Simplifying Cybersecurity for Dental Practices: Ensuring Your Patients and Business are Safe

by Anne Genge, Certified Healthcare Cybersecurity Professional

Two decades ago, most dental practices had thousands of paper patient charts. It was evident if a break-in occurred and charts were tampered with or stolen. However, today’s reality is different. Our patient records are stored on a server and often forgotten about until something doesn’t work. The records become invisible.

The challenge now is that this server is far more connected to the outside world than paper charts ever were, making it crucial for dental practices to understand and invest in cybersecurity. It’s not just about protecting sensitive patient information; it’s about maintaining your reputation, ensuring the safety of your patients, and securing your business.

This article is the first part of a series aiming to simplify cybersecurity for dental practice owners and team members.

In 2021, the Healthcare Information and Management Systems Society (HIMSS) conducted a study on healthcare cybersecurity. The findings were concerning:

• 47% of healthcare respondents cited the budget as their biggest challenge.
• 43% reported problems with staff compliance related to policies and procedures.
• 39% acknowledged that legacy (old) technology puts them at risk. [1]

These statistics imply that a large percentage of healthcare entities, including dental practices, are wrestling with the same challenges. Cybercriminals are aware of this vulnerability. As a result, healthcare was the most targeted industry for ransomware attacks in 2020, accounting for 29% of all attacks. [2]

For years, dentists have been early adopters of using technology to improve patient experiences, taking advantage of advanced diagnostics and treatment planning, streamlining processes, and gaining greater case acceptance leading to increased profitability. But a crucial aspect of this digital transformation that is often overlooked is the risk associated with privacy and security.

From my extensive experience, I’ve noticed that IT providers often possess only basic cybersecurity skills, leaving numerous vulnerabilities in their wake. The cybersecurity landscape has undergone dramatic changes in the past decade, and the tools we use to protect dental practices have evolved correspondingly. Traditional backup systems are now inadequate, and advice received even a year ago may be different and/or outdated today. You are best served by professional, experienced cybersecurity support.

The Return on Investment (ROI) in cybersecurity may appear intangible because the return is realized only when a crisis occurs. It’s akin to advising someone to get a crown on an endo-treated tooth to prevent a future fracture – the ROI is the prevention of a possible fracture or, worse, losing the tooth.

Despite the presence of an IT provider and a designated privacy officer, the practice owner is ultimately responsible for securing the data. This can be stressful and confusing. Cybersecurity for dental professionals, therefore, needs to be simplified and demystified.

Remember, patient data is business data! Compliance with regulatory bodies or provincial privacy laws is just the tip of the iceberg. Safeguarding patient data is paramount for business survival. Many of you have likely received communication advising that a company had a breach and your information may have been compromised. Unfortunately, these situations are becoming increasingly common.

To underscore the importance of cybersecurity, let’s review a real-life incident. One day, I received a call from Dr. Patel. She and her staff arrived at the office to find that their computer systems had been hacked. As a result, patient records, schedules, and other critical data were encrypted, rendering them inaccessible. An employee had clicked on a phishing email the previous night and inadvertently downloaded a malicious attachment, leading to ransomware spreading throughout the office network.

Dr. Patel was in a state of panic. They were locked out of their system and faced a significant ransom demand to regain access. Unfortunately, the backup she had been paying for failed, and she was forced to pay the ransom. After a stressful negotiation and payment process, receiving the decryption key took nearly two weeks. Even then, the recovery was not complete. Important patient information was lost, and the trust patients had in the practice was deeply shaken. From this harrowing experience, Dr. Patel learned the importance of having experienced IT personnel, a robust cybersecurity plan, a reliable backup system, and regular security updates and training for her staff.

This incident underlines several crucial issues:

Phishing Emails: Phishing emails are a standard method used by attackers to breach dental offices. They may appear legitimate, but they’re designed to trick recipients into sharing sensitive information or unknowingly downloading malware. Therefore, training to identify these types of emails and strategies to defend against these attacks is critical.

Overreliance on Antivirus: Dr. Patel’s case demonstrated that relying on antivirus software alone is not enough. Cybersecurity best practices should include multiple layers of protection, such as firewalls, intrusion detection systems, and ransomware protection, all monitored continuously by cybersecurity professionals.

Untested Backups: Dr. Patel trusted that her backup would work when needed, but the backups had never been tested. Often, dentists pay for backups but avoid testing them due to the associated costs. However, new solutions can ensure recoverability and rapid return to operations following a disaster. A cybersecurity professional can conduct a risk assessment to ensure your computer security and backup protocols are effective.

The High Cost of Data Breaches: Data breaches can have severe financial implications. According to the Canadian Dental Association, the cost per compromised record is estimated to be $168.57. For a practice with 2000 records, active and inactive, that can amount to a staggering $337,140!

Paying Ransom Does Not Guarantee Data Recovery: Notably, 1 in 4 healthcare organizations that paid ransomware demands in 2020 did not regain access to their data. [3] This further underscores the need for robust cybersecurity measures and reliable, tested backups.

In summary, cybersecurity is a critical aspect of running a modern dental practice. Cyber threats are continually evolving, and a proactive approach is essential to stay ahead. Although it may seem daunting, a suitable investment in technology, personnel, and training can drastically reduce the risk of a cyber-attack. At the end of the day, the best offense is a well-planned, well-executed defense.

In my next article, I will discuss defensive strategies to protect against internal and external threats to your practice data.

References

  1. 2021 HIMSS Healthcare Cybersecurity Study
  2. Check Point Research – Hospitals Targeted in a New Wave of Ryuk Ransomware Attacks
  3. Cybersecurity Ventures – Cybercrime to Cost the World $10.5 Trillion Annually by 2025

About the Author

Anne Genge, Certified Information Privacy Professional, Certified Healthcare Cybersecurity Professional, Certified Healthcare Security Risk Assessment Specialist. Anne is the founder of Myla Training Co., Canada’s first-ever online privacy and cybersecurity training platform for dental professionals. With over two decades of experience, Anne has become a leading expert and trainer in this field. Anne collaborates closely with practice owners, managers, dental teams, and IT providers to ensure the safety of patients and practice data while enabling compliance with privacy regulations. Anne can be reached at anne@myla.training or call 877-363-9229 x702.