While cyber attacks are often seen as a problem for governments and big business, dental practices can be just as vulnerable given their often lax approach to security. Cameron Cooper reports.
Aylin Najarian knows just how bad it can get when a dental practice is the victim of a ransomware attack.
Now the practice manager at The Dental Practice in Burwood, Sydney, she recalls the emotional and financial fallout that occurred when working in a previous role for another practice that suffered at the hands of fraudsters.
“One morning we came in and there was nothing on our computers,” she says. “We lost all patient and staff records, X-rays, plus booking, scheduling and treatment details. They took the lot.”
The shell-shocked owner of the practice agreed to pay the scammers $20,000 to release the data, only for the cyber crooks to ask for more money. Management ultimately called in a cybersecurity firm to assist, but even then the ordeal took about six months to play out and some stressed staff and patients left the practice.
“We genuinely thought we could get all that data back,” Najarian says. “But the fraudsters just wanted more and more money.”
Complacency can be costly
The experience of Najarian’s former practice, which she did not want to name, is a reminder that taking a ‘this can’t happen to me’ approach comes with many risks.
Smaller businesses such as dental practices can be a target for cybercriminals because they are profitable and have valuable patient data, but at the same time they rarely have in-house cybersecurity resources or sophisticated anti-fraud procedures.
“They’re an easy target,” says Andrej Petkovski, founder of Osmicro Networks, a technology solutions consultancy that assists many dental practices. “Unlike larger enterprises, they typically don’t have cybersecurity plans and budgets, so there’s really no focus on the risks.”
The key cyberthreats facing dental practices include:
Ransomware—software infects a computer or device and blocks users’ access to it until a fee is paid.
Use a virtual private network, or VPN, to encrypt all data, and scan devices for viruses and ransomware.
Phishing—scammers send emails pretending to be a reputable business in order to steal financial or personal data.
Keep anti-virus software up to date and encrypt data.
Malware—malicious software is embedded in computers to gain access to or damage a computer or device without the victim’s knowledge.
Install antivirus software and urge staff not to click on dodgy links or download suspect documents.
Business email compromise—fraudsters break into an email account and trick victims into sending money or sensitive data to the fraudster’s account.
Educate employees to be suspicious of dubious correspondence.
While there are specific technology solutions to help dental practices, Petkovski advises an initial three-step approach to combat risks.
First, adopt a mindset acknowledging that cybersecurity threats are real and that the practice must protect its patients. Second, choose technology solutions providers with a proven track record of assisting dental practices and who can do a comprehensive security and network assessment as a starting point. Third, set aside a modest budget for best-practice cybersecurity and IT set-ups, rather than relying on a friend or a family member to manage IT networks.
By taking advantage of existing software applications, Petkovski says the implementation of robust security defences need not cost a lot of money.
“Dentists and other small business owners have this misconception that cybersecurity is costly, and they’ll have to buy all these expensive firewalls, which is untrue. Ninety-five per cent of the things you need are already provided by Microsoft software on your computer. You just have to know how to apply them correctly.”
Dr Craig Duval, owner of Sherwood Dental in Brisbane, has taken clear steps to protect his business and clients, outsourcing IT support to Teamwork Technology and putting in place cyber-safe measures.
For example, as part of inductions, staff are advised of strict email protocols. Only PDFs and Word and Excel documents from trusted sources can be opened. “I’m not saying staff won’t ever breach that rule, but they know the guidelines,” Dr Duval says.
In addition to typical firewall security and server scans, the practice does daily backups to a local drive and the cloud. It also conducts regular recovery tests to ensure the backups can be retrieved. “I get to sleep at night because of that,” he says.
Sherwood Dental has business insurance that includes coverage for ransomware attacks, and it does not store credit card details in patient files. As a further line of protection, Dr Duval gets his team to print out daily patient reports, and keeps physical copies of HICAPS slips and patient payment details just in case there is a digital data breach.
Such measures provide peace of mind, according to Dr Duval, who adds that “a head-in-the-sand approach is fraught with danger”.
Prevention is the best cure
A number of common actions can leave dental practices exposed to cyber threats. For example, data can be compromised by leaving a USB stick with business information in a bar or restaurant, or letting children access a laptop or smartphone. Likewise, staff working from home can jeopardise security if they send confidential work information via an open email platform such as Gmail and Hotmail without appropriate security provisions.
Petkovski says in addition to external hacking threats, dental practices need to be aware of the threat that their own staff can pose—either through ignorance of appropriate cyber safety practices, or via malicious actions whereby staff extract data and pass it on to another practice. “Humans are the biggest vulnerability,” he says.
With clients, his team conducts regular phishing tests, sending out bogus emails to see who clicks on them. The idea is not to blame offending employees, but to educate them.
When she joined The Dental Practice in 2018, Najarian brought Osmicro on board to oversee the practice’s IT and cybersecurity functions. One of the simple but effective measures it has introduced is ensuring staff members have individual log-in credentials for computer and email access to restrict what types of data or information they can download.
“It just takes one staff member to do the wrong thing or click on the wrong email for us to have a problem,” Najarian says.
Having experienced no cyber incidents at her new practice, Najarian urges other practices to take the threat seriously.
“The message I’d say is that it’s worth it to go with an experienced cybersecurity company that can secure your data.”