In late August, over 400 dental practices were affected in a ransomware cyberattack against DDS Safe, a service from The Digital Dental Record that facilitates secure data backups for dental practice computer systems. Unfortunately, scenarios like this are becoming all too common. As more and more dental practices depend on internet connectivity to conduct administrative activities, the threats and actual incidents of cyberattacks on dental providers have increased proportionally.
A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, networks, data servers, or personal computer devices, including cell phones. Cyberattacks usemalicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.Examples include malicious programs such as malware, phishing, spyware, viruses, and ransomware.
Ransomware, in particular, is a type of malware that denies access to a computer system until a ransom is paid. In a typical attack, an employee unknowingly clicks on an email attachment or visits a website where malicious code is lurking in the background. With one keystroke, software is installed that locks you out of your own files. This most recent cyberattack differed in that instead of targeting dental practices directly, it went after The Digital Dental Record’s remote data backup service to install ransomware on customer’s computers.
Small and mid-sized businesses like dental practices are often targets of cyberattacks because they are less likely to have full protections in place and devoted information technology personnel to prevent such attacks. For dental practices, much of the information they have is critical to their business and vital to the care of their patients. Additionally, under the Health Insurance Portability and Accountability Act (HIPAA), dental practices face major problems if their patients’ protected health information (PHI) is stolen, misused, or unavailable.
According to a November 2018 Federal Trade Commission (FTC) online article on protecting small businesses from ransomware, the best defense against ransomware is prevention. Once the ransomware infects the computer system and encrypts the data inside it, it is most often too late. The cybercrook will then demand a ransom, often in the form of cryptocurrency, to release the data. However, even if you pay, there’s no guarantee that the hackers will live up to their end of the deal and release your data. Law enforcement does not recommend paying a ransom, but it is ultimately up to the affected business to decide.
Under HIPAA’s Security Rule, covered entities are required to adopt adequate means for safeguarding the confidentiality, integrity, and availability of PHI. This includes conducting a security risk assessment regularly to assess security vulnerabilities and the mechanisms currently in place to mitigate them, and then to determine what additional controls, if any, should be implemented to prevent threats to PHI, including ransomware cyberattacks.
For our OSHA Review Subscribers…A checklist to help dental offices conduct a HIPAA security risk assessment is available from OSHA Review’s website, in the clients-only section under OSHA Review/Professional Documents.
Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.