Imagine opening an email and suddenly finding that you are locked out of all your dental patient files. That’s exactly what happened to a dentist in Atlanta last year. The situation is becoming more common as hackers look for new ways to profit from smaller businesses like dental offices.
Tony UcedeVelez of VerSprite, a cybersecurity firm for healthcare practitioners, said, “A lot of businesses have been hit by this in recent months, and the ransom can be anywhere from $50,000 to even $200,000.” Symantec found that of 5,700 computers infected with ransomware in a single day, roughly three percent of the victims paid; at an average ransom of just $200, Symantec put the attackers' take at about $33,600 per day. This is becoming a big problem for dental practices of all sizes.
What Is Ransomware?
Ransomware is a new twist on hacking. Instead of stealing data and selling it on the black market, attackers plant malware that encrypts patient data in place and then demand that the dentist pay a ransom for the key needed to get the data back. Paying is no guarantee that a working key will be delivered.
File-encrypting ransomware became a widespread threat at the end of 2013, when one strain infected thousands of computers within days of its appearance. Its most effective point of entry is still an e-mail attachment that a user opens, launching an executable file.
A research study conducted by security company Bromium reported that traditional anti-virus software has not been effective at preventing sophisticated ransomware attacks. Attackers normally demand payment in a cryptocurrency such as Bitcoin because such payments are harder for law enforcement to trace back to a person.
Recommendations to Avoid A Cyber-attack
Here are some recommendations on what dental practices can do to reduce their exposure:
- Make regular backups of patient data and financial records, and keep at least one copy offline or otherwise unreachable from the office network (a disconnected drive, or a cloud service that retains earlier versions). Ransomware encrypts every drive it can reach, including mapped network shares and attached USB disks, so a backup that is always connected can be encrypted along with the originals. Test restoring from the backup periodically.
- Create a disaster recovery plan with help from IT and security professionals.
- Apply security patches to the operating system, web browsers, office software and practice-management software, and keep the antivirus product and its signatures up to date.
- Train your staff to recognize phishing e-mails, including messages that appear to come from someone they know.
- Don't click links inside unsolicited e-mails. Many e-mail systems can be configured to quarantine suspicious messages automatically.
- Recognize that attachments are the most common way malware enters a system.
- Talk to a cyber-security professional about safe browsing on the web.
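The attachment advice above is what a mail gateway or help-desk triage script actually enforces. The following is an added example, not code from the original article or from any vendor named in it: it parses a constructed sample message (labelled as constructed in the code, not a real phishing e-mail), flags attachment names that commonly carry ransomware droppers (executables, macro-enabled Office files, archives, and "invoice.pdf.exe"-style double extensions), and records a SHA-256 of each part so the file can be looked up or reported later. The function names, the extension lists and the sample addresses are my own choices.

```python
"""Triage e-mail attachments the way a mail gateway would: parse the message,
flag attachment types that commonly carry ransomware droppers, and record a
SHA-256 of each part for later lookup or reporting. Added example; the
extension lists below are illustrative, not an authoritative block list."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Program files that should never arrive unsolicited.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk", "jar"}
# Office formats that can carry macros, the other classic dropper.
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Archives cannot be inspected here and often wrap one of the above.
ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img", "cab"}
# Benign-looking "inner" extensions used to disguise a program file.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the hash an incident report asks for."""
    return hashlib.sha256(data).hexdigest()


def classify(filename: str) -> list:
    """Return the reasons an attachment name is suspicious (empty list = fine)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)  # keep up to two extensions
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        reasons.append("executable")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled office document")
    if ext in ARCHIVE_EXT:
        reasons.append("archive (contents not inspected)")
    # "invoice.pdf.exe": the icon says PDF, the operating system runs a program.
    if len(parts) == 3 and parts[1] in DECOY_EXT and reasons:
        reasons.append("double extension")
    return reasons


def triage_message(raw: bytes) -> list:
    """Parse an RFC 5322 message and return one record per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        records.append({
            "filename": name,
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "reasons": classify(name),
        })
    return records


def build_sample() -> bytes:
    """Constructed sample message for the demo: a lure plus three attachments.
    The attachment bodies are placeholder bytes, not real documents or malware."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"      # constructed sender
    msg["To"] = "frontdesk@example.org"      # constructed recipient
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice and remit payment today.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ constructed placeholder, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"PK constructed placeholder", maintype="application",
                       subtype="zip", filename="scans.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for rec in triage_message(build_sample()):
        verdict = "QUARANTINE" if rec["reasons"] else "allow"
        print(f"{verdict:10} {rec['filename']:20} {rec['size']:6d} bytes "
              f"sha256={rec['sha256'][:16]}... {', '.join(rec['reasons'])}")
```

A real gateway would also open archives and inspect the file's magic bytes rather than trusting the name alone; this script is deliberately limited to the name-based checks the article's advice is about, and records the hash so that a flagged file can be searched for or submitted with a report.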
Dental offices, along with many other healthcare providers, are often considered easy targets by hackers under the assumption that their computer systems will be basic and security nonexistent. Up-to-date anti-malware protection, combined with training your staff to recognize phishing scams, makes the most effective defense.
What to Do If You Are a Victim of Ransomware
Even if you follow all of these precautions, your dental practice may still fall victim to an attack by a determined hacker. The first thing to do is disconnect the affected computers from the network (unplug the network cable or turn off Wi-Fi) so the encryption cannot spread to shared drives and backups. Then report the incident to the FBI by filing a complaint at the Internet Crime Complaint Center (IC3).
The FBI's Cyber Division recommends that you include every scrap of information you can gather, such as the Bitcoin wallet address, any transaction data, the ransom note, and the file hash of the ransomware or the original e-mail. The Justice Department estimated that in 2016 there were more than 4,000 ransomware attacks per day, four times the 2015 rate.
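The indicators the FBI asks for above (the file hash and the payment address) can be pulled from the evidence mechanically, and doing so catches transcription errors before they reach a report. The following is an added example, not the FBI's tooling or code from the original article: it hashes a suspect file, extracts candidate Bitcoin addresses from a ransom note, and validates each with the Base58Check checksum so a mistyped address is rejected. The note and the "suspect file" are constructed placeholders built in the code; the function names are my own. It handles only legacy addresses beginning with 1 or 3, not newer bech32 ("bc1...") addresses, which use a different checksum.

```python
"""Collect reportable indicators from a ransomware incident: the SHA-256 of
the suspect file and any payment addresses in the ransom note, validated with
Base58Check so obvious false positives and typos are dropped. Added example."""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses: P2PKH start with "1", P2SH with "3".
# Bech32 "bc1..." addresses use a different checksum and are not handled here.
ADDR_RE = re.compile(r"\b[13][" + ALPHABET + r"]{25,34}\b")


def b58decode(s: str) -> bytes:
    """Decode a base58 string; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)   # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode; used here only to build labelled sample data."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def valid_base58check(addr: str) -> bool:
    """True if addr decodes to version(1) + hash(20) + checksum(4) and the
    checksum equals the first 4 bytes of double-SHA-256 of the first 21 bytes."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def make_address(version: int, hash160: bytes) -> str:
    """Base58Check-encode a version byte plus a 20-byte hash (sample data only)."""
    payload = bytes([version]) + hash160
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def extract_indicators(note: str, suspect_file: bytes) -> dict:
    """Hash the suspect file and split note addresses into valid and rejected."""
    candidates = set(ADDR_RE.findall(note))
    return {
        "sha256": hashlib.sha256(suspect_file).hexdigest(),
        "wallets": sorted(a for a in candidates if valid_base58check(a)),
        "rejected": sorted(a for a in candidates if not valid_base58check(a)),
    }


# Constructed sample data. The "good" address is built from a hash of a fixed
# string, so it is syntactically valid but belongs to nobody; the "bad" one is
# the same address with its last character changed, as a typo would produce.
GOOD_ADDR = make_address(0, hashlib.sha256(b"constructed sample, not a real wallet").digest()[:20])
BAD_ADDR = GOOD_ADDR[:-1] + ("a" if GOOD_ADDR[-1] != "a" else "b")
SAMPLE_NOTE = f"""!!! YOUR FILES HAVE BEEN ENCRYPTED !!!
Send 2 BTC to {GOOD_ADDR} within 72 hours.
Support reference: {BAD_ADDR}
"""
SAMPLE_FILE = b"MZ constructed placeholder, not real malware"

if __name__ == "__main__":
    result = extract_indicators(SAMPLE_NOTE, SAMPLE_FILE)
    print("suspect file sha256:", result["sha256"])
    print("wallet addresses to report:", result["wallets"])
    print("rejected (bad checksum):", result["rejected"])
```

Record the hash before the file is moved or cleaned up, and keep the original ransom note and e-mail as files rather than retyping their contents: a single wrong character in a wallet address, as the rejected sample shows, makes the indicator useless.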
Patient Disclosure Obligations in Case of a Breach
Dealing with the aftermath of a breach can be more costly than the crime itself. Dentists are HIPAA covered entities, and the HIPAA Breach Notification Rule requires them to notify each affected patient without unreasonable delay and no later than 60 days after the breach is discovered; a business associate that discovers a breach must notify the dentist within the same 60-day window. If the breach affects more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that area. HHS must be notified without unreasonable delay, and within 60 days of discovery, when 500 or more patients are affected; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. HHS guidance treats the ransomware encryption of electronic patient records as a presumed breach unless a documented risk assessment shows a low probability that the data was compromised.
The notification must include:
- A brief description of what happened, including the date of the breach and the date it was discovered, if known.
- The types of unsecured patient information involved (for example, names, Social Security numbers, dates of birth, addresses, account numbers or diagnoses).
- The steps patients should take to protect themselves from potential harm.
- A brief description of what you are doing to investigate the breach, mitigate the harm and protect against further breaches.
- Contact procedures for questions, which must include a toll-free telephone number, an e-mail address, a website or a postal address.
Notice to patients must be in writing, sent by first-class mail, or by e-mail if the patient has agreed to receive electronic notices. If your contact information for 10 or more patients is out of date or insufficient, you must provide a substitute notice: either a conspicuous posting on the home page of your website for at least 90 days or a conspicuous notice in major print or broadcast media where the affected patients live, in both cases with a toll-free number that stays active for at least 90 days. For fewer than 10 unreachable patients, an alternative written notice, a telephone call or other means is sufficient.
Responding to Ransomware
Hacking and holding data for ransom are no longer just a problem for major corporations. Small businesses and dental offices are being hit with ransom demands with greater regularity. Be very careful about opening unsolicited e-mails, avoid attachments when possible, install safe-browsing limits and talk to a cybersecurity expert about disaster recovery methods. If you are the victim of a ransomware attack, there are steps you can take, but the safest route is to maintain offline backups of your data and verify that you can restore from them, so that these attacks don't cripple your practice.
Contact Goldin Peiser & Peiser for more information about strategies and solutions to protect and improve your practice.
Note: This content is accurate as of the date published above and is subject to change. Please seek professional advice before acting on any matter contained in this article.