The rush for HIPAA compliance in the 2010s set the Dental Industry up for failure in IT security moving forward. The “Great HIPAAning” did one of two things to most industry members: It either fatigued them to any discussion of related topics such as IT security, or it caused industry members to go through processes which only provided a false sense of security.

Admit it:

You’re sick and tired of the word ‘HIPAA’. No judgment, so am I.

Let’s table the word ‘HIPAA’ and just discuss the subject of IT Security. No laws, no regulations, just what’s best for your business – your livelihood.

2023 has delivered a dizzying list of high-profile security incidents, including: 23andMe, The Indian Council of Medical Research, and in our own industry, many dental offices, manufacturers, and distributors. It is easy to think that these incidents only happen to major companies, but the reality is that they happen every day in businesses of every size.

Your dental practice is the ideal target for bad actors and hackers. The combination of valuable information in your systems (SSN, DOB, medical history and records, prescription information, family names, good contact information – basically dossiers on each of your patients), and the relative ‘soft’ underbelly of a small business is enough to make the bad guys start salivating.

“But we have insurance.”

Let’s get this notion out of the way right now. Traditional insurance won’t touch cyber incidents, costs associated with data, or breach notification costs. If you purchase Cyber Security Insurance, you are still responsible for doing what is “reasonably required” to protect your data. Claim denials do happen because of failures to maintain minimum adequate security standards, and if you decide to just ignore known security threats, your insurance company can easily deny a claim.

Material costs of an IT incident rack up quickly: Operational downtime, notification costs, possible ransoms, and the cost to return to normal business in general can take a profitable quarter or year and turn it on its head – even with insurance.

In addition to monetary costs, there’s the issue of your reputation. You’ve worked hard for your 5-star ratings and stellar reviews; don’t put yourself at risk of tarnishing a reputation by being complacent about IT security or continuity.

You don’t need a degree in IT Operations to understand and make sense of the threat landscape present in the world today. However, you and your staff must first acknowledge that you have a role in the IT security of your practice. Each time you touch a computer, pick up the phone, or leave a patient alone with a computer, you create exposure. If you and your staff understand that you have a role in IT security, training is crucial.

User training is the single most important thing you can do because, contrary to what TV and the movies would have us believe, ‘hackers’ don’t usually brute-force their way through a router or firewall. That’s too much work, or requires too much expertise. Instead, a moderately resourceful bad actor prefers to attack the least secured resource in your practice: the humans. Social Engineering is the concept of deceiving a person into divulging information, granting access, installing a piece of software, or otherwise compromising the security of themselves or an organization. Social Engineering is the number one attack vector against small businesses.

Even if you engage with a company to provide IT services, there is a limit to how much protection they can put in place to protect you and your staff from Social Engineering. To prevent users from being able to fall victim to these attacks completely, your IT department would need to lock down your computer systems to the point of being uncomfortable. (As an IT person, I would suggest this anyway, since your first duty is to your staff being able to do their job, and to being profitable, not to making your staff ‘comfortable’ through access to social media and the like. See: “This is a business”, below.) So, what do these threats look like, and what can be done to mitigate them?

Phishing: Phishing is the act of sending emails that are urgent in appearance, seem legitimate based on appearance, are just-specific-enough, and [most importantly] have a call-to-action. This call-to-action is typically a link of some sort – likely one that would require a sign-in by the user. The ‘link’, however, is to a webpage hosted by the bad actor. If a staff member receives one of these and clicks the link, they’ll see a login page, and may enter good credentials – that go right to the bad guy. The bad guy now has a username and password (presumably for the email account) that they can use to compromise and view the contents of that mailbox, and send messages from it… to your patients, whose emails and information are likely in the sent items and inbox of that account!

Phishing Training: Train users to trust nothing, avoid clicking links (especially in emails), and only interact with known parties on known subjects (these attacks can come from known contacts whose accounts have been compromised.)

Mitigation/Prevention: Strong security on your email (not just local antivirus) – this is usually part of any professional business-grade email. This topic deserves a whole article, but you can take two crucial, immediate steps: First, stop using free email services to run your business. They’re not professional in appearance, they’re insecure, and using free email accounts for business purposes is against the terms of service of most free email service providers. Second, turn two-factor authentication on for any service that will let you – not just email.

Whaling: Whaling is basically phishing on steroids. Instead of just blasting out generic calls-to-action, whaling goes after specific members of your organization by name and job role. For instance, if the bad actor finds out the name of your accountant or someone with finance access (through sites like LinkedIn), they may focus their attacks on that person.

Tech Support Scams: We’ve all had it happen. You’re browsing the internet, click one bad link, and suddenly your screen is filled with pop ups. These days, these pop ups are typically a very forceful call-to-action: “There’s a problem with your system and you need to call Microsoft at this number right now.” (How nice of them to provide the number for you, right?)

You know where this one is going: a staff member calls the number, and ‘Microsoft’ (in reality, a call center operated by bad actors) picks up. The bad actor walks the staff member through getting the bad actor remotely connected to the machine, and the rest is … a breach.

Training: The only person a staff member should ever call for a computer problem is your designated IT support person, and there should be very strict methods by which they can gain remote access.

Mitigation/Prevention: A good IT vendor will monitor systems for unknown or third-party remote access tools, but by the time they get an alert, it may be too late. These bad actors use industry standard remote tools! The best solution is to prevent your users from being able to execute this action on their own. (See: “This is a business”, below.)

LAN Access: This is a generalized category of threat that has more to do with the way your network and computers are set up. Unknown parties having physical or Wi-Fi access to your sensitive network segment is dangerous. With physical access to the network or computer hardware, bad actors can at best disrupt network functionality or at worst gain access to your data. This threat is sometimes innocent as well – a 3rd party comes in to install a piece of hardware and unintentionally causes issues with your systems or provides unintended public access via Wi-Fi.

Wi-Fi presents a silent but significant threat as well. Staff often connect personal devices to the office’s private Wi-Fi. For purposes of Wi-Fi security, all personal devices (even those of the practice management and owner!) should only connect to your guest Wi-Fi segment. Many offices lack this crucial segmentation between a ‘Private’ and ‘Guest’ Wi-Fi network, and Wi-Fi keys are rarely if ever changed on most environments.

Mitigation/Prevention: Be vigilant about who and what you allow to connect to your network. Always inform the person managing your IT and security if anything in your environment is changing or being added by 3rd parties, and give the person responsible for your IT and security the first right of refusal to engineer the solution.

Be diligent in understanding what Wi-Fi networks are present in your physical space, what network segments they are making available, who has access to the security keys, and who those keys are given out to. Regularly change the wireless security keys (annually is a good idea). Exclude staff members from the ‘private Wi-Fi’ – their phones will work just fine on the ‘guest’.

Don’t leave patients unattended in rooms without locking computers; a savvy person with just a few minutes alone in an exam room, with a logged in computer and practice management has more than enough time to find a patient list and export it. (Tip: Win Key + L is a quick way to lock a computer.)
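Win Key + L depends on staff remembering to press it. The following is an added example (my own, not the article’s or the author’s) of enforcing an automatic lock on an idle Windows workstation through the “Interactive logon: Machine inactivity limit” policy, and then checking that the setting is in place. It assumes an elevated PowerShell session on Windows 10/11; the 300-second timeout is a chosen value, not one the article specifies.

```powershell
# Added example (not from the article): make an exam-room PC lock itself
# after a period of no keyboard/mouse input, as a backstop for Win+L.
# Assumes an elevated PowerShell session on a Windows 10/11 workstation.
# $timeoutSeconds is an assumed value; pick what your workflow tolerates.

$policyKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeoutSeconds = 300   # 5 minutes

function Set-InactivityLock {
    param([int]$Seconds)
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # InactivityTimeoutSecs backs the "Interactive logon: Machine inactivity
    # limit" security policy; Windows locks the session once no input has
    # been received for this many seconds.
    New-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
        -PropertyType DWord -Value $Seconds -Force | Out-Null
}

function Test-InactivityLock {
    param([int]$MaxSeconds)
    $current = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if ($null -eq $current -or $current -eq 0) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'No inactivity lock configured' }
    }
    if ($current -gt $MaxSeconds) {
        return [pscustomobject]@{ Compliant = $false; Reason = "Timeout of $current s exceeds $MaxSeconds s" }
    }
    return [pscustomobject]@{ Compliant = $true; Reason = "Locks after $current s of inactivity" }
}

Set-InactivityLock -Seconds $timeoutSeconds
Test-InactivityLock -MaxSeconds $timeoutSeconds | Format-List
```

In a domain environment the same value is better pushed by Group Policy so a local change cannot quietly undo it; the `Test-InactivityLock` check is still useful as a spot audit across workstations. Try the setting on one test machine first, since a lock that fires mid-procedure will be switched off by staff if the timeout is too aggressive.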

This is an incomplete list of threats. A complete list could fill a book, and it would be out of date quickly. These are just a few of the things that are easily solved with some training and action. A regular (genuine) risk assessment is a good way to figure out what your organization can solve next.

This is a business: You can do a lot of good simply by treating yourself and your IT systems like a business. We have a saying at our firm: “What would Coca-Cola do?” It’s a reminder for us to always be delivering enterprise-level IT. Big businesses may have a lot more resources to tackle security issues, but something as simple as changing your frame of mind can have a tremendous impact on your business’s security and continuity. A few examples: Don’t grant too many rights to users in Practice Management and IT Systems, and audit those rights regularly. Actively restrict user access to portions of the internet that are not necessary for your business, such as personal email and social media. Don’t exempt your own workstation from these restrictions either. (These should not be seen as punitive, but as preemptive ‘safety nets’ for your business against innocent mistakes.)

As an IT vendor, I have a desire to lock down systems to the bare minimum necessary access; however, that often draws objections from client staff members. Decide, as a business owner or executive, the level of IT restrictions you want in place for your organization and have them implemented. Interestingly, many popular practice management platforms require that users be local administrators of their workstations, an IT no-no. Speak to your software vendor about this issue.
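Both the “audit those rights regularly” advice above and the local-administrator problem come down to knowing who actually holds admin rights on each workstation. The following is an added example (my own, not the article’s or the author’s) that lists the members of the local Administrators group and flags any that are not on an approved list. It assumes Windows 10/11 with the built-in LocalAccounts module; the approved names are placeholders for your own.

```powershell
# Added example (not from the article): audit local Administrators membership
# on this workstation and flag unexpected members for review.
# Assumes Windows 10/11 with the LocalAccounts module (PowerShell 5.1+).
# $approvedAdmins holds placeholder names; replace with your own list.

$approvedAdmins = @('Administrator', 'PRACTICE\IT-Admins')   # placeholders

function Get-LocalAdminFindings {
    param([string[]]$Approved)
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        $isApproved = $Approved -contains $m.Name
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $m.Name              # local or DOMAIN\name
            ObjectClass = $m.ObjectClass       # User or Group
            Source      = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD
            Finding     = if ($isApproved) { 'Approved' } else { 'REVIEW: unexpected admin' }
        }
    }
}

$report = Get-LocalAdminFindings -Approved $approvedAdmins
$report | Format-Table -AutoSize
# Keep the CSV as evidence for the next audit (and for your insurer).
$report | Export-Csv -Path "$env:COMPUTERNAME-local-admins.csv" -NoTypeInformation
```

Run it across all workstations (for example with `Invoke-Command` over PowerShell remoting) and compare the CSVs over time. Where a practice management vendor genuinely requires local admin, the report documents that exception explicitly instead of leaving it as an unknown, which is the point the paragraph above makes about deciding the level of restriction deliberately.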

Finally, find a qualified IT service provider to fulfill your organization’s needs. Not all IT vendors are created equally, and you should look for someone with a full suite of services, not just on site or project work. Monitoring, backups, antivirus, helpdesk, disaster recovery, and compliance assistance are just some of the services you should expect from this vendor. Trust but verify that your IT services provider is doing what they say they do.

Technology is a vital part of Dentistry now more than ever. Move past “The Great HIPAAning” and understand that the HITECH side of things is there to get you thinking about IT best practices. You shouldn’t take care of your IT security and best practices because it is legislated – you should do it because it is in the best interest of your patients and your bottom line.

Author: Levi Shores