyber attack. However, unlike for fires, very few dental offices have cybersecurity insurance.

Fig. 1

Elements of a Successful Cyberattack.

CYBERSECURITY INSURANCE

Ensuring your business is covered for cyber incidents is as essential today as fire insurance. A primary difference is that many insurers in the cybersecurity space function as a fire inspector, the fire department and fire and smoke restoration specialists. In the event of a cybersecurity breach, instead of calling 911 first, a call to the cybersecurity insurer should be the first call made.

The reliance of a dental practice on digital connectivity will only become more significant with time. Few Canadians were spared from the national outage experienced on Friday, July 8th, 2022, when the Rogers network suffered a temporary collapse of unknown etiology. Fortunately for dentists, the restoration of the telecommunication network was outside of their circles of influence or control.9 However, if a cyber attack localized to a network occurs within a dental office or across a dental support organization, the responsibility to protect the PHI rests with the clinic’s Privacy Officer,10 and the restoration of the network ultimately rests with the owner of the practice.

Given that cyber attacks are becoming more sophisticated and the costs increasingly fatal, a dental clinic surviving an incident without appropriate insured support will only become more difficult.

ESSENTIAL BENEFITS

Businesses whose property has been damaged or destroyed will commonly look to their insurance for relief – with varying degrees of success after the incident. An established relationship with your insurance provider is essential to navigating a cybersecurity incident.11 Understanding the limitations of the coverage is also necessary. (Table 1)

Table 1

An incident response lifecycle is shown in Fig. 2. Of note is that the urgent triaging of the incident is the highly reactive phase in the days or weeks after an attack is discovered. However, this is nowhere close to the end of the incident. The attack’s impact and business recovery can take months or years, and the expenses can be staggering.12

Fig. 2

Incident Lifecycle.

LIMITATIONS

In addition to the cost of premiums associated with cyber-insurance policies, insurers can require clinics to have certain technologies in place and commonly assess their risk much like a credit score, but for cybersecurity vulnerabilities. Insurance companies reassess premiums when examining the cost of ransoms and the indirect costs of negotiation, forensics and recovery. Given how new the cybersecurity insurance marketplace is, the pricing of policies can be volatile.

To decrease the risk of an incident, insurers commonly impose requirements such as using two-factor authentication, investing in endpoint detection and response (EDR) tools, and implementing secure remote access.13 Organizations are being underwritten based on their history of past attacks and the sensitivity of their data. Dental offices, like hospitals, are caretakers of PHI and financial information, so the data will be more expensive to insure. Just like a dental office has all the ingredients for a catastrophic fire, it also has the critical elements of a devastating cybersecurity breach.

Dental offices must work with insurers to implement controls and processes to protect patient and employee data and keep premiums affordable. By establishing administrative and technical safeguards and best practices, cyber risks are reduced for the patients, the dental team and the insurer.14

IMPLEMENT ADMINISTRATIVE SAFEGUARDS

Just as courage is the danger of life, so is fear its safeguard. – Leonardo da Vinci

Effectively managing a dental practice requires a constantly evolving skill set. Most practice owners do not relish assuming another unpaid executive role. However, at the beginning of the pandemic, all practice owners added the title of Chief Risk Officer (CRO) to their portfolio, along with the current role of Privacy Officer. Chief Information Security Officer (CISO) is another role required in a fundamental shift in managing cyber risk. The ability to effectively serve in all these roles is challenging and leaves patient information vulnerable and network systems as soft targets for attackers.

The idea that cyber attacks are increasingly likely – and perhaps inevitable – has transformed into a reality.15 Business leaders realize that we have interconnected our world, primarily using technologies designed for sharing information, not protecting it.16 In an eco-system that values the system’s speed over its security, it is commonplace to trust employees and third parties to handle sensitive information and operate critical infrastructure.16 This strategy creates an enormous risk to an organization and its data by undermining the capability to protect what is required.

ROUTINE ACTIVITY THEORY (RAT)

According to routine activity theory (RAT), described by criminologists Cohen and Felson, victimization occurs when there is a convergence in time and space of a motivated offender, a suitable target and an absence of a capable guardian.17 (Fig. 3) The lack of any of these elements is sufficient to prevent the occurrence of successful direct-contact predatory crime. From the forensic victimologist’s perspective, a victim could be targeted or opportunistic.18

Fig. 3

Routine Activity Theory and How to Mitigate Risk.

A targeted victim is the primary object of the offence, resulting directly from the offender’s motive for committing the crime.19 A targeted victim is selected precisely because of who they are, what they are, what they know, or what they possess. The offender may also intentionally target a victim because the victim has information, items, or valuables sought by the offender, such as the PHI and financial information of a large group of people or celebrities.20

Texas-based Jefferson Dental & Orthodontics boasts of being “the official dentist” of the Dallas Mavericks and reported a targeted hacking incident affecting 1.03 million individuals.21 The regulators were concerned that children’s dental and orthodontic records were involved, and the potential targeting of these children as victims of other crimes was especially troubling.21

The breach also potentially compromised records of Dallas Mavericks players who are patients of the practice. In social engineering terms, targets such as professional sports figures are termed ‘whale fishing’ because they are big targets with deep pockets. There is always a heightened propensity for individuals – including employees – to access the medical records of celebrities and public figures for various reasons. The best approach, as discussed later, is to have limited access to all patient records, which is accomplished by having role-based access and audit logs.
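The role-based access and audit-log approach recommended above, worked through as an added example (this is not code from the article or from any practice management system; the roles, permissions, users and patient identifiers are constructed for a hypothetical clinic). Every request is logged whether or not it is allowed, and clinical resources require an active treatment relationship in addition to the role permission, so that a staff member looking up a public figure's chart leaves a visible trail of denials for the Privacy Officer to review.

```python
"""Role-based access to patient records with an audit trail.

Added illustration, not code from the article or from any practice
management system. Roles, permissions, users and patient IDs are
constructed examples for a hypothetical clinic.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical role -> set of (resource, action) pairs the role may perform.
ROLE_PERMISSIONS = {
    "reception": {("demographics", "read"), ("demographics", "update"),
                  ("appointments", "read"), ("appointments", "update")},
    "hygienist": {("demographics", "read"), ("appointments", "read"),
                  ("clinical_notes", "read")},
    "dentist":   {("demographics", "read"), ("appointments", "read"),
                  ("clinical_notes", "read"), ("clinical_notes", "update"),
                  ("radiographs", "read")},
}
# Resources that additionally require an active treatment relationship.
CLINICAL = {"clinical_notes", "radiographs"}


@dataclass
class User:
    name: str
    role: str
    assigned_patients: frozenset  # patients this user is currently treating


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    patient_id: str
    resource: str
    action: str
    allowed: bool
    reason: str


def authorize(user, patient_id, resource, action, audit_log):
    """Decide one access request and record it (allowed or denied) in audit_log."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    if (resource, action) not in perms:
        allowed, reason = False, f"role '{user.role}' may not {action} {resource}"
    elif resource in CLINICAL and patient_id not in user.assigned_patients:
        allowed, reason = False, "no treatment relationship with patient"
    else:
        allowed, reason = True, "permitted"
    audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user.name,
                                patient_id, resource, action, allowed, reason))
    return allowed


def denied_access_counts(audit_log):
    """Denials per user. A high count is the pattern a Privacy Officer reviews:
    someone probing records their role or caseload gives them no reason to open."""
    return Counter(event.user for event in audit_log if not event.allowed)


def accesses_to_patient(audit_log, patient_id):
    """Every attempt, allowed or not, against one record, for a breach
    investigation or a patient's access request."""
    return [event for event in audit_log if event.patient_id == patient_id]


if __name__ == "__main__":
    log = []
    dr_lee = User("dr_lee", "dentist", frozenset({"P-001"}))
    front_desk = User("front_desk", "reception", frozenset())
    authorize(dr_lee, "P-001", "clinical_notes", "read", log)     # allowed
    authorize(dr_lee, "P-002", "clinical_notes", "read", log)     # denied: not her patient
    authorize(front_desk, "P-002", "demographics", "read", log)   # allowed: booking work
    authorize(front_desk, "P-002", "clinical_notes", "read", log) # denied: wrong role
    for event in log:
        print(event)
    print("denials per user:", dict(denied_access_counts(log)))
```

The design choice worth noting is that the denial is logged with its reason: a "role may not" denial points at a training or configuration issue, whereas a "no treatment relationship" denial by a clinician is the signal that a chart is being looked up out of curiosity.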

An opportunistic victim is ancillary to the offence. In such cases, the offender is motivated by a desire to commit the crime, and the victim is irrelevant.22 The victim is selected because of availability and vulnerability. In April 2020, the American College of Emergency Physicians reported a malware attack affecting more than 70,000 of the group’s current and former members and members of three other emergency medical professional organizations.3 This was an opportunistic attack exploiting weak internal controls.

Another element of RAT is location, which refers to the victim’s particular locality in relation to the offender’s.17 It is often a function of both offender and victim activities and schedules. However, with cyber incidents, location is largely irrelevant, as computers are interconnected, milliseconds from each other, with global reach.15

One of the primary criticisms of RAT is the assumption that criminals are rational in their decision-making, and they may not use the same rationale as the person implementing the security measures.18 They may not even be aware of the situational crime prevention techniques. But instead of a car thief jiggling a car door handle to test if it is unlocked while walking down a dark street, millions of “cyber-jiggles” can co-occur in every neighbourhood with little effort and cost.

RANSOMWARE ATTACKS REMAIN A LEADING CAUSE OF DATA BREACHES

Ransomware attacks are one of the most common ways cybercriminals orchestrate attacks designed to obtain consumer data. According to the Identity Theft Resource Center (“ITRC”), the number of ransomware attacks more than doubled between 2020 and 2021, with 158 ransomware attacks in 2020 and 321 in 2021.15 While 321 attacks may not sound alarming, every ransomware attack can affect thousands of individuals.4 The ITRC reports that ransomware attacks in 2021 alone victimized over 41 million people.

Ransomware attacks have been around for decades; however, over recent years, the number of ransomware attacks has surged compared to other cyberattacks.13 This is partly because technological developments allow cybercriminals to target the most valuable data types.16

In a typical ransomware attack, a hacker installs malicious software on a victim’s device. Usually, this is done through a social engineering attack, such as email phishing, or by placing malicious code on the back-end of an organization’s website. The malicious software encrypts the data on the device, preventing the victim from logging in and accessing critical operational information.23 When the victim attempts to log in, they are met with a message from the hackers demanding a ransom to regain access to their computer network. As such, the convergence of a motivated offender, a suitable target and the absence of a capable guardian can be targeted or opportunistic, but it can cause serious harm in either case.

CHIEF RISK OFFICER

Figure 4 demonstrates a crisis timeline, with the CRO’s managerial control shown by the red line. Before a crisis, there is ample time and control to prepare and possibly prevent the crisis. However, during the crisis, managerial control fades until a viable solution is elucidated, contingent on the threat being first identified and then contained. During the pandemic, many successful CROs used the 5 C framework to guide their businesses through the uncertainty. The same 5 C’s (Caring, Communication, Clarity, Calm and Collaboration) are essential during a cyber incident. Using this framework along with a crisis incident response plan or playbook, triaging the crisis and leading a team becomes more manageable.

Fig. 4

Crisis management and Corresponding Managerial Control Timeline.

CISO

As clinicians, dentists are experts in managing dental emergencies. Moreover, managing medical emergencies in the dental office is routine as emergency protocols, or “codes,” are practiced. Although every dental team member would rather not administer CPR to a patient, there is a comfort that this is a skill that is practiced. Even more so than the clinical team, the admin team is on the front line of a cybersecurity incident. Having the team trained to perform according to established protocols is critical.

A playbook tailored to the organization should be developed and practiced. Developing this plan would fall under the responsibility of the CISO; however, outsourcing this plan may be more manageable. The Ontario Dental Association (ODA) has a cybersecurity response plan available for members.24

PRIVACY OFFICER/ AI COMMISSIONER

The Office of the Privacy Commissioner of Canada has outlined an organization’s responsibilities regarding personal data using ten fair information principles.25 This framework empowers individuals to control how the private sector handles their personal information. An individual’s personal information “must only be used for purposes that a reasonable person would consider appropriate in the circumstances.”26 Patients must reveal extensive and sensitive information in a healthcare setting to receive personalized and precision medical care. As such, a healthcare organization’s responsibility to abide by the ten fair principles of the Personal Information Protection and Electronic Documents Act (PIPEDA)27 is critical in protecting an individual’s privacy. Designating a single staff member to be the primary contact person for privacy matters (Privacy Officer) and documenting how the office will handle PHI, including the how, where, why, and how long the data will be kept, are standard and proven strategies.28

The Privacy Officer and the CISO should also champion security and privacy awareness: teaching employees and service providers about phishing, handling and protecting PHI and stressing the importance of information security. The Privacy Officer also establishes security and privacy policies, ensures employees are bound by NDA agreements and provides input into the incident response plan outlining how to identify and resolve privacy incidents.29

On June 16, 2022, Canada’s Minister of Innovation, Science and Industry introduced Bill C-27 in the House of Commons.30 The Bill is designed to update Canada’s federal private sector privacy law, PIPEDA, to create a new tribunal, and propose new rules for artificial intelligence (AI) systems. Presently, an organization is required to protect personal information through physical, organizational, and technological security safeguards, and the level of protection must be proportionate to the sensitivity of the information.25 While Parts 1 and 2 of Bill C-27 (relating to the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act) are of great interest in the privacy law sector, Part 3 of Bill C-27 proposes regulation of artificial intelligence (“AI”) in Canada for the first time.

In addition to the stringent existing privacy rules, AI technology that “autonomously or partly autonomous, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique to generate content or make decisions, recommendations or predictions” will be regulated. The AI Act allows for the designation of an Artificial Intelligence and Data Commissioner and the establishment of an advisory committee. Some dental offices use chatbots to collect prospective patient information and, in so doing, would be subject to this legislation.31 Since hackers already use fake bots to steal sensitive information, collecting PHI through AI on a dental website creates another serious risk to PHI and requires focused attention and regulation.32

LIMITATIONS

Significant administrative skill is required to match the complexity of recent opportunistic cybersecurity-related events, from large-scale breaches to the use of ransomware by criminal groups and nation-states.16 Newfoundland and Labrador’s health system was among the most significant breaches in Canadian history. Phishing attacks using the pandemic or Rogers outage as a lure remind us of how dynamic attacks can be. All the while, dental offices are trying to save their businesses by using technology to “safely” communicate with patients as one of the most analog health care providers.

This protracted period of change and upheaval – compounded by a critical shortage of qualified cybersecurity resources – provides the perfect conditions for increasingly agile and brazen threat attackers to conduct operations.16 Compounded with new legislation, operating costs will climb, time to train staff will increase, and security processes will become more cumbersome as information sharing becomes less efficient.13 Just like one has to arrive at the airport earlier than ever to navigate security and check-in, adapting to our interconnected world requires patience and the expenditure of resources until innovation surpasses the obstacles.

IMPLEMENT TECHNICAL SAFEGUARDS

As cyber threats evolve, we need to evolve as well. – Christopher A. Wray

The specialized skills required to troubleshoot the day-to-day operation of a computer network in a dental office are often beyond the dentist’s ability. Moreover, if the dentist can manage the network, her time is still best spent treating patients and outsourcing the technical aspects of network operations. However, the responsibility to safeguard the PHI still rests with the dentist. As irritating as safety measures can be to productivity, a breach of PHI is a very serious event. In the United States, more than 900 breaches of unsecured protected health information affecting 500 or more individuals were reported in the past 24 months and are actively under investigation by the Office for Civil Rights.33 In Canada, new privacy legislation could increase the potential punishment for a breach.30 Having an IT team managing the office network is an essential role. However, ensuring PHI is protected is often a distinct role and in conflict with the IT team’s efficiency and smooth operating goals.16

THE CYBERSECURITY TEAM IS DISTINCT FROM THE IT TEAM

Oversight is required to ensure the security of the office dental network. It is likely best to task this role to a cybersecurity firm distinct from the IT team. Doing so serves as an audit, creates an independent assessment of the current infrastructure and systems, and transfers some risks to the testing party. A careful audit will focus on the following areas outlined by NIST34,13 and summarized in Table 2.

Table 2

OPERATIONAL TECHNOLOGY RISKS & IOMT

The Internet of Medical Things (IoMT) is the network of internet-connected medical devices, hardware infrastructure, and software applications used to connect healthcare information technology.35 The IoMT allows wireless and remote devices to communicate over the internet to enable a rapid and flexible analysis of medical data and troubleshooting equipment.35,36 Endpoints include obvious technology: mobile phones, point-of-sale (POS) systems, digital printers, smart watches, appliances and backup generators, but also less apparent endpoints: x-ray machines, dental compressors, vacuum systems and patient monitors. According to one estimate, there will be 29.3 billion networked devices globally by 2023, up from 18.4 billion in 2018, 26% of which will exist in the business sector.37

Given the sensitivity and strict regulations around healthcare data,38 IoMT requires a more comprehensive security infrastructure than other IoT systems.39 This is especially important when considering the risks of a breach of operational technology (OT).

Operational technology – also known as industrial control systems (ICS) – is the hardware and software that monitors and controls industrial processes in various sectors, including chemical plants, power utilities, education, health care and manufacturing.13 Attacks on OT (for example, the Colonial Pipeline incident) are incredibly destructive as they cause a complete shutdown of critical infrastructure. The Communications Security Establishment (CSE) reported 235 ransomware incidents against Canadian victims from January 1, 2021, to November 16, 2021.40 More than half of those targets were critical infrastructure providers, including those in the energy, health care and manufacturing sectors.40

OT attacks are generally targeted attacks rather than opportunistic attacks on IT networks using well-known vectors, such as phishing and exploiting known system vulnerabilities.13 Given the weak network segmentation between IT and OT networks, attackers can easily infiltrate the OT environment.

In the dental office, an attacker could conceivably gain access to the radiation dosage controller on the x-ray machine or the control board for the patient monitoring unit during a sedation. Suction/compressor systems that are wi-fi enabled could be targeted and programmed to overheat and catch fire. In each example, a hacker could exploit a vulnerable IT-OT segmentation and cause serious harm to patients and staff.
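The weak IT-OT segmentation discussed above is, in practice, a firewall rule table that is broader than the handful of flows the practice actually needs. Below is an added example (not code from the article or from any firewall vendor) that audits a constructed rule table for a hypothetical office against an allowlist of approved IT-to-OT flows: the subnets, hosts, port numbers and rules are all constructed. It flags the kind of convenience rule that lets any workstation reach the x-ray controller or compressor, and shows the flow that rule admits.

```python
"""Audit of IT-to-OT firewall rules against an allowlist of approved flows.

Added illustration, not code from the article or from any firewall vendor.
Subnets, rule table, ports and the approved-flow list are constructed
examples for a hypothetical dental office.
"""
import ipaddress

# Constructed network plan: workstations live in the IT segment; the x-ray
# controller, compressor and patient monitor live in the OT segment.
IT_NET = ipaddress.ip_network("10.10.0.0/24")
OT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed rule table; evaluated top-down, first match wins.
RULES = [
    # imaging workstation -> x-ray controller on one service port (constructed)
    {"id": 1, "src": "10.10.0.15/32", "dst": "10.20.0.5/32", "dport": 104, "action": "allow"},
    # convenience rule an IT team might add: any workstation -> any OT device
    {"id": 2, "src": "10.10.0.0/24", "dst": "10.20.0.0/24", "dport": "any", "action": "allow"},
    {"id": 3, "src": "any", "dst": "any", "dport": "any", "action": "deny"},
]

# Constructed allowlist: the only IT -> OT flows the practice has approved.
APPROVED = {("10.10.0.15", "10.20.0.5", 104)}


def _net(spec):
    """'any' becomes None; otherwise an ip_network object."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _matches(rule, src, dst, dport):
    s, d = _net(rule["src"]), _net(rule["dst"])
    return ((s is None or ipaddress.ip_address(src) in s)
            and (d is None or ipaddress.ip_address(dst) in d)
            and (rule["dport"] == "any" or rule["dport"] == dport))


def flow_allowed(rules, src, dst, dport):
    """First-match evaluation of one flow; implicit deny if nothing matches."""
    for rule in rules:
        if _matches(rule, src, dst, dport):
            return rule["action"] == "allow"
    return False


def audit_rules(rules, it_net, ot_net, approved):
    """Return (rule id, finding) for every allow rule that admits IT -> OT
    traffic other than one exact, approved host/host/port flow."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        s, d = _net(rule["src"]), _net(rule["dst"])
        crosses = ((s is None or s.overlaps(it_net))
                   and (d is None or d.overlaps(ot_net)))
        if not crosses:
            continue
        exact = (s is not None and d is not None
                 and s.prefixlen == s.max_prefixlen
                 and d.prefixlen == d.max_prefixlen
                 and rule["dport"] != "any"
                 and (str(s.network_address), str(d.network_address), rule["dport"]) in approved)
        if not exact:
            findings.append((rule["id"], "allows IT -> OT traffic beyond the approved flow list"))
    return findings


if __name__ == "__main__":
    for rule_id, why in audit_rules(RULES, IT_NET, OT_NET, APPROVED):
        print(f"rule {rule_id}: {why}")
    # Consequence of the broad rule: a front-desk PC can reach the compressor.
    print("front desk -> compressor:", flow_allowed(RULES, "10.10.0.40", "10.20.0.7", 8080))
```

Running the audit after removing the broad rule returns no findings, and the same front-desk-to-compressor flow falls through to the final deny; that before-and-after comparison is the check a cybersecurity firm auditing the IT team's configuration would document.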

Fortunately, many types of technology protect sensitive information in a dental clinic. Employing these technologies reduces the risk of a security compromise to PHI. However, this takes time, expertise and investment, driving up dental care costs. Unified threat management strategies require knowledgeable IT professionals to install, monitor, and service the network. Additional security measures often slow down the network, creating frustration for the end user. The balance between safety versus speed must tip in favour of protecting PHI. Much like having an alarm system to protect the office from a burglar, a managed detection and response service providing 24/7 monitoring of the network and dedicated teams ready for the first sign of an attack is likely the way of the future.

DEVELOP A PLAYBOOK

People ask me all the time, ‘What keeps you up at night?’ And I say, ‘Spicy Mexican food, weapons of mass destruction, and cyber attacks.’ – Dutch Ruppersberger

Relationships and information have always been and will continue to be the cornerstones for successful business collaborations. Given the dynamic and rapidly evolving field of cybersecurity, it is crucial to consider outsourcing some of the responsibility to trusted experts, especially to prepare, prevent and manage a crisis.

KNOW YOUR FIRST RESPONDERS

A cybersecurity incident should be considered an emergency in the dental office, and as with any emergency algorithm, first responders should be called in to help as soon as possible. The playbook would direct a team member on whom to call using which communication channel, as some channels may be compromised by the attack.11 Establishing in advance who the first responder is in the event of a cyber attack is a critical step in managing the emergency.

Many options exist, from expanded services from a current IT service provider to a specialized firm. For example, the ODA has partnered with IT Weapons, a Canadian IT service provider, to assist ODA members.24 Several accounting firms offer cybersecurity services, and the benefit is that there is already an established relationship surrounding sensitive information between the accountant and the dentist.13,12 Moreover, the risk management controls inherent in accounting transfer well to protect PHI.

DEVELOP A CYBERSECURITY INCIDENT RESPONSE PLAN (PLAYBOOK)

Create a playbook with the type/description of the attack at a minimum (ransomware, social engineering, phishing, data breach, etc.) along with the initial response to minimize potential harm, which will almost certainly begin with isolation and containment of affected devices along with communication with users.24 Elements of the playbook are noted in Table 3.

Table 3

Part of the emergency preparedness for a cybersecurity threat is educating every team member about the importance of preventing a social engineering attack. Irrespective of the technology in place to prevent a cyber attack, one careless click by a staff member can paralyze an office and jeopardize patient information.

LIMITATIONS

When deciding to partner with a cybersecurity provider, it is vital to understand the model by which they operate. Models include the People-Process-Technology41 (Fig. 5) or CIA model.42 (Fig. 6) Alignment with these models helps the dentist understand the process and end goals and provides a common language.43

Fig. 5

People Process & Technology Framework.

Fig. 6

CIA Triad.

Partnering with a cybersecurity managed services provider can mean losing some of the autonomy and transparency of working the business’s security and firewalls; however, for the busy clinician, this is a small price to pay for peace of mind. Costs can add up quickly, and the implementation of the new systems requires unlearning old practices and relearning safer ways to access the same information. This can be frustrating for staff and initially decrease operational efficiency. Nevertheless, the additional bulkiness can be compared to the protective case holding your new smartphone: It is not appreciated until the phone hits the concrete.

DEVELOP A CYBERSECURITY BUDGET

Cyber security is a dynamic space. The user faces different challenges yearly because there are always new applications and data. – Ken Xie

The elements above add additional costs, increase complexity and decrease the efficiency of a dental practice. However, the failure to adapt to the environment in which clinicians operate will compromise the ability to protect the PHI of their patients. It will compromise the safety of the workplace. Much like airline security forever changed after the terrorist attack on 9/11, cybersecurity processes must also evolve to meet modern challenges. The costs of hiring outside experts, training staff, and investing in updating and strengthening network systems are new recurring annual costs which need to be budgeted for.13 The alternative is an inevitable breach that can bankrupt a dental clinic. Investing in cybersecurity does nothing to increase practice revenues. This means that the ultimate victim is the small business and the consumer. Consumers should be educated that the reason for rising costs for their dental procedures is in exchange for securing their personal information.

Fig. 7

Cyberattack Impact Factors: CIRA’s 2019 Cybersecurity Survey found that 71 percent of organizations reported experiencing at least one impactful cyber-attack. Over the past 30 months, as dentists focused on pandemic-related restrictions such as fallow time and PPE supplies, budgets could not address the current cybersecurity landscape. Dentists focused on trying to keep their teams healthy and businesses from collapsing. While cyber security risks were better understood and prioritized, there was no time or resources to invest in this area.

Common perceptions about the impact of a cyberattack are typically shaped by what companies are required to report publicly – primarily theft of personally identifiable information (PII), payment data, and PHI.12 Discussions often focus on costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties. But especially when PII theft isn’t an attacker’s only objective, the impacts can be even more far-reaching. The effects of a cyberattack can ripple for years, resulting in a wide range of “hidden” costs – many of which are intangible impacts tied to reputation damage, operational disruption or loss of proprietary information and other strategic assets.12

There is a wide range of direct and indirect intangible costs contributing to the overall impact of a significant cyber incident. (Fig. 8) The immediate triage phase is costly, but the long-term efforts may take a far greater toll. Long after intruders are removed, and public scrutiny has faded, the impacts of a cyberattack can reverberate over a multi-year timeline. Legal costs can cascade as stolen data is leveraged in various ways over time, and it can take years to recover pre-incident growth and profitability levels.12

Fig. 8

MITRE ATT&CK Framework. As information is collected and data is analyzed using available cyber intelligence, cyber defenders benefit from organizing their ideas by modelling them after the attack process: the MITRE ATT&CK Framework. (Modified from the Mitre Corporation https://www.mitre.org/sites/default/files/pdf/protex3.pdf).

BUDGET FOR CONTINUOUS STAFF TRAINING

Most clinics did not have a pandemic response plan. They relied on business continuity processes that could not address the effects of a global pandemic, including new demand for IT resources. However, having survived the disruption of the pandemic, clinics are better prepared than ever to survive the next.

The current emergency preparedness mindset provides an appropriate context in which to invest in staff training, and staff are likely to be receptive to the idea. Given that recent breaches are primarily due to human factors, focusing on staff training offers a potentially high return on investment. The key to maximizing the exercise is to tailor it specifically to the dental workplace, as the transfer of PHI within the office network, with insurers, and with other dental offices is a unique ecosystem. Much like having a staff CPR re-certification event every two years, having a staff training program on best cybersecurity practices at least annually would seem prudent.

INGEST THREAT INTELLIGENCE

The ADA is not the only dental industry organization to suffer a recent cyber incident. In October 2021, the Professional Dental Alliance (PDA), which owns dental practices in 15 states, notified more than 170,000 individuals of a phishing incident involving an affiliated vendor.44 In October 2020, the American Osteopathic Association, representing 151,000 osteopathic physicians and medical students across the U.S., notified nearly 28,000 individuals about a data exfiltration incident involving their personal information.45 In 2019, a Toronto dental clinic was the victim of a ransomware attack called Ryuk.46 The attacker demanded a $165,000 ransom, which represents a significant percentage of a practice’s revenue; with no insurance or ability to remediate the incident, paying the ransom feels like the only option in many attacks.

Reading the latest reports from leading threat intelligence agencies and major news outlets, with a specific focus on incidents targeting healthcare practices, provides learning opportunities that strengthen the community and help prevent similar attacks from succeeding.

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework

The MITRE ATT&CK framework is an industry standard and a fantastic resource to visualize the attack surface in the dental sector, access real-world observations, and compare the strength of existing technology.47 (Fig. 8) Open Threat Intelligence communities are free to join and offer continuous updates about ongoing cyber developments. Examples include AlienVault48 and the Malware Information Sharing Platform (MISP).49 MISP, in particular, provides visualization of data, which aids understanding. Some of the intelligence on these sites might be difficult to digest for practice owners and clinicians. However, given that this is the language of the future, it is always helpful to learn a new language or at least hire a translator.
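To show what "ingesting" shared threat intelligence looks like in practice, the following is an added example written for this article; it is not code from the article, from MISP or from AlienVault. It assumes a constructed event in the general shape of a MISP event export (an `Event` with `Attribute` entries carrying `type`, `value` and `to_ids`, and `Tag` entries carrying `misp-galaxy` ATT&CK tags), and a handful of constructed proxy and firewall log lines from a fictional clinic. The indicator values are documentation-reserved placeholders, not real indicators. The script pulls out the ATT&CK technique IDs so the event can be filed on the framework, keeps only the attributes the sharing community flagged as safe for detection (`to_ids`), and checks the clinic's own logs for those indicators.

```python
import json
import re
from collections import defaultdict

# Constructed sample event (assumption: general shape of a MISP event export).
# Values are documentation placeholders, not real indicators of compromise.
SAMPLE_EVENT_JSON = r'''
{
  "Event": {
    "info": "Constructed example: invoice-themed phishing against dental clinics",
    "Tag": [
      {"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\""},
      {"name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\""},
      {"name": "tlp:amber"}
    ],
    "Attribute": [
      {"type": "domain", "value": "invoice-portal.example", "to_ids": true},
      {"type": "ip-dst", "value": "203.0.113.45", "to_ids": true},
      {"type": "email-src", "value": "billing@invoice-portal.example", "to_ids": true},
      {"type": "comment", "value": "Lure references an insurer statement", "to_ids": false}
    ]
  }
}
'''

# Constructed clinic log lines (proxy and firewall) for the scan below.
SAMPLE_LOGS = [
    "2024-03-04T09:12:01Z proxy user=frontdesk host=portal.insurer.example status=200",
    "2024-03-04T09:14:33Z proxy user=frontdesk host=invoice-portal.example status=200",
    "2024-03-04T09:14:35Z fw action=allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2024-03-04T09:20:10Z proxy user=hygiene2 host=updates.vendor.example status=304",
]

# Matches the galaxy tag convention '...mitre-attack-pattern="<name> - T1234[.001]"'.
TECHNIQUE_RE = re.compile(r'mitre-attack-pattern="(?P<name>.*?) - (?P<id>T\d{4}(?:\.\d{3})?)"')


def parse_event(json_text):
    """Return the event title, its ATT&CK techniques and its detection-grade indicators."""
    event = json.loads(json_text)["Event"]
    techniques = {}
    for tag in event.get("Tag", []):
        m = TECHNIQUE_RE.search(tag.get("name", ""))
        if m:
            techniques[m.group("id")] = m.group("name")
    indicators = defaultdict(set)
    for attr in event.get("Attribute", []):
        # to_ids marks attributes the sharing community considers safe to push
        # into detection; comments and other context never reach the matcher.
        if attr.get("to_ids"):
            indicators[attr["type"]].add(attr["value"])
    return {"info": event.get("info", ""), "techniques": techniques, "indicators": dict(indicators)}


def scan_logs(log_lines, indicators):
    """Return (line_number, indicator_type, value) for every to_ids indicator seen in the logs."""
    lookup = {v.lower(): (t, v) for t, vals in indicators.items() for v in vals}
    if not lookup:
        return []
    # Longest values first so an e-mail address wins over the bare domain inside it;
    # the lookarounds stop 'example' from matching inside 'insurer.example'.
    values = sorted(lookup, key=len, reverse=True)
    pattern = re.compile(r"(?<![\w.-])(" + "|".join(re.escape(v) for v in values) + r")(?![\w.-])",
                         re.IGNORECASE)
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for m in pattern.finditer(line):
            ind_type, original = lookup[m.group(1).lower()]
            hits.append((n, ind_type, original))
    return hits


def triage_report(json_text, log_lines):
    """Combine the parsed event with the log scan into one small triage record."""
    event = parse_event(json_text)
    return {
        "event": event["info"],
        "techniques": sorted(event["techniques"]),
        "hits": scan_logs(log_lines, event["indicators"]),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_EVENT_JSON, SAMPLE_LOGS)
    print("Event:", report["event"])
    print("ATT&CK techniques:", ", ".join(report["techniques"]))
    for line_no, ind_type, value in report["hits"]:
        print(f"line {line_no}: {ind_type} indicator {value} observed")
```

The technique IDs are what let a practice (or the consultant it hires) place an event on the ATT&CK matrix and ask which existing control covers it; the `to_ids` filter is the part most often skipped by beginners, and skipping it turns analyst commentary into false positives.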

CONCLUSION

Cybercriminals have caught on that healthcare organizations are swimming in sensitive personal data, making them attractive targets for threat actors. This creates yet another unneeded challenge for dentists. Criminals are increasingly targeting more vulnerable organizations, such as hospitals, where an attack could harm human life.

Although cyberattacks are conducted through technology-based means and can cause very significant damage to infrastructure, equipment and applications, the major damage will usually be to the goodwill of the business, not to its IT assets. Incident response is not primarily a technical effort. The technical work to investigate, analyze, clean and repair computer systems is overshadowed by the efforts to manage patient and third-party relationships and legal matters, and to restore the practice’s reputation in the community.

To summarize, implementing technical and administrative safeguards, ensuring adequate insurance and budgeting for the new cyber risk present in a dental clinic’s threat landscape will help prevent an incident. As dentists know, treatment without prevention is unsustainable, and prevention is always better than the cure.

Oral Health welcomes this original article.

References

  1. Association, A.D. Protect your practice from ransomware. 2021; Available from: https://www.ada.org/resources/practice/practice-management/protect-your-practice-from-ransomware.
  2. Mathews, L. Ransomware Criminals Strike American Dental Association. 2022; Available from: https://www.forbes.com/sites/leemathews/2022/04/27/ransomware-criminals-strike-american-dental-association/.
  3. McGee, M.K. American Dental Association Hit by Disruptive Cyber Incident. 2022; Available from: https://www.govinfosecurity.com/american-dental-association-hit-by-disruptive-cyber-incident-a-18976.
  4. Associates, C.a. American Dental Association Reports Data Breach in the Wake of Ransomware Attacks. 2022; Available from: https://www.jdsupra.com/legalnews/american-dental-association-reports-1269240/.
  5. Associates, C. Guide for Victims of Data Breach. 2022; Available from: https://www.myinjuryattorney.com/consumer-privacy-data-breach-lawyers/if-your-information-has-been-compromised-in-a-data-breach/.
  6. Institute, E., New clinical guide to surgical fire prevention. Patients can catch fire – here’s how to keep them safer. Health Devices, 2009. 38(10): p. 314-32.
  7. VanCleave, A.M., et al., Factors involved in dental surgery fires: a review of the literature. Anesth Prog, 2014. 61(1): p. 21-5.
  8. Weaver, J.M., Prevention of fire in the dental chair. Anesth Prog, 2012. 59(3): p. 105-6.
  9. Schwendicke, F. and J. Krois, Data Dentistry: How Data Are Changing Clinical Care and Research. J Dent Res, 2022. 101(1): p. 21-29.
  10. PIPEDA Fair Information Principle 1 – Accountability, O.o.t.P.C.o. Canada, Editor. 2020.
  11. Ahmad, I., A Guide to Best Practices, Planning and Management. Second ed. 2021, Toronto, Ontario, Canada: LexisNexis Canada.
  12. Emily Mossburg, J.G., Hector Calzada, Beneath the surface of a cyberattack A deeper look at business impacts. 2016: Deloitte Touche Tohmatsu Limited.
  13. Morin, P., Cybersecurity in Canada: Evolving threats and practical defences. 2021: Grant Thornton.
  14. Association, O.D. Fraud and Identity Theft Awareness. 2020; Available from: https://www.oda.ca/member-resources/compliance/privacy-and-fraud/fraud-and-identity-theft-awareness/.
  15. Symantec, Internet Security Threat Report. 2019.
  16. James Kaplan, C.T., Adam Tyra, Perspectives on transforming cybersecurity. 2019: McKinsey & Company.
  17. Felson, M., M.A. Andresen, and G. Farrell, The criminal act : the role and influence of routine activity theory. 2015, Houndmills, Basingstoke, Hampshire ; New York, NY: Palgrave Macmillan. xxi, 273 pages.
  18. Andresen, M.A., Environmental criminology : evolution, theory, and practice. 2014, London ; New York: Routledge, Taylor & Francis Group. xiv, 274 pages.
  19. Von Hirsch, A., et al., Ethical and social perspectives on situational crime prevention. Studies in penal theory and penal ethics. 2000, Oxford: Hart. x, 230 p.
  20. Walker, S., C. Spohn, and M. DeLone, The color of justice : race, ethnicity, and crime in America. Sixth edition. ed. 2018, Boston MA: Cengage Learning. xxi, 570 pages.
  21. McGee, M.K. ‘Official Dentist’ of NBA Team Says Hack Affected 1 Million. 2022; Available from: https://www.healthcareinfosecurity.com/official-dentist-nba-team-says-hack-affected-1-million-a-18770.
  22. Hufnagel, S. and A. Moiseienko, Criminal networks and law enforcement : global perspectives on illegal enterprise, in Transnational criminal justice. 2020, Routledge, Taylor and Francis Group: London ; New York. p. 1 online resource.
  23. Kanade, V. What Is Ransomware? Definition, Types, Examples, and Best Practices for Prevention, and Removal. 2022; Available from: https://www.spiceworks.com/it-security/vulnerability-management/articles/what-is-a-ransomware-attack/.
  24. Weapons, O.D.A.I., Security Incident Response Plan. 2022.
  25. PIPEDA fair information principles, O.o.t.P.C.o. Canada, Editor. 2019.
  26. Canada, O.o.t.P.C.o., Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), G.o. Canada, Editor. 2018.
  27. Personal Information Protection and Electronic Documents Act, SC 2000, c 5. 2000.
  28. Ontario, R.C.o.D.S.o., Guidelines: Electronic Records Management. 2012: Toronto.
  29. PIPEDA Fair Information Principle 6 – Accuracy, O.o.t.P.C.o. Canada, Editor. 2020.
  30. Canada, P.o. BILL C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts. 2022; Available from: https://www.parl.ca/DocumentViewer/en/44-1/bill/C-27/first-reading.
  31. Schwendicke, F., W. Samek, and J. Krois, Artificial Intelligence in Dentistry: Chances and Challenges. J Dent Res, 2020. 99(7): p. 769-774.
  32. Lee, J.W., et al., Big data and artificial intelligence (AI) methodologies for computer-aided drug design (CADD). Biochem Soc Trans, 2022. 50(1): p. 241-252.
  33. Services, U.S.D.o.H.a.H. and O.f.C. Rights. Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. 2022; Available from: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
  34. NIST offers tips to help avoid ransomware attacks. 2022; Available from: https://www.ada.org/publications/ada-news/2021/may/nist-offers-tips-to-help-avoid-ransomware-attacks.
  35. Mahajan, H.B., et al., Integration of Healthcare 4.0 and blockchain into secure cloud-based electronic health records systems. Appl Nanosci, 2022: p. 1-14.
  36. Fang, H.S.A., et al., Blockchain Personal Health Records: Systematic Review. J Med Internet Res, 2021. 23(4): p. e25094.
  37. CISCO, Cisco Annual Internet Report (2018–2023) White Paper. 2020.
  38. Joda, T., et al., Health Data in Dentistry: An Attempt to Master the Digital Challenge. Public Health Genomics, 2019. 22(1-2): p. 1-7.
  39. Carrano, F.M., et al., Blockchain in surgery: are we ready for the digital revolution? Updates Surg, 2022. 74(1): p. 3-6.
  40. Security, C.C.f.C. Cyber threat bulletin: The ransomware threat in 2021. 2021; Available from: https://cyber.gc.ca/en/guidance/cyber-threat-bulletin-ransomware-threat-2021.
  41. Digitalcraftsman. Three Pillars of Cyber Security: People – Process – Technology. 2022; Available from: https://www.openaccessgovernment.org/pillars-of-cyber-security-technology/132732/.
  42. i-scoop. The CIA triad of confidentiality, integrity and availability. 2021 [cited 2022]; Available from: https://www.i-scoop.eu/cybersecurity/cia-confidentiality-integrity-availability-security/.
  43. Cole, S. Data Breach Hits US Dental Patients. 2021 [cited July 23, 2022]; Available from: https://www.infosecurity-magazine.com/news/data-breach-us-dental-patients/.
  44. McGee, M.K. Dental Alliance Reports Vendor Breach Affecting 170,000. 2021; Available from: https://www.govinfosecurity.com/dental-alliance-reports-vendor-breach-affecting-170000-a-17775.
  45. Journal, H. American Osteopathic Association Notifies 27,500 Individuals About June 2020 Data Theft Incident. 2021; Available from: https://www.hipaajournal.com/american-osteopathic-association-notifies-27500-individuals-about-june-2020-data-theft-incident/.
  46. Daigle, T. ‘Definite uptick’: Global wave of ransomware attacks hitting Canadian organizations. 2019; Available from: https://www.cbc.ca/news/science/more-ransomware-canada-1.5317871.
  47. Ironnet. 5 practical ways for a CISO to use the MITRE ATT&CK® Framework. 2022; Available from: https://www.ironnet.com/topics/mitre-attack-framework.
  48. Alienvault. Open Threat Exchange. 2022; Available from: https://otx.alienvault.com.
  49. Project, M. MISP, the open source threat sharing platform. 2022; Available from: https://www.misp-project.org.

About the Author

Peter C. Fritz is an intrepid lifelong, global learner. Peter is a periodontist, scientist, mentor and adjunct professor at three universities. He has recently completed an MBA and a law degree focusing on blockchain, cybersecurity, innovation law and technology. Peter lives by his academic mission: “Never stop learning because the world around you never stops teaching.”

Charlotte Fritz is an Associate in Risk and Forensics at Grant Thornton Cybersecurity Practice. She is a member of Women in Defence and Security and is passionate about keeping people safe. She is completing a Bachelor of Science, Computer Engineering at the University of Toronto, focusing on cybersecurity and artificial intelligence.
