Prerak Patel and Jeff Ford
Millions of people are afraid of their dentist’s office. This leads to everything from mild anxiety before appointments to complete avoidance. The American Dental Association (ADA) reports that more than one in five adults have not seen a dentist in several years. According to a 2012 study published by the ADA, emergency room dental visits doubled nationwide from 2000 to 2010, from 1.1 million to 2.1 million.
Fortunately, advances in technology are improving patient experiences and easing patient fears. Such things as intraoral scanning, laser dentistry, and 3-D printing minimize discomfort, enable faster recovery, and shorten the treatment process. But what most people don’t realize is that these same advances can make dental offices more vulnerable to cyberattacks. Without advances in cybersecurity, people could end up trading one fear for another. Instead of worrying about drills and needles, they will worry about having their identities stolen.
Cybercriminals are not afraid of the dental office. A recent attack on a Colorado IT company resulted in hundreds of dental offices becoming infected with ransomware, which prevented them from accessing patient data and systems. This is part of an increasing rate of attacks on health-care providers. The reason is patient data. Patient data contains social security, payment, and other valuable information that can be sold on the dark web for over $400 per patient record. Dentists have a treasure trove of data locked in their networks.
Unfortunately, hacking into these devices is not difficult at all. Most of these devices are not designed for security and few dental offices make security a priority when it comes to buying and maintaining them. In our company’s work with dental offices, we’ve found that two out of three of their devices have known vulnerabilities that can be exploited, with each providing an easy opening into the network.
The risk to dentists and their patients cannot be understated. The cost of a data breach in health care averages around $400 per compromised patient record. This means that the cost to clean up a data breach can easily reach millions of dollars and can force small providers to close. For patients, a data breach brings stress, anxiety, and the potential costs of being a victim of identity theft.
Recommended solution
While cybersecurity is a topic that many people find intimidating, there are some simple steps that can be taken to protect dental offices and patients:
Insurance—Consider an appropriate level of cyber insurance and understand what’s covered. For example, many policies do not cover nation-state cyberattacks or attacks by state-sponsored groups. Also, many policies provide incentives, including some cost share to help implement good cybersecurity practices.
Understand risk first—Do not buy a technical solution or service. These are often bad investments because they’re not addressing the biggest risks. Worse yet, they may create a false sense of security. While technical tools are important, know that 95% of cyberbreaches are human-enabled and 60% are insider-led. Hence, a holistic understanding of the risk inclusive of people, process, policy, and technical considerations is essential. Typically, external IT providers lack sufficient understanding of individual dental offices’ operations to offer robust and holistic solutions. Performing this holistic risk assessment once or twice a year will ensure that dentists are focused on the right solutions for the biggest risks.
Manage risk proactively—Remediate/mitigate vulnerabilities cost effectively and proactively. Preventive measures offer better payoffs than detecting or responding to an attack. This may include basic cybersecurity awareness and training for the staff, process and policy updates, and good cyberhygiene practices such as strong passwords and multifactor authentications.
For most people, the biggest challenge is knowing how to approach the emerging cybersecurity threat. To ensure good governance of a cybersecurity program, dentists and their administrators need enough knowledge to ensure that the advice provided to them is sound, methods and tools offered by vendors, such as the ResiliEye platform, are appropriate, and a good return on investment is achieved for their efforts.
Authors' note: More information about addressing cybersecurity issues and the ResiliEye platform may be obtained by emailing the authors at [email protected].
