How the evolution of the dental industry has invited cyberattacks

April 23, 2020
While dental technology can make patient experiences more pleasant, it can also open up offices to cyberattacks. Prerak Patel and Jeff Ford share what dentists can do to prevent these attacks that can cost millions of dollars to repair.

Prerak Patel and Jeff Ford 

Millions of people are afraid of their dentist’s office. This leads to everything from mild anxiety before appointments to complete avoidance. The American Dental Association (ADA) reports that more than one in five adults have not seen a dentist in several years. According to a 2012 study published by the ADA, emergency room dental visits doubled nationwide from 2000 to 2010, from 1.1 million to 2.1 million.

Fortunately, advances in technology are improving patient experiences and easing patient fears. Such things as intraoral scanning, laser dentistry, and 3-D printing minimize discomfort, enable faster recovery, and shorten the treatment process. But what most people don’t realize is that these same advances can make dental offices more vulnerable to cyberattacks. Without advances in cybersecurity, people could end up trading one fear for another. Instead of worrying about drills and needles, they will worry about having their identities stolen.

Cyber-risk associated with advanced technology

Cybercriminals are not afraid of the dental office. A recent attack on a Colorado IT company resulted in hundreds of dental offices becoming infected with ransomware, which prevented them from accessing patient data and systems. This is part of an increasing rate of attacks on health-care providers. The reason is patient data. Patient data contains social security, payment, and other valuable information that can be sold on the dark web for over $400 per patient record. Dentists have a treasure trove of data locked in their networks.

The same devices that deliver improvements in patient care also deliver cybercriminals the keys to unlock the network and steal the treasure. Figures 1 and 2 illustrate this challenge. All of these devices are connected to the network and, therefore, provide gateways into the network if hacked. So, how hard is that?

Unfortunately, hacking into these devices is not difficult at all. Most of these devices are not designed for security and few dental offices make security a priority when it comes to buying and maintaining them. In our company’s work with dental offices, we’ve found that two out of three of their devices have known vulnerabilities that can be exploited, with each providing an easy opening into the network.

The risk to dentists and their patients cannot be overstated. The cost of a data breach in health care averages around $400 per compromised patient record. This means that the cost to clean up a data breach can easily reach millions of dollars and can force small providers to close. For patients, a data breach brings stress, anxiety, and the potential costs of being a victim of identity theft.

Recommended solution

While cybersecurity is a topic that many people find intimidating, there are some simple steps that can be taken to protect dental offices and patients:

Insurance—Consider an appropriate level of cyber insurance and understand what’s covered. For example, many policies do not cover nation-state cyberattacks or attacks by state-sponsored groups. Also, many policies provide incentives, including some cost share to help implement good cybersecurity practices.

Understand risk first—Do not start by buying a technical solution or service. These are often bad investments because they’re not addressing the biggest risks. Worse yet, they may create a false sense of security. While technical tools are important, know that 95% of cyberbreaches are human-enabled and 60% are insider-led. Hence, a holistic understanding of the risk, inclusive of people, process, policy, and technical considerations, is essential. Typically, external IT providers lack sufficient understanding of individual dental offices’ operations to offer robust and holistic solutions. Performing this holistic risk assessment once or twice a year will ensure that dentists are focused on the right solutions for the biggest risks.

Manage risk proactively—Remediate or mitigate vulnerabilities cost-effectively and proactively. Preventive measures offer better payoffs than detecting or responding to an attack. This may include basic cybersecurity awareness and training for the staff, process and policy updates, and good cyberhygiene practices such as strong passwords and multifactor authentication.

For most people, the biggest challenge is knowing how to approach the emerging cybersecurity threat. To ensure good governance of a cybersecurity program, dentists and their administrators need enough knowledge to ensure that the advice provided to them is sound, that the methods and tools offered by vendors, such as the ResiliEye platform, are appropriate, and that a good return on investment is achieved for their efforts.

Authors' note: More information about addressing cybersecurity issues and the ResiliEye platform may be obtained by emailing the authors at [email protected].

Prerak Patel serves as business development associate with ResiliAnt/MediTechSafe, an IoT cybersecurity company. Patel holds a bachelor’s degree in neuroscience from Michigan State University.
Jeff Ford serves as chief commercial officer of ResiliAnt/MediTechSafe, an IoT cybersecurity company. Ford is a senior executive with 20-plus years of experience with GE Aviation and skilled in the areas of sales and support of global customers, lifecycle management of high-technology products, new product development, business development, and the use of data and analytics. He holds a bachelor’s and a master’s in mechanical engineering from the University of Illinois at Urbana–Champaign, and an MBA from Duke.