By Greg and Wayne Polakoff

One click on an email did it. A dental office employee clicked on an email link that downloaded ransomware onto the practice’s computer server. Within minutes, all of their patient records were locked. What happened next was right out of a cyber-spy novel. The office staff were denied access to any dental records. The records were held for ransom – just like a kidnapping – with the hackers demanding payment to release them. If payment was not made, the hackers claimed they would sell the records to the highest bidder.

Does that sound like science fiction? It is not! It happened to two separate dental practices just last year. One dental office in Nevada was shuttered for five days while its IT support extracted the ransomware from the system and restored the records from a backup. In the meantime, a Health and Human Services (HHS) investigation into HIPAA non-compliance began. It was determined that nearly 3,900 patient records had been stolen, including names, addresses, social security numbers, and health records – everything a hacker needs to steal an identity. The dental practice contacted all of its clients and told them of the breach. It offered free credit monitoring for one year.

The second dental practice, in New York, was attacked in a similar way to the Nevada dentist. Almost 3,500 client medical records were stolen. The hacker demanded a payment or the records would be sold over the darknet. When the dentist refused to pay, the hacker made good on his threat. This same hacker stole over 180,000 patient records from various healthcare service providers and posted them for anyone to view and download.

Can you afford this kind of fiasco?

Being hacked is more than a mere inconvenience to a dental practice. It can shut you down in more ways than one. If you are dealing with ransomware, you are at the mercy of the hackers and their demands. Even if you are performing regular backup procedures, it can be days before a normal IT clean sweep will be able to get you running again. How long can you afford to be down? There is also the impression a data breach leaves on your patients. Are you likely to lose clients? Yes, of course you will! The third impact of a hack is the scrutiny you will garner from HHS, which will likely proceed with a HIPAA compliance investigation. That could cost you up to $100,000 per occurrence.

Solutions to prevent a shutdown

What can you do to keep this from happening to your practice? There are steps you can, and should, be taking to keep your office from being shuttered because of a hack. How you are backing up your computer system will help protect you. Dental offices are restricted by HIPAA in both the manner and the number of backups of their computer systems. It is a matter of federal law that you provide both an onsite and offsite encrypted backup of your system. We recommend using a Hybrid Cloud Disaster Recovery backup. This makes two duplicate copies of your server. One is stored at your office and the other is stored in the cloud. When this is coupled with a Continuous Recovery system, you have the most recent information in two backup locations. How does this help you if you are hacked? Your office server can be completely shut down while you run your office from the cloud backup. Within minutes of an attack on your system, we can securely get you back up and running.

That explains what can be done if you are the victim of a hack. But how do you keep malware, ransomware, and other viruses from ever getting to your computers? The more sophisticated hackers become at disguising viruses, the less likely your normal filters are to catch them. We suggest a fourfold approach to solve this problem.

  • Use robust anti-malware software that monitors traffic for any suspicious activity. Medical facilities are prime targets for sophisticated attacks, such as malicious cookies – a script that is stored on your computer and later used to attack your files. Your off-the-shelf virus protection won’t find this kind of activity. We recommend using anti-malware that monitors traffic on your complete computer system (servers and all devices used in your office), alerts you to suspicious activity and, very importantly, blocks bad websites before they load on any of your browsers.
  • Utilize managed anti-virus software. This is centrally managed and updated in real time as virus alerts are received. When files are opened or downloaded by you, they are first scanned and then either opened or blocked. The key is to keep bad files from ever being run on your system. This prevents clever hackers from disguising harmful attachments and links as something legitimate. It also keeps you and your employees from accidentally clicking on a bad file.
  • Use risk intelligence scanning. It scans all your computer equipment to look for any storage device that might contain electronic personal health information (ePHI). This is highly regulated by HIPAA and is a source of vulnerability for many dental offices. Risk intelligence scanning monitors your network for suspicious changes. If something unusual is happening with ePHI files, it alerts us immediately.
  • Use spam filtering that not only alerts you to potentially dangerous emails but also recognizes and stops all infected messages. We recommend using a spam system that can be accessed from any computer or device and is independent of the spam filter your email provider offers. On top of protecting you from viruses, a remote spam filter will allow you to access your email even if your provider goes offline and normal email is interrupted. For dental offices, we recommend you use a source that works with Office 365.

Protecting your dental office from a malicious cyber attack is critical. No one wins when your computer system is left unguarded. It is a matter of good business and it is the law. For more information about your system, contact us.

Greg and Wayne Polakoff are IT Consultants with NFC IT. They specialize in Dental Practice computer system security and compliance. Contact them at gpolakoff@nfcit.com or wpolakoff@nfcit.com.