Over the past 20 years, an evolution in computer technology has taken place in the dental practice. Computers were previously used only for basic record keeping and billing. Then came the progression from billing to appointment scheduling, digital radiography, charting, and now, to digital dentistry. As the amount of data stored in systems has increased, so have the frequency and sophistication of cyberattacks. The days of simply relying on a firewall and antivirus software to protect the practice’s network and patient data are over. The reality is, if these devices were so effective at protecting networks from breaches, there would be no data breaches.

Cyberattacks have shifted dramatically in the past 12 to 18 months, and now, more than ever before, hackers are setting their sights on healthcare entities. The frequency and severity of these attacks have increased, and practices of all sizes are being impacted. These ransomware and malware attacks can shut down and compromise networks, resulting in an inability to access patient records and loss of revenue.  

IT companies are not cybersecurity companies. IT organizations typically partner with a cybersecurity company to independently audit its work. It is extremely critical to understand that IT companies cannot audit their own work. It takes the expertise and knowledge of a cybersecurity company to help ensure the security of the network. 

In speaking with numerous dentists, it is apparent that ransomware attacks have been impacting this community. The unfortunate mistake that practitioners make is that they have their IT company “clean it up and restore their data.” What if, as part of or prior to the attack, a practice’s data was stolen from their network and is being bought and sold on the Dark Web (the black market of hackers), and the practice did not report the breach to the Office of Civil Rights (OCR)?

The practice could be subject to massive fines for the lack of reporting. If a dentist’s office falls victim to a ransomware attack or other possible breach, there are steps that the practice and its IT company must follow to determine if electronic protected health information (ePHI) was compromised. This often involves hiring a forensics company and working with a cybersecurity company to harden the practice’s infrastructure. What we have typically seen is that if you were the victim of an attack once, you will most likely be a victim again because of vulnerabilities in your network that enabled the attack vector or payload to infiltrate your system. To recover from the attack, you cannot simply restore your data and hope for the best. 

To secure your network and combat against these sophisticated attacks, a dentist needs to implement four key pillars of cybersecurity. These pillars are cybersecurity audit, cybersecurity awareness training, vulnerability scanning, and penetration testing.