5 Ways to Identify and Address Security Vulnerabilities

By Erik Eisen, CEO, CTI Technical Services.

A single breach of any of the many cloud-based or internally networked tools, devices, and hardware and software solutions found in the typical dental practice or dental services organization (DSO) can halt thousands of dollars of billings per day.

Add to that the cost of recovery and potential fines related to compliance issues if any of those devices or solutions touches patient information, and the outcome can be financially devastating.

For some, it is insurmountable.

Complicating the security environment for dental organizations is that the myriad of connected and interconnected technologies makes it impossible for a one-size-fits-all solution to adequately protect every mission-critical piece of dental equipment or software. That is why an audit to identify and address security and cybersecurity vulnerabilities is a smart move for dental organizations of all sizes.

A uniquely vulnerable environment

Dental practices and DSOs are highly attractive targets for hackers and other malicious actors. The industry has experienced a 45% increase in data breaches since 2022.

There are several reasons why dental organizations are being targeted. Topping the list is the highly lucrative patient data they hold, including personal, banking, and insurance information, as well as the practice’s own financial and other information. Also at play is a perceived lack of robust security systems and limited employee training in security.

Once underway, the average intrusion runs for 90 days, during which time attackers can plant malicious code, freely explore any accessible data, plan new ways to exploit stolen information, and identify inroads into connected systems outside the practice.

The threat level is high enough that the FBI in May 2024 warned the American Dental Association (ADA) and American Association of Oral and Maxillofacial Surgeons (AAOMS) about a credible, active cybersecurity threat to oral and maxillofacial surgical practices and expressed concern that general dental could eventually be targeted.

In terms of weaknesses, DSOs and dental practices face five primary cybersecurity vulnerabilities: phishing, ransomware, social engineering, fake software updates, and business email compromise (BEC). Security-wise, physical security and access control are the biggest problem areas, while other threats come in the form of financial fraud, insider threats, and identity theft.

The consequences of a successful breach are financial and reputational devastation, recovery from which can take years. If patient records are compromised, dental organizations could potentially face heavy fines ranging from $100-$50,000 for each HIPAA violation—not to mention loss of patient trust.

Ferreting out vulnerabilities

While the best way for a dental practice or DSO to assess its vulnerabilities is to call in an IT professional qualified to identify security and cybersecurity issues, a self-audit can also be conducted by assessing five key areas.

  1. Staff training: Is your team trained in cybersecurity best practices, including how to recognize phishing attempts, the need for strong passwords, etc., and is this training updated regularly?
  2. Security safeguards: Are security measures in place that minimize human errors (e.g., email filters, browsing restrictions, multi-factor authentication, etc.), particularly around patient information access? Are they kept current?
  3. Software patches and updates: Are procedures in place for updating software and systems with the latest patches and updates to protect against vulnerabilities? Are they followed?
  4. Vendor security profiles: Do vendors, partners, or any other entity that may access practice systems have proper cybersecurity and security protocols in place to prevent a breach on their end from impacting the practice?
  5. Business continuity: Is there a business recovery and continuity plan in place to get operations back up and running in the wake of a breach? Is it reviewed regularly and updated as needed? Are staff aware of the plan and trained in its deployment?

The answers to these questions will provide a fairly clear picture of any gaps in the security framework and help determine whether they can be addressed internally or if outside expertise is the better option.

Closing the gaps

Once vulnerabilities have been identified, take action to close them and harden systems against cyber and physical security threats, both to mitigate risk and to ensure the organization is prepared if the worst-case scenario does happen. One of the first steps should be getting staff members trained and ensuring they adhere to security and cybersecurity best practices. From there:

Put in place an incident response plan that outlines the steps for containing a breach, assessing its impact, and notifying any affected parties. The plan should also encompass all HIPAA and other compliance requirements. It should address business continuity as well, or a separate business continuity plan should be created.

Finally, consider partnering with an IT management firm that also provides cybersecurity services to maintain software and devices. Look for a provider:

During the evaluation process, be sure to ask prospects about their response times and disaster recovery capabilities. Also be sure to obtain and check references.

Be prepared

In today’s hostile security environment, it is only a matter of time before a dental practice or DSO is hit by a breach or attack. By hardening technology and establishing security and recovery protocols, the fallout can be minimized so the practice can continue providing quality patient care.
