August 29, 2019
by Alex Zlatin, CEO of Maxident
In any type of job, there are elements we hate, fear and try to avoid. For me, that element is dealing with clients who are hit by ransomware. Whether we are able to assist them in decrypting the data or not, it is an extremely stressful and overall nasty experience, to put it mildly. Ransomware, in plain English, is a program that encrypts files, including images and data, on your system and “promises” to only decrypt those files if you send them a form of payment, such as bitcoin. For example, when your x-ray folder, consisting of several thousand images and data, is encrypted and you have lost access to it, you are in a serious pickle and you have very few options, none of which are great. In a perfect world, you are able to decrypt the images and other data lost, using tools available online (though do not rely on a free decrypter becoming available any time soon), or best-case, you have a current backup that can be properly restored.
Worst case: you just lost all your images and are going to face multiple business challenges, potentially ranging from a privacy commissioner investigation, your regulatory body investigation, notifying your patients and suffering a devastating blow to your reputation.
Ask yourself: are you prepared? What can you do to minimize the risk of being hit by ransomware? Unfortunately, there is no way to eliminate the risk completely, regardless of what you might have been told. Having said that, you can be prepared and able to take steps to minimize the risk of being infected and/or recovering fast from this dire situation.
If you choose to follow the 10 steps below, you will be able to minimize your business risk when it comes to cyber-crime.
1. On-boarding training
This particular step cannot be emphasized enough as it is the most important by far when it comes to cybercrime prevention. New employees must undergo training that is specific to their duties and responsibilities. Internet and computer usage must be a mandatory training module for all employees who have access to a networked computer in your practice. New employees, in particular, are prone to making mistakes when it comes to computer and internet usage. Practically speaking, the training should include, but not be limited to, the following:
A. How to identify phishing/malicious emails and how to handle them.
• Looking at the actual email address the message was sent from, and not just its display name, is a good way to identify risk
• Checking the actual link address of every link in the email, and not just the text used to display the link
• An email from one of your patients when there is no reason for them to email you may indicate a malicious email, especially if it says “click here to get payment for invoice #12345”
B. What you should do when you cannot determine if an email is malicious or not.
• Online tool to test email
• Forward email to any Gmail address. Gmail has top-notch tools to identify spam/malicious/phishing emails
• Delete email without opening. It is better to call the client and get them to resend (if it was from them) rather than infecting the entire office with ransomware
C. If using MS Outlook, note that the default choice between displaying emails as plain text or as HTML matters: rendering HTML can open you up to ransomware that is executed as code embedded within the HTML of the email.
D. Which websites to avoid.
• “Click here to get a free $50 Costco gift card”
• Any type of pornography
• “Free” streaming services of content elsewhere not available (streaming Game of Thrones at a dubious website is bad, while watching a clip on YouTube is ok).
• Any website that has “free” software to download
• Many others exist
E. How to identify phishing website addresses.
• Sophisticated “hackers” will use a similar letter within the address. It would be so good you might not even notice (e.g. using capital “i” instead of lower-case “L”)
• Using misleading subdomains (e.g. amazon.winafreegiftcard.com instead of amazon.com)
F. If you encounter a message on your screen saying that your computer has been infected and Microsoft (or any other reputable company) wants to help you clean it up, close the browser window, disconnect your computer from the network and run proper anti-malware software on your computer. Also, remember to reach out to your technician.
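The checks in A and E above can be made mechanical. The following is an added example, not code from the article or from Maxident: it compares the real sender address with the display name, compares each link's real destination with the text shown for it, and flags both lookalike letters (a capital "i" standing in for a lowercase "L") and misleading subdomains. The TRUSTED_DOMAINS list and the sample email are constructed for the demonstration, and the "last two labels" rule for the registrable domain is a simplification of what a production tool would do with the Public Suffix List.

```python
"""Phishing indicator checks from step 1 (A and E): actual sender address versus
display name, link href versus link text, lookalike letters and misleading
subdomains. Added example; TRUSTED_DOMAINS and the sample email are constructed."""
import unicodedata
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains this office treats as genuine (brands named in the article).
TRUSTED_DOMAINS = {"amazon.com", "gmail.com", "costco.com"}

# Characters that read like another letter; applied before lowercasing so that a
# capital "i" standing in for a lowercase "L" is caught.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(host: str) -> str:
    """Reduce a hostname to a 'what it looks like' form for lookalike comparison."""
    return unicodedata.normalize("NFKC", host).translate(CONFUSABLES).lower()


def registrable_domain(host: str) -> str:
    """Last two labels, case preserved. Simplification (assumption): a real check
    would consult the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    return ".".join(host.strip(".").split(".")[-2:])


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted', 'lookalike', 'misleading-subdomain' or 'unknown'."""
    reg = registrable_domain(host)
    if reg.lower() in trusted:
        return "trusted"
    if any(skeleton(reg) == skeleton(t) for t in trusted):
        return "lookalike"             # e.g. gmaiI.com (capital i) posing as gmail.com
    brands = {t.split(".")[0] for t in trusted}
    if any(label.lower() in brands for label in host.strip(".").split(".")[:-2]):
        return "misleading-subdomain"  # e.g. amazon.winafreegiftcard.com
    return "unknown"


def sender_mismatch(from_header: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when the display name invokes a trusted brand but the real address is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    brands = {t.split(".")[0] for t in trusted}
    if not any(b in name.lower() for b in brands):
        return False
    return classify_host(domain, trusted) != "trusted"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, trusted=TRUSTED_DOMAINS) -> list:
    """For each link: the text the reader sees, the host it really goes to, and a verdict."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        # netloc keeps the original case (.hostname would lowercase the capital i away)
        host = urlparse(href).netloc.rsplit("@", 1)[-1].split(":")[0]
        results.append({"text": text, "host": host, "verdict": classify_host(host, trusted)})
    return results


# Constructed sample message modelled on the invoice lure quoted in the article.
SAMPLE_HTML = """<p>Hi, click <a href="http://amazon.winafreegiftcard.com/claim">amazon.com</a>
to get payment for invoice #12345. Sign in at <a href="https://gmaiI.com/login">Gmail</a>
or review your <a href="https://www.amazon.com/orders">Amazon orders</a>.</p>"""

if __name__ == "__main__":
    print(sender_mismatch('"Amazon Billing" <billing@amazon-secure-login.net>'))
    for result in audit_links(SAMPLE_HTML):
        print(result)
```

Running it on the sample message flags the first link as a misleading subdomain, the second as a lookalike of gmail.com, and accepts the third; the sender check returns True for a display name that says "Amazon" while the address belongs to an unrelated domain. The same functions can be pointed at a real message's From header and HTML body.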
2. Continuous training
Training employees when they start working is not sufficient on its own. It is important to bring this topic top of mind at least quarterly. As you do not get hit by ransomware frequently, it is easy for employees (through no fault of their own) to forget their ransomware training. Also, “hackers” are constantly coming up with new malicious ways to steal information. Holding training sessions periodically for your staff means you will have highly trained staff who will help you stay out of cyber-trouble.
3. Be mindful of software tools
When it comes to software tools, we are talking about a trade-off game. The more security you have, the slower your computer will be. So, as a business, you must consider the fact that in order to optimally operate your clinic, your team needs fast (or at least not slow) computers. Upgrading is a must to protect your computer from becoming vulnerable to all malware.
Thinking about types of prevention software? Here is what you need to keep in mind:
Antivirus – Generally ineffective. The malware must already be on your computer before it can be detected, and new strains of malware won’t be detected until after the first wave of infections has already occurred. Anti-virus software can also be quite smothering, “protecting” you so much that the computer barely functions and using up so many of your system resources that the computer runs frustratingly slowly.
Anti-malware – Better than nothing, but don’t bet the bank on it. Anti-Malware works by using commonalities – preventing executables from running from non-standard folders, warning if a web browser is trying to open a potentially harmful page or other potentially dangerous behavior. Some can monitor the system and halt some types of ransomware once they begin to encrypt files. Programs like Malwarebytes and Hitman-Pro are good at detecting and removing malware already on the system, but there is no security software that can be depended upon 100% to stop malware from getting on a computer.
Registry cleaner – This is an area where caution is required. There are some pretty good registry cleaners out there now – this was not always the case – but there is still a lot of junk and worse, such as spamware and malware advertising themselves as reputable registry cleaners. Even some of the better ones, like CCleaner, require caution when being used as they can – and do – misidentify legitimate registry keys as being malicious. Always back up the registry before making changes. And, again, registry cleaners are only useful after a system has been infected.
4. Backup
As opposed to the previous items in this list, backing up will not help you prevent ransomware. But it will assist in a proper restore of backed up data that might have been compromised. This is not only about the ability to restore data; it also determines how fast you will be able to return to regular operation of your clinic. In large and busy clinics, the difference between 1 hour of being down and 6 hours is over $10,000.
5. Backup verification
The majority of dentists and office managers I speak with feel that having a backup service with their IT technician is good enough. Unfortunately, this could not be farther from the truth. In the last 3 years, I have seen it dozens of times: the backup exists, but when the technician tries to restore it, the restore fails. What would a non-restorable backup be worth to you when disaster hits your clinic? Nothing, besides some extra stress and some additional gray hair. Any backup service must go through periodic verification. This verification must include a full restoration of data and working with the clinic to make sure the data is readable.
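The point of step 5 is that a backup only counts once it has been restored and checked. The following is an added example, not code from the article or from Maxident, of what a restore drill looks like when it is automated: a SHA-256 manifest is recorded at backup time, the archive is restored into a scratch folder (never over the live data), and every restored file is compared against the manifest. The clinic files are constructed sample data, and the drill deliberately damages the restored copy afterwards to show that a truncated or missing file is caught rather than silently accepted.

```python
"""Backup restore drill for step 5: back up a folder with a SHA-256 manifest,
restore it somewhere harmless, and prove every file came back intact. Added
example, not from the article; the clinic files are constructed sample data."""
import hashlib
import json
import os
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large x-ray folders do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under root, recorded at backup time."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path, manifest_path: Path) -> dict:
    """Zip src and store the manifest beside the archive (kept separate on purpose)."""
    manifest = build_manifest(src)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(src / rel, rel)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Restore into a scratch folder, never over the live data."""
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest)


def verify_restore(dest: Path, manifest_path: Path) -> dict:
    """Compare the restored files with the manifest; a backup only counts if this passes."""
    manifest = json.loads(manifest_path.read_text())
    report = {"verified": 0, "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["corrupt"].append(rel)
        else:
            report["verified"] += 1
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def run_drill() -> tuple:
    """Full drill on constructed data: a clean restore passes, a damaged one is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "clinic-data"
        (src / "xrays").mkdir(parents=True)
        # Constructed stand-ins for x-ray images and the practice database.
        for i in range(3):
            (src / "xrays" / f"patient-{i:04d}.png").write_bytes(b"\x89PNG" + os.urandom(512))
        (src / "patients.db").write_bytes(os.urandom(2048))

        archive, manifest = tmp / "backup.zip", tmp / "backup.manifest.json"
        create_backup(src, archive, manifest)

        scratch = tmp / "restore-test"
        restore(archive, scratch)
        clean = verify_restore(scratch, manifest)

        # Simulate what a failed restore looks like: one file truncated, one absent.
        img = scratch / "xrays" / "patient-0000.png"
        img.write_bytes(img.read_bytes()[:100])
        (scratch / "patients.db").unlink()
        damaged = verify_restore(scratch, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = run_drill()
    print("clean restore:", clean_report)
    print("damaged restore:", damaged_report)
```

The manifest is stored next to the archive rather than inside it so that a damaged archive cannot also damage the record it is checked against. In practice the drill is scheduled, the scratch restore goes to a machine that is not the production server, and the report is what you ask your technician to show you, together with a staff member opening a few restored images to confirm they are readable.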
6. Trusted IT company
With the lack of regulation in the IT world, any person (whether with relevant education or not) can open an IT company. With Amazon supplying any hardware needed and the ability to build an impressive website, you might feel that the company is solid. Over the more than seven years I have been working with dentists, I have seen more incompetent technicians than competent ones. There are three parameters by which you need to evaluate a technician or an IT company: cost, service and technical knowledge. The first two are easy for you to evaluate. For my clients, we offer to evaluate the technical knowledge of their IT provider at no cost. This way, we can ensure a good and productive collaboration to solve issues without the need for the dentist or office manager to intervene and serve as the middle-man.
7. Minimizing access to email
92% of all malware infections occur via email, so regardless of how much you train your team, there will always be the risk of human error. This is why it is important to limit access to email to only the staff members who need it for business use. Besides using proper email clients (e.g. MS Outlook, Gmail), limiting the number of people who can make that error is a good practice.
8. Limiting internet access (staff & hardware)
Visiting suspicious websites and triggering malicious pop-up windows is one of the most common ways to become infected with ransomware. Similar to the item above, provide internet access only to staff members who require it to perform their duties and responsibilities. Another great way to restrict access to the internet is having a proper router and gateway firewall. This piece of hardware is great for blocking access to suspicious websites, even if an employee tries to access them by mistake. Exceptions can be created for any websites that turn out to be false positives.
9. Separating guest wifi from clinic network
Although this is self-explanatory and a no-brainer, I find that a lot of clinics provide WiFi access to their patients when it resides on the same network as their servers with all their data. Beyond the fairly major security breach it creates, it is not recommended from a record keeping and privacy regulation standpoint. The patient/guest WiFi must be a completely separate network that has nothing to do with your “business network”.
10. Cyber-security insurance
This is a commonly skipped item when looking at data security. On top of your regular insurance for malpractice, liability, premises, etc., it is imperative you obtain cyber-security insurance for your clinic. Similar to the “backup” item above, this insurance will cover costs you incur when dealing with a data breach and/or a disaster that has occurred. Your insurance broker should be able to provide a more in-depth explanation of what this type of insurance covers. Having said that, if your insurance broker has not mentioned this insurance to you, I recommend you look for a new one.
It’s 2019 and humans are now considered “online creatures”. This is something no organization can ignore. With the abundance of information and tools out there, there is a great lurking danger – especially to businesses and government organizations. Understanding the risks and ensuring you minimize the risk to your clinic is a must in today’s world. As Canada moves to a more unified and centralized health database, the dental industry will have to adapt and adopt new tools and technologies to stay competitive and provide patients with what they want to receive in the way they want to receive it, while confronting the constant challenge of malware.
If you have any questions regarding this article or would like to discuss your particular challenges, please feel free to reach out to firstname.lastname@example.org.
About the Author
Alex Zlatin is the CEO of dental practice management software company Maxim Software Systems (MaxiDent). He helps dental professionals take control and reach the next level of success with responsible leadership strategies. He leverages his experience in “Responsible Dental Ownership – Balancing Ethics and Business Through Purpose”, a detailed guide providing practical tools and a unique, proven approach to running a successful dental practice.