Ransomware attacks on health care facilities are increasing, as are the financial losses incurred by them. In one case reported to TDIC, a dentist had to replace software in the practice due to the extensive damage caused by a virus that gained access through an email attachment. The expenses totaled $49,000 to restore the data, decrypt the data and pay the ransom.
All organizations, including dental practices, that have an online presence or work with digital records are subject to cyber-related risks and the loss of reputation and consumer trust that result. Major corporations that have been victims of data breaches, like Anthem, Yahoo, LinkedIn and, more recently, Capital One, can usually recover financial and data losses because they have the financing, staff and technical expertise to address the problem. But small businesses, including dental offices, aren’t always equipped to respond efficiently and adequately.
Data breaches, malware and ransomware are the most common cyberthreats businesses face today. Ransomware attacks on health care facilities in particular are increasing, as are the financial losses incurred by them, according to the FBI’s 2018 Internet Crime Report and other recent research.
In ransomware scenarios, hackers infiltrate a system, block access to the system and then demand that a ransom be paid in order to lift the restriction. The hackers generally ask for payment by bitcoin or another untraceable digital currency so that the funds are unrecoverable once distributed.
“The health care industry is especially vulnerable to ransomware attacks because hackers know they can access patients’ protected health information and financial records, potentially disrupting delivery of care,” said Taiba Solaiman, senior TDIC Risk Management analyst.
HIPAA Journal reported in March that three separate ransomware attacks affected health care organizations in three states. Over several days, the PHI of nearly 70,000 patients was potentially compromised. Such attacks on U.S. hospitals have even impacted emergency room admissions and diverted ambulances to other area hospitals.
They are costly, too. According to a study by IBM Security and the Ponemon Institute, the cost of a data breach for health care organizations rose from $380 per breached record in 2017 to $408 per record in 2018. Across all industries, health care has the highest cost for data breaches — more than in the financial, technology and communications industries.
In a case reported to The Dentists Insurance Company, a dentist explained that an error message appeared on her office computer as she was trying to access a patient record. She contacted her IT expert, who dialed in remotely and discovered a ransomware virus that might have gained access through an email attachment the dentist had opened. The ransom demand was 2 bitcoin to be paid within 24 hours, after which the price would increase.
Desperate to access her patient records, the dentist paid the ransom to obtain the decryption key. In the meantime, the IT expert hired a forensic specialist to review the data and ensure it wasn’t corrupted. The dentist ultimately had to replace her software due to the extensive damage caused by the virus. The expenses incurred totaled $49,000 to restore the data, decrypt the data and pay the ransom.
“This problem could have been avoided had this dentist been performing regular system backups,” Solaiman said.
Even if hackers grant access once a ransom is paid, Solaiman cautions dentists that there is no guarantee that the recovered data will be “clean” or intact. “Once a system is compromised, there is no assurance that it won’t get hacked again, as often hackers leave a backdoor as a way to regain access to the systems,” she said.
Malware, short for “malicious software,” is another cyberthreat in which criminals infect computers through intrusive emails, web links and pop-up alerts. The malware can be downloaded without one’s knowledge and capture private information.
In a second case reported to TDIC, an employee accessed a nonsecure website for personal use on one of the office computers. Doing so allowed a malware attack, including ransom of patient files. Because the dentist has multiple practice locations with a computer network connected to a single server, the ransomware spread to the files for all practice locations.
TDIC is still investigating the case, but the anticipated loss will range from $85,000 to $90,000, which includes loss of income, payment of the ransom, legal review and IT forensics.
While cybercriminals are becoming more aggressive and infecting more computer systems, human error and insufficient protocol are still leading factors in many data breaches. Here are steps you can take to help protect yourself and your practice from cyberattacks:
Make sure each employee has a unique password that contains a combination of lowercase and uppercase letters, numbers and special characters to deter potential hackers from gaining access. Do not allow staff to share usernames and passwords on any software regardless of whether the software manages or touches patient data.
You can back up your files and data on a network-attached storage device, portable hard drive, USB flash drive or online through sites like Google Drive, Dropbox and Mozy. It’s a good idea to back up files daily and test the data on a regular basis to ensure that it is functioning as intended. This will make recovering data easier in the case of cyberattacks or computer system damage.
Install anti-virus and anti-malware software for all of your devices and update when available. Use an encrypted virtual private network (VPN) when connecting to an unfamiliar Wi-Fi network to ensure a secure connection. These measures will help prevent your data from being compromised.
Educate your staff on the latest cyberthreats by instructing them on how to recognize a phishing email and by sharing YouTube videos developed by IT and security companies, for example. Ensure that the most current version of software is used and that all security patches are installed. Information system activity can be monitored and should be audited regularly: monitor time of access, what files are being accessed, external access, suspicious activities and much more, and review the audit logs on a regular schedule.
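The advice above to back up daily and to test the backups regularly is the point the two TDIC cases turn on: a backup copy that was itself reached by ransomware is discovered only when the restore fails. The following added example (not TDIC's code or procedure) shows one way to test a backup set: record a SHA-256 manifest when the backup is written, then verify it later and report files that vanished, changed, or newly appeared; the directory layout and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large X-ray images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its hash at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the backup set on disk with the manifest written alongside it.

    missing: files gone from the backup; changed: contents no longer match;
    unexpected: files absent from the manifest (e.g. renamed, encrypted copies).
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"missing": missing, "changed": changed, "unexpected": unexpected,
            "ok": not (missing or changed or unexpected)}


def demo():
    """Constructed scenario: a clean backup verifies; then one copy is overwritten and one renamed."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("charts/patient_001.txt", b"chart notes"), ("xrays/img_001.bin", b"\x00" * 4096)):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Test fixture only: damage the backup copies the way a failed restore would reveal.
        with open(os.path.join(root, "charts/patient_001.txt"), "wb") as f:
            f.write(b"garbage")
        os.rename(os.path.join(root, "xrays/img_001.bin"), os.path.join(root, "xrays/img_001.bin.locked"))
        return clean, verify_backup(root, manifest)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup ok:", clean["ok"])
    print("damaged backup report:", damaged)
```

Run it on a schedule against each backup target; keep the manifest somewhere the server cannot overwrite, since a manifest stored beside the backup is lost with it.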
Additionally, the U.S. Department of Health and Human Services in December 2018 published a document that provides guidelines, best practices, procedures and processes that health care providers of all sizes can follow to cost-effectively reduce cybersecurity risks. The document grew out of the Cybersecurity Act of 2015, a legislative mandate to align health care industry security approaches. “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” discusses specific vulnerabilities, their impact and best practices to consider.
Preventing cyberattacks is the first step in protecting your practice. The second is to be prepared should a cyberattack occur. TDIC offers comprehensive Cyber Suite Liability protection just for dentists. The coverage can help you respond to a full range of incidents, including unauthorized intrusion or interference with your computer systems, damage to data from a computer attack and cyber-related litigation.
For more guidance on cybersecurity in the dental office, contact TDIC’s Risk Management Advice Line at 800.733.0633 to speak with a trained analyst.