Editor’s intro: Cybercriminals may already be phishing your staff or planning an attack on your patient files and database. Read Gary Salman’s article to see how you can avoid becoming a victim of these threats to your information.
Gary Salman outlines what orthodontic practices can do to prevent identity theft
It seems that you can’t turn on the TV or visit your favorite news website without reading about cyberattacks crippling businesses and healthcare entities across the United States. Unfortunately, orthodontic practices are now becoming the victims of similar attacks. We often hear orthodontists say, “Why would they want to come after my practice?” Many orthodontists think that because they don’t store “medical records,” they don’t have to worry about protecting patient files. If you store any patient data in your system, it needs to be protected. Practices store information that is ideal for identity theft and extortion (e.g., name, address, date of birth, Social Security number, names of family members, scans of driver’s licenses and insurance cards, health history forms, images, and lab reports). When hackers obtain this information, they use it to commit identity theft against your patients and/or sell it on the Dark Web, the underground market where stolen data is bought and sold.
As an orthodontist, you hold one of the highest-risk databases in healthcare because of the nature of your patients: minors. If your practice has a data breach, the HIPAA Breach Notification Rule requires you to notify every affected patient without unreasonable delay (and no later than 60 days after discovery) and to notify the Department of Health and Human Services. If the breach affects more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that area. Offering identity theft monitoring is not mandated by the rule, but it is common practice and is generally expected by affected families. Imagine the uncomfortable conversations you will have with hundreds of parents about their child’s data being compromised and possibly used by criminals for identity theft. Even worse, what happens if you do not have proper security in place and suffer a breach you are not aware of? Years later, you start finding out about it, and it is uncovered that numerous patients in your system were victims of identity theft. Minors may not become aware that identity theft occurred until they apply for a credit card or college loan and are turned down because of a damaged credit history. The burden and stress on you and your practice are real. In a 2011 Carnegie Mellon CyLab study of identity-protection scan data, children’s Social Security numbers were 51 times more likely than adults’ to be in use by someone else.1
Cybercriminals are targeting practices in two main ways. The first is through phishing or spear phishing campaigns. The attackers send blanket or targeted emails to you and your staff with the intent of getting them either to click on something or to give up the credentials to your network or email system. We have seen many instances where a practice’s email system gets hacked, and the hackers then send emails to the practice’s patients with malware attached. Because those messages come from the practice’s real account, they pass the patients’ spam filters and look legitimate. Imagine opening an email from your orthodontist, clicking on what appears to be an invoice, and then getting hit with a ransomware or malware attack.
Hackers are also breaking in through vulnerabilities (“unlocked doors and windows”) on your network or, even worse, through your IT vendor. We are now seeing scenarios where practices are targeted because their IT company, or even their accountant’s office, has been hacked and the criminals then use data from these entities to attack or target their practices. You can no longer rely solely on your IT company to protect your network. IT companies are not cybersecurity companies. You need the expertise and knowledge of a specialist in cybersecurity to help ensure the security of your network. Hackers can scan your network for vulnerabilities in a matter of minutes and then identify and exploit those vulnerabilities to gain access. This approach is much more common than you may imagine. In the fall of 2018, the FBI and the Department of Homeland Security posted a bulletin warning that advanced persistent threat (APT) actors were targeting IT and managed service providers in order to use those firms’ access to attack their clients. Since your IT vendors typically store your IP address, user name, and password in their database, a breach of that vendor gives the cybercriminal the “keys to your castle.” Ask your vendor how its remote-access credentials for your practice are stored and whether that access requires multifactor authentication; a plaintext list of client passwords is exactly what these attackers are after.
You have worked too long and hard to build your reputation in the community, and a data breach can be devastating. An undetected vulnerability on your network or even one “wrong click” on an email or attachment could negatively impact your practice. Don’t be the next victim.
Protecting against phishing and other types of cyberattacks is also addressed in another article by Gary Salman, “The four pillars of cybersecurity for the orthodontic practice.”
- Power R. Child Identity Theft. Carnegie Mellon CyLab. 2011. https://www.cylab.cmu.edu/files/pdfs/reports/2011/child-identity-theft.pdf. Accessed July 16, 2019.