Cyber criminals continue to target the health care sector, accelerating their efforts in pursuit of medical, financial and personal data. October is Cybersecurity Awareness Month, offering an opportunity for dental offices to evaluate their privacy, data protection and compliance practices and boost them with new resources.
CDA members have increasingly reported cyber fraud attempts in the dental practice:
- Scammers posing as state dental board and FBI investigators on phone calls to solicit a dentist’s participation in an “investigation,” resulting in significant financial loss.
- Phishing emails disguised as notifications of an HHS complaint.
- Hacking a practice email to send malware-infected emails to 122 patients.
- Encrypting practice software so that it could not be accessed until ransom demands were satisfied.
Gaps in dental practices’ cybersecurity
A recent survey of 214 health care IT leaders and practice managers from small health care practices found that 98% believe they are HIPAA compliant, despite serious security and compliance gaps. Among the problems identified:
- Nearly all organizations surveyed had not implemented secure email transfer protocols.
- Practices often misunderstand HIPAA requirements (for example, assuming patient consent removes the need for encryption).
- Many lacked basic tools like email archiving, audit trails or sufficient anti-phishing controls.
For practices of every size, a cybersecurity breach could result in regulatory penalties, loss of patient trust, financial cost and long-term reputational damage.
Resources to support practice teams
CDA analysts have developed a full set of dentistry-focused cybersecurity resources for members. Here are a few highlights:
- Cybersecurity Toolkit: Prepare for, respond to and recover from cyberattacks with these newly added resources:
  - Why Multi-Factor Authentication Is a Must for Your Practice
  - The Role of Front Office Staff in Cybersecurity
  - The Safest Ways to Share Passwords
  - How To Spot Phishing Emails
  - Protecting Your Practice: The Importance of Software Updates
- Cyber Incident Response Steps: Follow this action plan if patient data is compromised.
- HIPAA Safeguards and Training Resources: Document and maintain technical, physical and administrative safeguards.
Members can sign in to access more Privacy and HIPAA tools, including sample forms, data breach risk assessment training and guidance on practice owners’ and staff members’ roles and responsibilities.
As the federal lead for the annual Cybersecurity Awareness Month campaign, the Cybersecurity and Infrastructure Security Agency also offers the Cybersecurity Awareness Month 2025 Toolkit with posters, digital graphics and messaging to raise awareness among business owners, staff, clients and patients.
Your 5-step plan to strengthen cybersecurity
- Conduct a HIPAA risk analysis: Use guidance from CDA’s regulatory expert to identify where patient data is stored, how it is accessed, who has access and how secure those systems are.
- Train your team: Train staff to combat threats by recognizing phishing emails, handling patient records securely and following proper data breach protocols.
- Review policies and procedures: Ensure your privacy policies reflect federal HIPAA requirements and California privacy laws. Review and update any business associate agreements. Ensure technical, administrative and physical safeguards are in place.
- Test and practice incident response: Document, share and rehearse your plan of action if there is a breach: who to notify, next steps to resolve and how to communicate both internally and with patients.
- Review cyber liability insurance: CDA members who are business owners have access to comprehensive Cyber Suite Liability coverage, with tools for responding to and recovering from a broad range of incidents beyond data breach. Request a free policy review to compare your current coverage and ensure that you’re adequately protected.
By making cybersecurity a priority in October and maintaining momentum throughout the year, the whole team can protect patient information and the practice’s reputation and avoid potentially high costs.

