A quick search on Google brought up numerous dental offices (e.g., Aspen Dental, First Choice Dental, Just Kids Dental, and Risas Dental and Braces) and other dental-related companies (e.g., Absolute Dental Services, Delta Dental of California, Henry Schein, and Managed Care of North America) that were victims of cyberattacks in 2023.
Don’t end up on such a list – it’s time to invest in cybersecurity and in cybersecurity awareness training for staff. Below are some high-level things to think about:
Why are Dental Offices Prone to Attack?
Cyber attackers know that dental offices typically do not invest in or keep up with the latest protocols for their IT infrastructure. They also prize the following data held in dental office systems, which can be used for identity theft or sold on the dark web for that purpose:
- Patient names, addresses and dates of birth
- Family member information
- Social security numbers
- Scans of driver’s licenses and insurance cards
- Credit card information
- Other financial information related to your patients, employees and business
What are the Consequences of a Cyber Attack?
- Business Disruption: You have to focus your time on cleaning up a mess, not serving your patients and growing your business.
- Reputational Damage: Your patients may go elsewhere because they cannot be serviced or they’ve lost trust in you.
- Costs: You will have to hire high-priced experts (including attorneys and cybersecurity experts) to help you navigate the proper response. You also may have to consider whether, and how much, to pay the cyber attacker to get back your data.
- Stress: No matter how high your risk tolerance, nothing could have prepared you for this.
What should Dental Offices do to Minimize the Risk of Cyber Attacks?
- Retain a Firm that Specializes in Cybersecurity: For highly technical matters like these, you need an expert. Look for firms that employ Certified Information Systems Security Professionals (CISSPs) or HealthCare Information Security and Privacy Practitioners (HCISPPs) and that offer real-time vulnerability scanning. Don’t confuse these firms with your typical IT provider, who handles day-to-day issues like computer purchases and installations, networking systems and setting up email; such IT firms typically aren’t equipped to handle complex network security at the level necessary for a medical practice.
- Implement Two-Factor Authentication (2FA): Your systems and software can be set up so that a user needs two independent credentials to access them. That way, if one credential (like an easy-to-guess password) is compromised, the hacker cannot get in without another credential (such as a security code) that is accessible only by the authorized user.
- Tighten Up Configurations: The following are some actions you can take to reduce the potential for compromise; enlist the help of an IT professional if you do not have the expertise to address them:
  - Limit or remove admin rights for staff
  - Limit staff access to systems or software based on “need to know” for their job function
  - Revoke departing employees’ access to the premises and to all systems
  - Close unused ports
  - Consider the implementation of a Virtual Private Network (VPN), which provides a private tunnel for your data and communications while you use public networks
  - Implement cloud security
- Train Your Staff: Even the best technical protections won’t help if staff members fall prey to phishing emails and social engineering tactics that compel them to click on links or attachments and/or provide confidential information online or over the phone. Train your staff on what to look for and what not to do on business computer systems.
- Purchase Cyber Insurance: Such insurance can help you weather the financial impact of a cyber attack; as with any insurance policy, you’ll need to read the fine print to understand exclusions and limits. NOTE: While cyber insurance may be helpful, it is not a substitute for doing the right things up-front (such as those listed above) to minimize the risk of a cyber attack, nor will it help you contain the reputational damage and stress that result from a cyber attack.