June 4, 2018
by Ian Furst, DDS, MSc, FRCD(C); Ian Thornton-Trump, CD, CEH, CNDA, CSA
If you have never heard of the Wannacry virus, it’s a story you need to know.
On March 14, 2017, Microsoft issued a patch for a flaw in their operating system, a flaw that could allow a malicious actor to take control of a system over the internet. In fact, the tools to conduct the attack, which belonged to the most elite hackers in the world, the NSA, were made publicly available by a group called the “ShadowBrokers”.
The vulnerability impacted every version of the Windows operating system and was made available to anyone – including North Korea. Then, despite a US-Computer Emergency Response Team (US-CERT) warning, many folks failed to understand how important deployment of a routine Microsoft patch was and did not apply it.
What happened next was far from routine, made headlines around the world, and the consequences were global.
By May 12, 2017, a wave of attacks occurred, designed to infiltrate computers that had not downloaded the patch. This self-replicating Internet “worm”, powered by the NSA exploit called “Eternal Blue”, found its way into the computers of the UK’s National Health Service, and dropped the Wannacry Ransomware payload on many of their systems. It was later discovered that it took just 25 days from the day the vulnerability was announced to the time the Lazarus Advanced Persistent Threat (APT) group had analyzed, weaponized, and deployed the ransomware virus that crippled the NHS, and infected over 400,000 3 computers in 150 countries. 1
It was just 59 days from the day the patch was released to the largest attack wave.
Highly targeted, rapid attacks are becoming the new normal, and will impact all businesses including dental practices. Just last year, these authors discovered a highly-customized, spoofed email (named the Magdalena Sonora APT group) targeting Canadian dentists in an effort to acquire the digital addresses of data-containing computers. On a larger scale, a recent study found that 35% of Canadian small businesses reported being hit by ransomware (a type of malware that encrypts the data on your computer until a Bitcoin ransom is paid), and 85% of those victims lost data. 1
The healthcare community is about to face a reckoning because of our good faith efforts to use information technology to increase the speed of care, and portability of patient information.
From 1997-2007 (Web 1.0) we entered the age of information. The internet expanded rapidly, information became freely accessible, and patient data became digital. The decade from 2008-2018 (Web 2.0) embraced the socialization of the internet and collaborative content. Ideas became shared on social media, with applications like Facebook, blogs and Twitter. Web 2.0 also allowed the sharing of patient data, collaboration on cases and a distributed care model where diagnosis and treatment could be provided at a speed previously impossible.
The latest move to Web 3.0 is all about the coalescence of data, and the centralization of services. With it, clinical practice faces a new set of challenges.
Patient data has been digitally collected, stored, and organized for over two decades. But in the last two years, it has been unwittingly shared through the use of third party vendors to send emails, online patient registration, appointment reminders, and digital work-flow solutions such as orthodontic and implant planning software. The storage, analysis and application of data on offsite equipment and data networks is broadly referred to as cloud computing (aka ‘the cloud’). Many of the servers for these third-party solutions reside outside Canada, have unknown security, and are not governed by our privacy laws.
Unless your practice houses the software to run an application, it’s happening in the cloud.
Compounding the problem, many practices have unwittingly opened portals to patient networks by using 3rd party hardware. Consider that the automatic thermostat, remote security camera, voice activated radio, and certain intra-oral cameras all need to talk to their cloud-based home through the internet. While this is not necessarily a problem on a home network, the myriad of devices, some with potential vulnerabilities, can allow malicious actors to intercept private information safeguarded by a professional practice. All of this begs the question: why would someone want to gain access to my digital practice?
The answer is simple: money.
Full patient details can be sold on the DarkWeb for $60 or more per record. 2 Criminals can exploit these records for identity theft, fraud, blackmail, prescription abuse and many other criminal activities. Alternatively, they can deny you access to that data through Ransomware and extort your business at an average cost (2017 dollars) of $1077 per computer affected. 2 This does not include the financial effect of having to report the breach to the Provincial Privacy Officer, regulators, and your patients.
How much is the data on your practice’s servers worth and how easy is it to access?
Regulators are taking notice. Effective October 1, 2017, the Privacy Officer of Ontario enacted mandatory reporting requirements for health record custodians that fall victim to even minor privacy breaches. This includes infection of an office or clinic computer with ransomware. The RCDSO issued guidelines in 2004 and 2012 with respect to digital security and will likely revise them soon with the growing cyber threat and adoption of cloud hosted solutions. Finally, a Canadian steering group is now planning by 2022 to have safeguards in place against the threat of quantum computing, which may degrade current encryption methods.
Unless the profession acts quickly to lock down access to personally identifiable information, the trend to highly targeted attacks will result in data loss on a potentially massive scale. Consider this: in just the first quarter of 2018 there were 1,129,799 patient records reported exposed from 110 different breaches. 2
More importantly, realize that at the end of the day, the dentist is the one who will be held accountable for any data breaches.
The first and most important policy that every practice needs to adopt is the secure storage of data. Patient data should be stored on a server, locked away safely, and only accessed from an authorized end-point-device (e.g. the computer in administration or an operatory). If practice data is stored on a machine that accesses the internet, or is stored on a computer under the front desk, it is a recipe for disaster. Assess which data is critical to the mission of your office (patient records, x-rays and images, accounting data), then ask your IT administrator if it’s stored securely from theft (either from a break-in or internet) and encrypted.
Securing the data, unfortunately, is only a small technical part of the solution.
It is almost impossible to safeguard patient data while still allowing unfettered access to the internet. While wildly unpopular with employees, a commercial grade firewall that severely limits which sites can be visited should be part of the network structure of every practice. Phones should never be plugged into networked machines, updates need to be regularly applied, and logins need to be unique to each individual. Practices now need to plan on when (not if) their networks will be compromised and ensure that the least possible damage can be done.
Last, the explosion of cloud services has given small clinical practices access to clinical and administrative tools previously unimaginable. But little thought is given to what vendors do with the data shared.
Think about where the emails sent, the images uploaded to labs, and the CBCT data shared with implant providers are stored. Also take into account that not all businesses will have rigorous standards for data safety and encryption (especially if they off-shore the data). The technology needed and the expectations of patients demand that certain cloud assets will be a vital part of the practice of dentistry in the coming decade. Eventually, regulators will assist front-line providers by building workflows that certify which vendors are safe to use, and offer practical steps for business-to-business digital solutions.
Until that time, the face of dentistry will change as front-line workers need to become hyper-paranoid about information protection no matter where it resides.
Government of Canada Guidance:
Oral Health welcomes this original article.
About the Authors
Ian Furst – Oral & Maxillofacial Surgeon, Coronation Dental Specialty Group and Cambridge Memorial Hospital. Co-inventor, SafeReferral Secure Information Transfer.
Corresponding author: email@example.com
Ian Thornton-Trump is an ITIL certified IT professional with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. In Canada, Octopi Managed Services Inc. delivers managed security services to high profile legal firms and in the UK, Octopi Research Labs Ltd. undertakes security consulting and threat intelligence engagements. As the Cyber Vulnerability and Threat Hunting Team Manager for Ladbrokes Coral Group plc, Ian has an in-depth understanding of the threats small, medium and enterprise businesses face on a daily basis.