Gary Salman, CEO of Black Talon Security, discusses the reasons for protecting against cyberattacks to your patient files
Over the past 20 years, an evolution in computer technology has taken place in the orthodontic practice. Computers were previously used only for basic recordkeeping and billing. Then came the progression from billing to appointment scheduling, digital radiography, charting, and now, to digital dentistry. As the amount of data stored in systems has increased, so have the frequency and sophistication of cyberattacks. The days of simply relying on a firewall and antivirus software to protect the practice’s network and patient data are over. The reality is, if these devices were so effective at protecting networks from breaches, there would be no data breaches.
Cyberattacks have shifted dramatically in the past 12 to 18 months, and now, more than ever before, hackers are setting their sights on healthcare entities. The frequency and severity of these attacks have increased, and practices of all sizes are being impacted. These ransomware and malware attacks can shut down and compromise networks, resulting in an inability to access patient records and loss of revenue.
Orthodontists must consider the scope of their data and understand that they have one of the highest risk databases in the dental community — children’s records. Many orthodontists may think that since they don’t store “medical records” in their system, they don’t have to worry about protecting patient records. In the eyes of Health and Human Services (or the parent of a child), it does not matter if you are a cardiologist, a dentist, or a laboratory. If you have any patient data in your system, everyone must follow the same rules to protect these records. In addition, if a practice were to have a data breach, the HIPAA Breach Notification Rule requires practices to notify every patient of record that a breach has occurred. Imagine the negative PR that a practice would encounter in its local community and the uncomfortable conversations with the parents of the minors whose data was compromised. In addition, Identity Theft Monitoring would need to be offered to all affected minors. Health and Human Services (HHS) and the Office of Civil Rights (OCR) are just two of the reporting agencies a practice will have to work with; 49 out of the 50 states now have equal or more stringent breach notification rules. Also, if a practice treats patients from multiple states, it may be required to report to all the states in which it treat patients. A data breach is about patient trust, and once it has been broken, it’s very difficult to regain that trust.
When we ask orthodontists what they do for cybersecurity, they often say, “My IT company handles that.” IT companies are not cybersecurity companies. IT organizations typically partner with a cybersecurity company to independently audit its work. It is extremely critical to understand that IT companies cannot audit their own work. It takes the expertise and knowledge of a cybersecurity company to help ensure the security of the network.
In speaking with numerous orthodontists, it is apparent that ransomware attacks have been impacting this community. The unfortunate mistake that practitioners make is that they have their IT company “clean it up and restore their data.” What if, as part of or prior to the attack, a practice’s data was stolen from their network and is being bought and sold on the Dark Web (the black market of hackers), and the practice did not report the breach to the Office of Civil Rights (OCR)? The practice could be subject to massive fines for the lack of reporting. If an orthodontist’s office falls victim to a ransomware attack or other possible breach, there are steps that the practice and its IT company must follow to determine if electronic protected health information (ePHI) was compromised. This often involves hiring a forensics company and working with a cybersecurity company to harden the practice’s infrastructure. What we have typically seen is that if you were the victim of an attack once, you will mostly likely be a victim again because of vulnerabilities in your network that enabled the attack vector or payload to infiltrate your system. To recover from the attack, you cannot simply restore your data and hope for the best.
To secure your network and combat against these sophisticated attacks, an orthodontist needs to implement four key pillars of cybersecurity. These pillars are Cybersecurity Audit, Cybersecurity Awareness Training, Vulnerability Scanning, and Penetration Testing.
During this audit, a cybersecurity company works closely with the practice and its IT company to understand the complete landscape of the practice’s IT footprint. The cybersecurity company asks questions regarding where and how data is stored, what protocols are in place to protect the data, and how it is accessed. Are there remote team members? Does the practice contract with a billing company that “logs in” to the practice’s network? Do doctors leave the office with devices that store ePHI, leaving the practice exposed if the device is stolen or lost? Is ePHI transmitted and stored using encryption technologies to protect the data?
Cybersecurity Awareness Training
As part of the HIPAA Security Rule, covered entities (i.e., your practice) are required to undergo cybersecurity awareness training to help mitigate the risk of human error and minimize the chances of being exposed to an attack. Recent data points to a 50%-75% reduction in cyberattacks against healthcare entities that properly train their staff.
Perhaps the most vulnerable components of a network are the people using it — the orthodontist and staff. Social engineering, often referred to as “hacking the human,” is the most prominent threat vector impacting practices and is often the least discussed. As advancements are made in security, hackers begin to rely increasingly on humans making mistakes. For example, most ransomware attacks are initiated via spear phishing, which is designed to fool an email recipient into opening an email that appears to be coming from someone he/she knows or trusts. An email may be sent to the staff, purporting to be from the orthodontist, asking them to open an attachment or click on a link to update or download something. Once they initiate the action, an executable file may run, which is a ransomware attack. The ransomware typically encrypts the current computer and then searches the network for other machines. Once it finds the server, depending on the complexity and lethality of the attack, the ransomware will encrypt most of, or all of, the files on the server. This results in the files becoming inaccessible to anyone unless the user pays the ransom to the hackers to have the data decrypted. This is typically done using a cryptocurrency such as Bitcoin or Monero. Often, however, the files are not returned and, if they are returned, a time bomb attack may be set up that will impact the files again shortly thereafter. The hacking should be reported to law enforcement authorities.
For a ransomware or a network breach to occur, a network typically needs to have vulnerabilities. Examples of vulnerabilities include unpatched operating systems, outdated equipment, weak passwords, open ports on computers or firewalls, unsecure network protocols, and improperly configured firewalls. Cybersecurity firms deploy very sophisticated tools and technologies to search for “open doors and windows” on your network that hackers use to exploit. These tools gather information on your network and run tests against the devices searching for vulnerabilities. This data is then turned over to the practice’s IT company for remediation purposes, and the IT company can effectively lock the “doors and windows.” Cybersecurity companies invest heavily in best-in-class vulnerability scanning technologies that can detect thousands of vulnerabilities on a practice’s network. Testing should be performed quarterly or whenever network devices are upgraded, modified, or added.
The final cybersecurity pillar is penetration testing, which utilizes a “white-hat hacker” (ethical hacker) who uses the same tools, techniques, and protocols that a cyber-criminal would use to try and “break into” your network. Unlike a vulnerability scanner, an ethical hacker has the capacity to problem-solve during the testing. For instance, a vulnerability scanner will get to a locked “window” and not know how to progress. Essentially, it stops and moves on to something else. A hacker, based on his/her experience, will see that the “door” is locked but may run a certain script to pop the door open. Ethical hackers use their experience to exploit networks in a way an automated tool simply cannot. After ethical hackers finish their testing, they turn their findings over to your IT company so they can mitigate the risks.
The Cost of a Breach
The U.S. Department of Health and Human Services has strict guidelines in place regarding what is required to protect patient records. In the event of a data breach, the Office of Civil Rights will be notified and will conduct an investigation into the breach. They will want to see proof that the practice has complete HIPAA documentation in place and has provided HIPAA and cybersecurity training, and will ask what has been done to harden the practice’s network.
You have spent years to become an orthodontist, growing and building your practice, your reputation, and your patient’s trust. The risk of a data breach is real, and you should not be passive. You need to take a proactive approach to secure your network before this happens to you. Practitioners who have experienced data breaches all say the same thing: “This is one of the worst things that can happen to you.” The financial and social impact on your practice is debilitating. The cost for mitigating a breach can run into the hundreds of thousands of dollars and may result in a significant loss of patient trust. Fortunately, if a practice implements sound cybersecurity solutions, trains its staff, and puts a hyper focus on security, almost all attacks can be thwarted.