How Hackers Can Hold Your Dental Practice for Ransom
Dr. Robert (Bob) Patterson had been practicing dentistry for 17 years in Oceanside, CA. Nothing in his career would prepare him for November 7th. When he turned on his computer, he was greeted by the following message: “Your files are encrypted. To decrypt them, you have to pay $1,000 dollars by November 7th at 1:30 P.M. If you don’t pay by then, your fine will double. If not paid after that, all your files will be deleted.”
His staff had the same message on their computers. Dr. Bob was on lockdown and only 30 minutes away from his first patient and procedure. He immediately picked up the phone and called his software provider. They told him that the hacker had gotten through his firewall. Fortunately, Dr. Bob had everything backed up, but it would take 2 days to install everything from scratch, so Dr. Bob had no other choice but to pay the hacker $1,000 in Bitcoins (the untraceable currency of the internet) to get his system unlocked and his practice back up and running.
A hacker’s #1 means of profiting from a dental practice is holding the practice’s access to essential software for ransom, then promising to release it back to the dentist for thousands of dollars. Hackers are also targeting dentists and other healthcare professionals because these practitioners hold sensitive data on individual consumers that hackers can profit from, such as social security numbers and payment information. This data can be combined with information hackers have obtained from other sources to put together the whole picture and commit identity theft. In addition, if the data pertains to celebrities or public officials, then that information can be used to ransom or exploit them as well, especially if it is information that alters their public personas.
Dr. Bob had to inform all of his patients that their personal data had been compromised in order to be in compliance with HIPAA. Even though the ransom was paid, there was no guarantee that the hacker wouldn’t exploit the patients through use of their personal info.
According to the Department of Health and Human Services, 1 out of 3 data breaches occurs in the healthcare industry, making it the most targeted industry at 33% of all breaches. Since 2009, over 21,000,000 health records have been compromised. Dentists represent around 20% of the hacking victims and are an easier target for cyber criminals than medical doctors. This is because they tend to be owner-practitioners rather than members of a group with a larger IT infrastructure that is protected by more robust cyber safeguards.
Dr. Bob implemented two changes based on his experience:
- He had his IT and software system audited by cyber security specialists. They recommended setting up a better and faster backup system so that if this ever happened again, Dr. Bob could reinstall the software and history on new servers in minutes rather than days.
- Dr. Bob also obtained cyber liability insurance as part of his business insurance. He was able to finally rest easy, knowing cyber liability insurance protected his practice from financial loss due to ransom and liability claims around a patient’s financial and personal information being used or compromised.
The 5 easiest ways hackers can gain access to your dental practice software or individual work stations are:
This malicious software deploys robots/spiders to attack and find an opening or pathway into the dental practice’s system. Once they have bypassed the firewall, the hacker can take control of the information and the server that it is hosted on. Once in control, they encrypt (lock) all the information, denying access to anyone who does not have the key (code) to unlock it.
Weaknesses in New Versions of Software
New software releases sometimes have weaknesses in the coding that allow hackers to gain access. When a hacker finds an inadvertently created “backdoor,” they tell other hackers, who in turn look for other businesses using the same software and target them as well. This launches an army of hackers with only a small window of time in which to get in and get out before the software provider discovers the backdoor and shuts it down.
When unauthorized users are allowed on an individual workstation or computer to browse the web, access email, etc., there is a chance they can infect your system. The person who used your computer or another employee’s computer is most likely unaware that by logging in with their information via your computer, they are a carrier of malware and trojan horses that bridge their way from one system to another to infect it.
Easy to Hack Usernames and Passwords
Many modern programs measure password strength and will require that passwords include a variety of capitalized letters and symbols to make them harder to decode. Passwords that are easy for you to remember are most likely easy for a hacker to guess, find, or replicate quickly. Making your credentials complex and changing them frequently helps prevent hackers from gaining access.
Visiting Unsecured or Offshore Sites
Through these avenues, malware and trojan horses can more easily enter a workstation and eventually the dental practice’s software system. Making sure employees don’t visit unsecured or offshore sites can help prevent hitchhikers from attacking your system. Look for an “https” to the left of the web address to quickly check if the connection is secure.