adapt your dental practice to avoid this financial liability
Cybercrime is rising faster than ever, driven by the business disruption and confusion of COVID-19. A recent INTERPOL report shows an alarming increase in the rate of cyberattacks during the pandemic. Given that the average cost of a data breach in healthcare is $7.13 million, cybersecurity is now more important than ever.
Federico Campbell, vice president of professional services with Cyber Defense Labs, says dental practices are no exception. During his 20-year career working with organizations like the SEC and DOJ, Federico has responded to cyberattacks across nearly every business sector, from large-scale healthcare companies, all the way down to one-doctor dental offices.
“Certainly, the dental industry and healthcare, in general, remains a massive target because of the combination of vulnerable systems and sensitive information such as patient records,” explains Federico. “Cyberattacks have become a criminal enterprise and attackers are looking for financial gain. They are no longer only interested in secret government files or hacking into financial institutions. Really, it’s about the easiest and most efficient way to make money. Unfortunately, that means holding your entire practice’s network or data for ransom, or selling sensitive Personal Health Information (PHI) and patient data.”
While you may be somewhat protected from the financial impact of an attack by a cybersecurity insurance rider or feel that your IT systems are all rock-solid, Federico notes that new vulnerabilities are introduced every day by the speed and adoption of new technology, untrained staff, limited practice resources or simply not having a security mindset across the practice.
Because dental practices are in the business of health and hygiene—not IT—they are extremely vulnerable to a crippling ransomware attack that can hold computer network systems and patient data hostage until you pay a hefty amount of money to the attacker. Even after paying the ransom, a quick return to normal business is far from guaranteed.
“Your liability potential is almost unlimited,” Federico said. “Not just from the direct financial cost of paying the ransom, but the indirect and downstream costs from HIPAA violation fines, lost business, reputational damage, attorney’s fees and restoring IT systems and business operations. These costs can quickly exceed the financial value of the practice. Cyber Defense Labs has responded to incidents where a company simply could not recover from a cyberattack because the costs were just too high. These are existential threats; you’ve also got the value of your reputation at stake, and if reasonable protections are not in place to protect patient data, the government can come after you with hefty additional fines.”
So, what can you do to protect your practice and patients? Federico suggests a three-step process, which can be undertaken on your own or with the help of a professional cybersecurity firm:
Assess where you are
To better understand your risk profile and the cyber threats you face, your practice will need a baseline assessment of your dental practice’s unique environment. That includes examining your current IT infrastructure, associated risks and existing vulnerabilities mapped against the current and evolving cyber threat landscape.
After understanding these risks and the potential impact of a cyberattack on the practice, prioritized decisions can be made on where to invest in security. This step is about being honest with yourself around your current approach to cybersecurity and if you are susceptible to a cyberattack.
For example, if you use cloud services or allow remote access into your practice's network, monitor and audit who has that access, and review the list regularly so that former staff and contractors are removed. If your practice uses third-party software of any kind, find out how it stores and secures your data and, where it handles patient records, whether the vendor has signed a HIPAA business associate agreement.
Federico also cautions that if you operate a multi-office dental practice connected by a network, you may be at higher risk: “The more complicated the environment, certainly the more vulnerabilities and the higher the need to make sure that everything’s locked down.”
Right now, you may have employees working from home during COVID-19 or an external IT contractor using remote access to manage your network from outside the office. It is a good idea to have those connections assessed by a cybersecurity partner for proper configuration to ensure they are secure. Cyber threat actors will take any advantage to exploit the confusion and disruption during the pandemic.
Get buy-in and make changes
After the assessment, it’s time to transform the way your practice leverages technology and systems. This means getting everyone in your practice to make real, tangible changes to their everyday work.
“Oftentimes it’s not a major investment,” says Federico. “It may be a matter of updating your software or implementing strict password policies or enforcing logouts, for example. A big part of this is having a mindset that risk mitigation is not just an IT issue. Practice owners or managers must be very closely involved. It’s not just something that is limited to the staff at a functional level, you need top-down buy-in.”
Many changes are simple to implement and can make a significant impact, such as multifactor authentication, which requires a user to log in and authenticate with 1) something they know, such as a password, and 2) something they have, such as a one-time passcode generated by an authenticator app on their mobile phone. Codes from an app or a hardware token are preferable to codes sent by SMS, which can be intercepted.
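To show what the "something they have" factor actually is, the block below implements the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate and that a login server checks. This is an added illustration written for this page; it is not code from Cyber Defense Labs or from any product the article mentions. The shared secret is the published RFC 4226/6238 test secret, the timestamps are constructed test values, and the verification window and constant-time comparison are the usual server-side choices rather than anything the article prescribes.

```python
"""Added example: TOTP (RFC 6238) generation and server-side verification.
The secret below is the RFC 4226/6238 test-vector secret, not a real credential."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226 test secret "12345678901234567890", base32-encoded as it would
# appear in an authenticator-app enrolment QR code (constructed test value).
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, the authenticator-app default
DIGITS = 6       # length of the code the user types


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP).
    This is what the phone app computes and displays."""
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    return hotp(secret, now // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str,
                at: Optional[int] = None, window: int = 1) -> bool:
    """What the login server does with the code the user typed.
    Accepts the current 30-second step plus/minus `window` steps to tolerate
    clock drift between phone and server, and compares in constant time so
    the check itself does not leak which digits matched."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    step = now // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # Phone side: show the current code; server side: check it.
    code = totp(EXAMPLE_SECRET_B32)
    print("current code:", code, "accepted:", verify_totp(EXAMPLE_SECRET_B32, code))
```

Because the code depends on the shared secret and the current time only, a phished password alone is not enough to log in; the attacker would also need the secret enrolled on the phone. The secret therefore has to be stored on the server as carefully as a password hash, and the window should be kept small so an intercepted code is useful for at most a minute or so.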
Other changes and updates may require specialized attention, such as training staff to properly identify phishing scams that use deceptive emails to trick users into visiting malicious websites or providing sensitive information to a hacker. “User awareness training is the number one most important step to instituting a security-minded practice,” says Federico.
Prioritize and continually improve
While many actions will be clear and immediate as a result of your assessment, some longer-term initiatives may also be necessary. The threat and risk landscape is continually changing, requiring constant vigilance and monitoring on the part of practices. Cybersecurity improvement is not a one-time event, but a continuous ongoing effort.
Once your assessment is complete and initial changes have been made, you will need to remain steadfast to monitor for new risks and additional needed updates to your security. For example, if a new system is brought in-house such as wireless tablets, asking what new vulnerabilities might need to be addressed before bringing them online is vital. This last step is all about making sure there is continual improvement, training and awareness.
“If a legal action, such as an investigation or lawsuit, ever arises following a cyber incident, it is important to show that you had the right mindset in place and you were doing the right thing,” cautions Federico.
“A practice is not expected to have every single security tool and process in place. That is simply not feasible. But as long as the practice has evidence to show that prioritized decisions were made to reasonably make security a part of everything you do, your liability can be limited. Attacks are just becoming much more sophisticated. You can, and should, make ongoing decisions that are appropriate to your business to help mitigate those risks. That goes a long way.”
The most forward-leaning companies regularly meet and train to address cybersecurity threats. These may be in the form of “tabletop exercises,” enabling leadership and staff to roleplay through a cyberattack and know exactly what to do in case of emergency.
Other times, companies will conduct regular network penetration testing or send fake phishing emails to better understand employee awareness and knowledge. What’s most important is that security becomes part of your practice’s culture.
Looking to get started?
Federico notes much of this process can be done independently. A good place to start is the Cyber Essentials guide from the Cybersecurity & Infrastructure Security Agency, newly charged by the U.S. government to defend against today’s cyber threats and build more secure and resilient infrastructure for the future.
However, if you are interested in a thorough, independent, and external point of view, Cyber Defense Labs can perform simple baseline tests that assess your network, environment, and cloud software—all of which the company can do with minimal business disruption. For CWA clients who are also ELITE Dental Alliance members, discounted pricing is available.
The important part is to start having a security-minded approach today, even a small change like updating to more secure passwords with multifactor authentication. Remember, even the most minor action you take can significantly bolster your cybersecurity and protect you and your patients from criminals.
Looking for more ways to mitigate risk and increase profitability in your practice? Our team of advisors can devise a comprehensive financial strategy custom fit for you. Contact us today for a complimentary consultation.