Get informed and stay protected
Each day, the odds of a cyber attack on your dental practice increase. And the cyber crime stakes are huge.
Dentists face a double-jeopardy scenario. They run small businesses with limited time and often lack resources for cyber security — yet, they manage and store personal and sensitive information that is incredibly valuable to cyber criminals.
Whether it’s phishing emails used to launch ransomware and encrypt or lock your critical files — or fraudulent emails designed to redirect financial funds — your staff, patients, data, computer systems, and practice are at high risk.
If you believe your dental practice won’t be targeted, it’s time for a few facts.
- Over 93% of healthcare organizations have experienced a security breach of some kind over the past five years.
- In 2018, 15 million patient records were compromised from 503 security breaches in the healthcare sector — three times the number of records exposed in 2017.
- In the past 12 months, 74% of healthcare organizations experienced a security incident — in these attacks, more than 30 million records were compromised.
- Just one of these data breaches (American Medical Collections Agency), in the summer of 2019, compromised the data of more than 25 million patients.
Feeling safe because you retained IT support services? Unless your IT provider has strong cyber security expertise, you are still at risk. In fact, more than 400 dental practices were infected with ransomware last summer due to a ransomware attack on the IT services provider.
Believing your practice won’t be targeted is possibly the worst business assumption you can make. If you suffered a cyber attack and a breach of sensitive data, what would you tell your patients? How would you maintain your reputation and attract new patients? What fines would you be required to pay?
It’s time to understand the cyber threats targeting your dental practice.
Top cyber threats targeting your practice today
Phishing is a cyber attack method that attempts to gather personal information — usernames, passwords, credit card details, even bank account numbers — using deceptive emails and links to malicious websites. An estimated 65% of organizations experienced a phishing attack in 2019.
In fact, the Healthcare Information and Management Systems Society (HIMSS) confirmed that healthcare phishing remains a significant threat — in its 2019 HIMSS Cybersecurity Survey, email was revealed as the initial point of contact for attack in 59% of the security incidents that have taken place in the last 12 months.
Phishing relies on realistic-looking emails to fool recipients into clicking a link or opening an attachment in the email, or even to convince a recipient to share confidential information. For example, a phishing email may land in a dentist’s or team member’s inbox disguised as a message from someone in the very same dental practice or even from an important leader in the industry.
Here are just a few examples of recent healthcare phishing attacks:
— Delta Dental of Arizona: Last July, an employee at Delta Dental of Arizona fell victim to a phishing scam that gave the attacker access to an email account. As you are probably well aware, Delta Dental is one of the largest U.S. dental plan systems with 39 member companies. An analysis of the compromised account found that unauthorized access was suspected to have occurred, and nearly 13,000 people were affected.
— Delta Dental of Illinois: In December 2018, Delta Dental of Illinois notified patients of a potential data breach after employees were targeted by a phishing attack that was attempting to gain their login credentials. The compromised data may have included patient demographic information, dates of birth, dental or vision insurance data, and Social Security numbers.
— American Dental Association (ADA): Three ADA members contacted the ADA to report they received a phishing email signed with ADA President Jeffrey M. Cole’s name that included the ADA logo in an attachment. The attempts did not result in a data breach and an advisory was sent to members.
— Oregon Department of Human Services: The government agency was targeted with a massive phishing attack that compromised more than 2.5 million emails, after nine employees responded to the malicious email. One of the largest breaches of the year, this impacted 645,000 patients.
— UConn Health: More than 326,000 patients were impacted by a phishing attack that accessed a number of employee email accounts. For 1,500 patients, Social Security numbers were breached.
Ransomware is malicious software designed to encrypt your computer files, emails, and other data until a ransom is paid. Strains of ransomware can completely lock your computers and devices, preventing any access to your systems. Cyber criminals are also using two-stage ransomware extortion — attacks known as “doxware” and “extortionware” — that first restrict access to your data, and then threaten to disclose the sensitive data to the public.
Ransomware attacks on the healthcare sector are not only predicted to quadruple this year, they will become even more organized, targeted, and malicious.
Healthcare is an attractive target for ransomware because providers are more likely to pay the ransom to avoid the disruption, downtime, productivity loss, and reputation damage.
If the data is stolen, much of it is resold by hackers on the dark web. From there, it can be used for identity theft and tax scams. One estimate put the value of a stolen medical record at $50 on the digital black market, compared to $1 for a stolen social security number or credit card.
Not convinced ransomware will target your dental practice?
Here are just two examples of ransomware attacks on dental practices:
— Southeastern Minnesota Oral & Maxillofacial Surgery: A ransomware attack exposed the records of an estimated 80,000 Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) patients last September. The IT team responded and isolated the affected server and took steps to restore the encrypted data. It is unclear whether the ransom was paid or if the IT team was able to restore the server from backups.
— Sarrell Dental: An Alabama not-for-profit provider, operating 17 children’s dental and optical clinics in the state, experienced a ransomware attack in late July with widespread file encryption — more than 390,000 patient records were compromised. After the attack, affected clinics were closed for two weeks while the breach was investigated and systems were restored. After investigation, it appeared the attack gained access as early as January.
Business email compromise (email fraud)
According to HIMSS, cyber attacks involving business email compromise (BEC) and phishing are two of the most common cyber threats in healthcare.
In fact, healthcare email fraud attacks have increased 473% in the past two years. Successful attacks can result in losses of hundreds of thousands, or even millions, of dollars.
Similar to phishing, BEC, also known as email fraud, typically targets a company’s financial and procurement departments or a business owner. This type of email attack attempts to initiate a financial transfer to an attacker-controlled account.
BEC scams used to obtain account credentials and facilitate this type of transfer include:
Invoice payment requests
● Attackers may use a legitimate or falsified invoice from one of your vendors or suppliers to request a payment to an account they control.
● Attackers may pose as the dentist (or another leader in the practice) in order to request a payment to an account they control.
These types of tricks or lures are designed for credential harvesting: attempts to grab user names and passwords using a range of fraudulent emails and other social engineering techniques. Spear phishing, a targeted form of phishing, is often used in credential harvesting to gain access. It sends emails specifically to an individual at a healthcare facility to trick the recipient into sharing sensitive information or taking an action through links to malicious websites or attachments.
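A small triage check for the impersonation and payment-request lures described above, as an added example that is not part of the original article: it flags a practice leader's name on an outside address, a Reply-To domain that differs from the sender, and payment wording. The practice domain, leader names, payment terms and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the practice's mail domain, the names an
# attacker would pose as, and the wording that marks a payment request.
PRACTICE_DOMAIN = "example-dental.test"
LEADER_NAMES = {"dr. jane smith", "jane smith"}
PAYMENT_TERMS = ("invoice", "wire", "payment", "bank account")

def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw_message):
    """Return the BEC warning signs present in one raw email message."""
    msg = message_from_string(raw_message)
    display = parseaddr(msg.get("From", ""))[0].strip().lower()
    sender, reply = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    findings = []
    # A practice leader's name attached to an address outside the practice.
    if display in LEADER_NAMES and sender != PRACTICE_DOMAIN:
        findings.append("leader name on external address")
    # Replies would go to a different domain than the visible sender.
    if reply and reply != sender:
        findings.append("reply-to domain differs from sender")
    # Subject or plain-text body asks for money to be moved.
    body = " ".join(str(p.get_payload()) for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment request")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = (
    'From: "Dr. Jane Smith" <jane.smith.dds@mailbox.test>\n'
    "Reply-To: accounts@payments.test\n"
    "Subject: Urgent invoice\n\n"
    "Please wire the payment today to the new bank account.\n")
LEGIT = (
    'From: "Dr. Jane Smith" <jane@example-dental.test>\n'
    "Subject: Staff meeting\n\n"
    "Lunch is at noon on Friday.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, bec_indicators(raw))
```

A message that combines a payment request with either identity finding is the case to verify by phone, using a number already on file, before any money moves.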
Is your dental practice safe from cyber attacks?
Don’t let a cyber attack take your dental practice down. Your business, staff, and patients are too important to risk it — take control of your cyber security now.
Contact our cyber security experts today for a free consultation to identify the security protections you need and how to put them into place easily and painlessly.