Another day, another call about a dental practice getting ransomware. Sadly, more and more dental practices are experiencing this stressful and expensive extortion. But what if I told you it was almost entirely preventable?
A quick history lesson…
Ransomware first made its debut in 1989 with the AIDS Trojan, also known as PC Cyborg. Biologist Joseph L. Popp sent 20,000 infected diskettes (for those of you that know what that is – we are officially old!) labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. After 90 reboots, the Trojan hid directories and encrypted file names. The ransom was $189 to be mailed to a P.O. Box in Panama. A drop in the bucket compared to what current-day hackers are demanding!
Around 2006, criminal organizations started utilizing Trojans to encrypt data and extort people. In 2011, these organizations started targeting businesses, and in response, larger businesses started hardening their defenses. Around this time, many solo hackers started joining together to form larger crime rings, which have since been absorbed by, or financially backed by, nation-state hacking.
The past few years have seen yet another change with hackers turning their eye toward small businesses and their vendors that have access to computer networks. The level of extortion has changed as well. Modern-day hackers will extract a copy of the data and attempt to delete backups, making payment the only option to resume business operations. If you have better, and usually more expensive, backups, you may be able to resume business as usual, but will still have to pay the ransom since the hackers have a copy and will sell it on the dark web. The hackers of 2022 will also attempt to extort people on the data set they extracted.
Fun, right?? So… what’s a small dental practice to do?
First, Take a Breath.
This is a problem that is not going away and will continue to grow and evolve, so the best defense is a strong offense.
The National Institute of Standards and Technology, or NIST, has created guidance with the Cybersecurity Framework, or CSF, on how to protect any business. It is comprehensive, and overwhelming for tech people and non-tech people alike. Their approach is, in a nutshell:
- Identify
- Protect
- Detect
- Respond
- Recover
If you can work out a plan with those five components, it will be easier to break down into tasks that can be easily implemented over time.
Identify Threats and Vulnerabilities
Not only is it a requirement under HIPAA (yep, you read that right), but it’s the best way to find all the ways your practice can become compromised.
It is best to have an independent third party evaluate threats and vulnerabilities. Too often, I’ve seen IT Providers do their own evaluations and either not understand what they should be looking for or attempt to make themselves look amazing for job security. The goal should never be to make anyone look bad, but rather, to find vulnerabilities with the goal of minimizing overall risk.
Protect Your Practice
Understanding the current standards to protect your practice is imperative. Having anti-virus and backups alone is no longer sufficient protection for sensitive data. As a dental professional, you have a standard of care you adhere to; think of this as standard of care for your data. You know that standards change over time with how you treat patients; it’s the same with data security.
Confusion about this topic has been consistent among dental professionals for decades, because to be frank, it is confusing. The technology itself is complicated and the people that understand it don’t know how to explain it in layman’s terms. It’s no wonder data breaches and security incidents persist!
If you are just starting to make changes, start with the BIG 7:
- Anti-Virus: business grade anti-virus that is updated, monitored and documented.
- Patching: operating system updates as well as internet program patches (e.g., Chrome, Firefox, Silverlight, Adobe, etc.).
- Firewall: also known as a Unified Threat Management, or UTM device. This is NOT what is built into your internet provider’s modem. Think of a firewall like an armed security guard with explicit instructions on who can and cannot enter.
- Backups: this will be your safety net and needs to be monitored and tested regularly. The current recommendation on backups to address failures and threats is 3-2-1: three kinds of backups, done in two different ways, with one of them offline.
- Passwords: they are a pain all around, but necessary. Utilize password managers to store and help create safe passwords. If you can do one single thing with passwords to improve your security, use a different password for work than at home.
- Wi-Fi: can be separated into segments on your network. Not everything can or should be connected to the healthcare network. Isolating devices such as burglar and surveillance systems, audio speakers, and even a Wi-Fi login for team members will help to limit exposure to hacking.
- Encryption: another pain, but one of the easiest (and usually free) things you can do to protect your business. Servers, backups, email, and even online logins, such as bank accounts, social media accounts and insurance carriers should all be encrypted.
Detect Anomalies and Events
This is best done by an IT provider that offers this service or an outside party that checks for inconsistencies in your network.
Make a Plan for Failures and Know How You Will Respond
You will never have the budget to stop everything, but you can make a plan for that eventual predictable failure and create a bubble around how bad it will be. This will make it a minor inconvenience instead of a major and expensive catastrophe. This plan should be discussed in great depth with your IT provider to ensure you have the current standard of care for all the things mentioned above.
Practice Your Plan for Recovery
You practice for failures all the time. You take BLS training periodically to practice needing to keep someone alive in an emergency. Why wouldn’t you practice for other emergencies?
If you are prone to power and internet outages, practice. If you deal with floods or hurricanes, practice. I personally have dealt with multiple evacuations from wildfires in Northern California, and I can attest that we did not practice, and we did not do well in an emergency.
If a cyber incident is your most likely scenario, as it is with most dental practices these days, practice how you respond. Just remember that ransomware is a crime, and the crime scene must be preserved. This means, under no circumstances should you turn off power. You may remove the ethernet cable, turn off Wi-Fi, or remove power to the internet modem, but turning off power deletes useful information.
Now that you have what feels like a 47,000-step plan, go back to step one.
Take a breath. This will not happen all at once, but it will happen correctly over time, and you will be able to sleep at night. Or at the very least, not lose sleep over a cyber incident.