Orthodontists have a duty to protect the sensitive data their practices hold to the best of their ability. Once you start storing people's information, you are legally obliged to follow the same rules as any other business that holds such records, and those rules include notifying every affected patient if a breach occurs in your practice.
Imagine the PR nightmare and the uncomfortable conversations of having to contact every patient to tell them that information they entrusted to your practice has been breached. On top of that, identity theft monitoring would have to be offered to all affected minors simply because your practice compromised their information.
Patient data is built on trust, and once that trust is broken it is very hard to regain. How will you reassure your patients about the cybersecurity of your practice afterwards?
If your data is breached, the Office for Civil Rights (OCR) will investigate the breach and will ask for proof that your practice has completed its HIPAA documentation and conducted HIPAA cybersecurity training. It will also ask what you had done to harden the practice against cyber attacks.
How Does It Happen to Orthodontic Practices Data?
- Spear Phishing
Ransomware used to arrive mainly through bulk spam email. As mail systems have become better at filtering spam, cybercriminals have turned to spear phishing: emails crafted for specific individuals.
In spear phishing, the criminals typically register domain names that look legitimate and then send employees emails carrying legitimate-looking attachments or links. For instance, an email may be sent to one employee purporting to come from the orthodontist or from an imaging company, asking them to open an attachment, download a file or click a link.
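The look-alike domains described above can be caught mechanically before a human has to judge them. The script below is an added example, not code from the original article: it folds common homoglyph substitutions (`rn` for `m`, `1` for `l`), measures edit distance to a list of trusted sender domains, and separately flags mail whose display name borrows a trusted brand while the address comes from an unrelated domain. The trusted domains, brand names and sample headers are all constructed for illustration.

```python
"""Triage From: headers for domains that imitate ones the practice trusts.

Added example, not code from the original article. The trusted domains, brand
names, homoglyph table and sample headers are all constructed for illustration.
"""
from email.utils import parseaddr

# Hypothetical senders the practice legitimately hears from, mapped to the brand
# wording an attacker would borrow in a display name.
TRUSTED = {
    "orthosmile-example.com": "orthosmile",
    "imaging-vendor-example.com": "imaging vendor",
}

# Substitutions used to register a domain that reads like the real one.
# Multi-character pairs come first so "rn" folds to "m" before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_homoglyphs(domain):
    """Lower-case a domain and collapse look-alike characters to what they imitate."""
    folded = domain.lower()
    for lookalike, real in HOMOGLYPHS:
        folded = folded.replace(lookalike, real)
    return folded


def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions and substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                  # delete ca
                               current[j - 1] + 1,               # insert cb
                               previous[j - 1] + (ca != cb)))    # substitute
        previous = current
    return previous[-1]


def classify_sender(from_header, max_distance=2):
    """Return (verdict, trusted domain being imitated or None) for one From: header.

    Verdicts: "trusted", "lookalike" (domain is a homoglyph or near-miss of a
    trusted one), "display-name-spoof" (brand in the name, unrelated domain),
    or "unknown".
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown", None
    domain = address.rsplit("@", 1)[1].lower()
    if domain in TRUSTED:
        return "trusted", domain

    folded = fold_homoglyphs(domain)
    for trusted in TRUSTED:
        # Identical after folding, or within a couple of edits (clipped TLD,
        # dropped or doubled letter), counts as an imitation.
        if folded == trusted or levenshtein(folded, trusted) <= max_distance:
            return "lookalike", trusted

    # Domain is nowhere near a trusted one, but the display name borrows the
    # brand: "OrthoSmile Admin <orthosmile.admin@gmail.com>".
    name = display_name.lower().replace(" ", "")
    for trusted, brand in TRUSTED.items():
        if brand.replace(" ", "") in name:
            return "display-name-spoof", trusted
    return "unknown", None


# Constructed sample headers: one genuine sender and several imitation patterns.
SAMPLE_HEADERS = [
    "Dr. Alvarez <dr.alvarez@orthosmile-example.com>",        # genuine
    "Dr. Alvarez <dr.alvarez@orthosrnile-example.com>",       # rn -> m
    "Imaging Support <support@imaging-vendor-examp1e.com>",   # 1 -> l
    "Billing <billing@orthosmile-example.co>",                # TLD clipped
    "OrthoSmile Admin <orthosmile.admin@gmail.com>",          # brand in name only
    "Newsletter <news@unrelated-example.org>",                # unrelated
]


def triage(headers=SAMPLE_HEADERS):
    """Classify each header; anything but 'trusted' deserves a second look."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, imitated in triage():
        note = f"  (imitates {imitated})" if imitated and verdict != "trusted" else ""
        print(f"{verdict:<18} {header}{note}")
```

The edit-distance threshold of 2 is an assumption: it catches a clipped top-level domain or a single swapped letter without flagging genuinely different vendors. A practice would seed `TRUSTED` from the domains it actually exchanges mail with and run the check on the mail gateway, or on exported headers after an incident, to spot which messages warrant a closer look.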
Once a victim opens the email and the attachment or link, the malware infects the computer and begins encrypting its files and folders. It will also spread to any attached drives, backup drives and other computers reachable on the same network.
The attackers then demand a ransom in a cryptocurrency such as bitcoin. Paying is no guarantee of getting the files back: the decryption tool may never arrive or may not work, and attackers who keep a foothold in the network can re-encrypt the restored files shortly afterwards.
Most practices do not even know they have been infected until they can no longer open patient records, or until they see messages demanding a ransom in exchange for a decryption key.
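Because the first sign is usually a locked file or a ransom note, a practice benefits from a cheap early-warning sweep of its file share. The script below is an added example and not part of the original article: it walks a directory and flags three artefacts of an infection in progress (a document whose name has gained an extra extension, a document whose contents are high-entropy and do not carry the magic bytes of a known compressed format, and a small text file with ransom-note wording). The sample share it builds in a temporary directory, the entropy threshold and the keyword list are all assumptions chosen for illustration.

```python
"""Early-warning checks for ransomware activity on a file share.

Added example, not code from the original article. The directory layout, file
names and contents below are constructed in a temporary folder so the script
runs offline; the thresholds are assumptions a practice would tune.
"""
import math
import tempfile
from pathlib import Path
from random import Random
from typing import Optional

DOCUMENT_EXTS = {".txt", ".csv", ".docx", ".xlsx", ".pdf"}
# Formats that are legitimately high-entropy (compressed). Files carrying these
# magic bytes skip the entropy test so x-rays and Office files don't trip the alarm.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"%PDF")
ENTROPY_THRESHOLD = 7.5          # bits per byte; assumed. Plain text sits near 4-5.
RANSOM_WORDS = ("encrypted", "decrypt", "bitcoin", "ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_reason(path: Path) -> Optional[str]:
    """Explain why one file looks like ransomware output, or None if it looks fine."""
    suffixes = [s.lower() for s in path.suffixes]
    # consent_form.docx.locked: a document extension with a new one appended.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and suffixes[-1] not in DOCUMENT_EXTS:
        return f"extra extension {suffixes[-1]} appended to a {suffixes[-2]} file"
    if not suffixes or suffixes[-1] not in DOCUMENT_EXTS:
        return None
    head = path.read_bytes()[:65536]
    # Encrypted in place: document extension, no recognisable header, random-looking bytes.
    if not head.startswith(KNOWN_MAGIC) and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "document extension but contents are high-entropy and unrecognised"
    try:
        text = head.decode("utf-8").lower()
    except UnicodeDecodeError:
        return None
    hits = [w for w in RANSOM_WORDS if w in text]
    if len(hits) >= 2:
        return "ransom note wording: " + ", ".join(hits)
    return None


def scan_share(root: Path) -> dict:
    """Walk a share and return {relative path: reason} for files that look hit."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reason = suspicious_reason(path)
        if reason:
            findings[str(path.relative_to(root))] = reason
    return findings


def build_sample_share(root: Path) -> None:
    """Constructed fixture: a healthy share plus three artefacts of an infection."""
    rng = Random(2024)                                   # deterministic stand-in for ciphertext

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "patient_notes.txt").write_text("Adjustment visit, wire changed. Next visit in 6 weeks.\n" * 40)
    (root / "insurance_claim.pdf").write_bytes(b"%PDF-1.7\n" + b"claim form placeholder text\n" * 100)
    (root / "xray_001.png").write_bytes(b"\x89PNG\r\n\x1a\n" + noise(4096))   # legit compressed image
    (root / "consent_form.docx.locked").write_bytes(noise(4096))             # renamed and encrypted
    (root / "billing.xlsx").write_bytes(noise(4096))                         # encrypted in place
    (root / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Send 0.5 bitcoin to decrypt them.\n")


def demo() -> dict:
    """Build the fixture in a temp directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return scan_share(root)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Run on a schedule against the practice share, a non-empty result is the signal to pull the network cable and start incident response. The magic-byte skip is a known blind spot: ransomware that leaves a file's header intact and encrypts only the body will pass the entropy test, so the extension and ransom-note checks matter as much as the entropy one.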
- Human Error
Computers in your orthodontic practice can pick up malware and viruses when employees download files from the internet to the local hard drive, and cybercriminals are increasingly creative about packaging malware as something people will want to download. Employees can also expose practice data by visiting malicious or compromised websites from a machine on the practice network. Once a virus or Trojan infects one computer, it can spread to every machine on the network.
- Outdated Practice Management System
Outdated practice management software has vulnerabilities that can be used to breach practice data. Just as technology keeps evolving, viruses and malware become more sophisticated year by year, and newer attacks find holes in software that has not received the latest updates or patches.
One of the major risks with older practice management systems is that they store all patient images, x-rays and communications as ordinary files in folders on the server, and employees reach them through links stored in the database. Any user, or any malware running as that user, with access to those folders can corrupt, delete or move the files. Unfortunately, these outdated systems are still in use in many orthodontic practices today.
- Common File formats
Commonly used file formats such as Word documents and PDFs can carry embedded macros or scripts that conceal malicious content, which makes them easy to manipulate and a favourite phishing attachment. They are also exactly what ransomware targets: your practice can be locked out of critical documents such as patient consent forms, checklists and scanned insurance claims.
- Administrative Access
Strong passwords help prevent data breaches, but they only go so far if the user is logged in with administrative rights. Malware runs with the privileges of the account that launched it: on a machine where that account is an administrator, it can reach, encrypt or corrupt every file the account has access to, including network shares and backups, rather than only that user's own documents. Day-to-day work should be done from a standard user account, with a separate administrator account used only when a task requires it.