With most dentists owning and operating their own practices, they wear many different hats besides their scrub caps. From finance and personnel to operations and IT, dentists are inundated with vendors and products that want to help them focus on patient care and make their practices run as efficiently and safely as possible. In today’s connected world, that means a lot depends on cloud applications and connected devices.
The result is that the pursuit of efficiency can become one of the weakest links in a practice’s cybersecurity posture. The headaches can quickly begin if cybersecurity is not brought to the forefront of practice management when vendors are being selected for deployment. Cybersecurity for a prosperous, successful dental practice should not consist of a trip to Best Buy or Costco for one of the $100 antivirus products.
Would your bank allow you to obtain an auto loan for a Ferrari yet only require liability insurance? Of course not, and they’ll probably insist on a monitored alarm or tracking system as well as a secured garage or fenced storage area. Today’s new dental practice is far more valuable than a typical Ferrari. With the connectedness of today’s practices, and the many vendors that help enable that connectedness, it’s fair to say that today’s dental office is more at risk of being attacked via cyberspace than that flashy luxury car is of being harmed by third parties.
New dentists who want to begin their own practices after investing in years of training and schooling must consider certain approaches to cybersecurity, many of which were not an issue just two decades ago. This change during the last 20 years is rooted in the shift from on-premises to cloud-based solutions and their providers.
Ultimately, a dental practice’s cybersecurity stance is only as strong as its weakest vendor. The weaker the vendor, the more detrimental their services are to a practice. Think of this as a ticking time bomb. If large Fortune 100 companies can be attacked and knocked offline via their HVAC software vendor, imagine the damage that a weak, unsecured cloud-based vendor can cause for a single dental office that’s 100% dependent on that vendor for patient data, as well as x-rays and other medical procedures.
Here are some basic and important tips when dentists are ready to select and implement their IT systems for billing, operations, patient care, storage, marketing, email, and more.
Back up your data and practice using your backups
It’s common to find businesses in every industry that pay for and store their data but then find out (when it’s far too late) that something went wrong months or years ago and the backed-up data is either partially missing, unusable, or makes restarting operations difficult or impossible. Even if you’ve found yourself depending on lackluster vendors, if the data is there and usable, you’ve managed to avoid a huge, debilitating hurdle. Additionally, portable devices should be stored separately and not remain connected to the internet or a laptop to prevent infections. Lastly, cloud storage should use strong encryption methods to ensure data protection. Stories like the following on a ransomware attack are becoming too frequent in the news. In August of this year, Eskenazi Medical, an Indianapolis-based hospital, was still recovering data due to a ransomware attack and was not fully operational after a week of addressing the attack. [1]
Select reputable, time-tested partners and platforms
All vendors providing a connected service, device, or storage (or combination of the three) need to provide real-life references. It’s important to talk with other dentists, not those in other industries. After all, an ice cream manufacturing business is going to have different priorities and experiences. Practice owners should ask what service level agreements are available or come standard with their solutions, and why.
Consistently deploy multifactor authentication (MFA)
Every employee with credentials to access any system should use MFA that requires something you know plus something you have (or provide via push technology), such as a code received via text message or email. Weak passwords or credentials that have not changed since deployment are often the root cause of today’s cyberattacks and ransomware incidents. This creates low-hanging fruit that has cybercriminals salivating.
Employee cybersecurity training
From front desk personnel to associate dentists, everyone in a dental practice should have regularly scheduled training to learn how to identify the latest potential attack types and their traits. Using fake voice mails, phone calls, and emails, cyber bad guys stop at nothing to try to gain a foothold by seeking out unsuspecting employees. Some specialized companies provide nothing but customized training, and there are also highly informative video training sessions available for free online. Whichever route you take, this is especially important for new team members.
Cyber insurance is a no-brainer
Despite the fact that some industry voices see cyber insurance as an incentive for cybercriminals to continue their growing number of ransomware attacks, it provides peace of mind and often suggested guidelines for protecting your business. Also, many policies provide incentives, including some cost sharing, to help implement powerful cybersecurity solutions. But note that many policies do not cover nation-state cyberattacks or attacks by state-sponsored groups.
The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, offers its voluntary NIST Cybersecurity Framework, which is composed of five key functions, most of which are relevant to a thriving dental practice. The learning module on the NIST website does a decent job of outlining NIST’s recommendations. [2]
If you’re using highly trusted, capable vendors that prioritize customer service, and if you’re using powerful authentication and ongoing cybersecurity refresher courses or online training, your new dental practice is on its way to avoiding major IT catastrophes. Additionally, it allows dentists to focus on the best possible patient care rather than recovering from an ongoing string of IT setbacks. That translates into more time in the scrub cap and less downtime.
Editor's note: This article appeared in the October 2021 print edition of Dental Economics.
1. Drees J. Indianapolis hospital still on diversion 5 days after ransomware attack. Becker’s Health IT. August 10, 2021. https://www.beckershospitalreview.com/cybersecurity/indianapolis-hospital-still-on-diversion-5-days-after-ransomware-attack.html
2. The five functions. NIST Cybersecurity Framework. Updated May 12, 2021. https://www.nist.gov/cyberframework/online-learning/five-functions
Chris Jordan is a recognized cybersecurity strategist and technologist. He currently serves as cofounder and CEO of Maryland-based Fluency Security.