Each day, the odds of a cyber attack on your dental practice increase. And the cyber crime stakes are huge.
Dentists face a double-jeopardy scenario. They run small businesses and often have limited time and resources to invest in cyber security—yet, they manage and store personal and sensitive information that is incredibly valuable to cyber criminals.
Whether it’s phishing emails used to launch ransomware that encrypts or locks your critical files, or fraudulent emails designed to redirect funds, your staff, patients, data, computer systems, and practice are at high risk.
Cyber security stats for dental practices to know
If you believe your dental practice won’t be targeted, it’s time for a few facts.
- Over 93% of healthcare organizations have experienced a security breach of some kind over the past five years.
- In 2018, 15 million patient records were compromised from 503 security breaches in the healthcare sector.
- In the past 12 months, 74% of healthcare organizations experienced a security incident. In these attacks, more than 30 million records were compromised.
- Just one of these data breaches compromised the data of more than 25 million patients.
If you suffered a cyber attack and a breach of sensitive data, what would you tell your patients? How would you maintain your reputation and attract new patients? What fines would you be required to pay?
It’s time to understand the cyber threats targeting your dental practice (and what you can do about them).
Top cyber threats to dental practices
Phishing is a cyber attack method that attempts to gather critical information—usernames, passwords, and even bank account numbers—using deceptive emails and links to malicious websites. An estimated 65% of organizations experienced a phishing attack in 2019.
In fact, the Healthcare Information and Management Systems Society (HIMSS) confirmed that healthcare phishing remains a significant threat. Its 2019 HIMSS Cybersecurity Survey found that email was the initial point of contact for the attack in 59% of the security incidents that took place in the preceding 12 months.
Phishing relies on realistic-looking emails to fool recipients into clicking a link, opening a file, or even sharing confidential information. For example, a dentist or team member may receive a phishing email disguised as a message from someone in the same dental practice or from an important leader in the industry.
Recent healthcare phishing attacks:
Last July, an employee at Delta Dental of Arizona fell victim to a phishing scam that gave the attacker access to an email account. As you are probably well aware, Delta Dental is one of the largest U.S. dental plan systems, with 39 member companies. An analysis of the compromised account led to the suspicion that unauthorized access had occurred, and nearly 13,000 people were affected.
In December 2018, Delta Dental of Illinois notified patients of a potential data breach after employees were targeted by a phishing attack that was attempting to gain their login credentials. The compromised data may have included patient demographic information, dates of birth, dental or vision insurance data, and Social Security numbers.
Three American Dental Association (ADA) members contacted the ADA to report they received a phishing email signed with ADA President Jeffrey M. Cole’s name that included the ADA logo in an attachment. The attempts did not result in a data breach and an advisory was sent to members.
The Oregon Department of Human Services, a government agency, was targeted with a massive phishing attack that compromised more than 2.5 million emails, after nine employees responded to the malicious email. One of the largest breaches of the year, this impacted 645,000 patients.
More than 326,000 patients of UConn Health were impacted by a phishing attack that accessed a number of employee email accounts. For 1,500 patients, Social Security numbers were breached.
Ransomware is malicious software designed to encrypt your computer files, emails, and other data until a ransom is paid. Strains of ransomware can completely lock your computers and devices, preventing any access to your systems.
Cyber criminals also use two-stage ransomware extortion—known as doxware and extortionware—that first restricts access to your data, then threatens to disclose the sensitive data to the public.
Ransomware attacks on the healthcare sector are not only predicted to quadruple this year, but they will also become even more organized, targeted, and malicious.
Healthcare is an attractive target for ransomware because providers are more likely to pay the ransom to avoid disruption, downtime, productivity loss, and reputation damage.
If the data is stolen, much of it is resold by hackers on the dark web. From there, it can be used for identity theft and tax scams. One estimate put the value of a stolen medical record at $50 on the digital black market, compared to $1 for a stolen Social Security number or credit card.
Recent ransomware attacks on dental practices:
A ransomware attack exposed the records of an estimated 80,000 Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) patients last September. The IT team responded and isolated the affected server and took steps to restore the encrypted data. It is unclear whether the ransom was paid or if the IT team was able to restore the server from backups.
Sarrell Dental, an Alabama not-for-profit provider operating 17 children’s dental and optical clinics in the state, experienced a ransomware attack in late July with widespread file encryption—more than 390,000 patient records were compromised. After the attack, affected clinics were closed for two weeks while the breach was investigated and systems were restored. The investigation indicated that the attackers had gained access as early as January.
Business email compromise (email fraud)
According to HIMSS, cyber attacks involving business email compromise (BEC) and phishing are the two most common cyber threats in healthcare. In fact, healthcare email fraud attacks have increased by 473% in the past two years. Successful attacks can result in losses of hundreds of thousands, or even millions, of dollars.
Similar to phishing, BEC, also known as email fraud, typically targets a company’s financial and procurement departments or a business owner. This type of email attack attempts to initiate a money transfer to an attacker-controlled account.
Is your dental practice safe from cyber attacks?
Don’t let a cyber attack take your dental practice down. Your business, staff, and patients are too important to risk it—take control of your cyber security today.
Contact our cyber security experts today for a free consultation to identify the security protections you need and how to put them in place easily and painlessly.