Thomas Terronez discusses the security of vital practice data
When you think about your day-to-day concerns in your practice, cybersecurity is not likely one of them. If computers are working and no one is complaining, then all is well, right? False. By ignoring cybersecurity risks, you are leaving your practice vulnerable to a cyberattack that could shut down your business permanently through a single incident. To clarify, we are not talking about HIPAA; we are talking about the security of the practice data that is vital to operating your business.
Why is this the other biggest risk to your practice? Practice leadership lacks an understanding of what should be done to protect the practice. Many practices partner with an IT vendor and assume this means they are covered, yet many IT providers do not focus on security, which increases the likelihood of a system being compromised. With cybercriminals more successful now than ever, the scope of a compromise is far worse than it has been in the past.
As a security-focused dental IT provider, we have the advantage of seeing practice risks firsthand. Last year we conducted an assessment in which we analyzed general dentists, orthodontists, oral surgeons, and other specialties. We found that 60% of practices with security vulnerabilities believed they were contracted with a vendor to manage cybersecurity but were not. Based on our assessment and general experience, these are the most common cybersecurity risk points:
- Lack of proper IT security structure
- Not understanding and verifying IT vendor risks
- Lack of staff training
- Insufficient insurance protection
Lack of proper IT security structure
Several factors contribute to a weak IT security structure. In our assessment of cybersecurity, we found that the three most common vulnerabilities were firewalls, backups, and endpoints.
Of practices we assessed, 35% had no firewall. They only had the modem and router that came with their Internet connection. A firewall, also known as a security appliance, is your first line of defense from malicious Internet traffic. Using an enterprise-grade security appliance versus a simple router will help you avoid malicious attacks.
An adequate firewall should have the following:
- Intrusion prevention system (IPS) — continuously monitors Internet traffic to your network and blocks possible malicious incidents and then captures information about them.
- Gateway malware protection — scans and filters Internet traffic for viruses and malicious software.
- Geo IP filtering — blocks all traffic to specific countries or regions.
- Content filtering — controls what type of websites can be accessed.
- Audit logging — records all Internet activity and is vital for security.
If your security appliance lacks any of the preceding features, your practice may be at risk. Note that any product that requires a renewal investment for its improvements and updates is worth it.
Inadequate backup structure and segmentation also contribute to a weak IT security structure. Backing up your data to only a local device allows for it to be compromised through an attack. We recommend a disaster-recovery appliance that is segmented from your normal network. This will securely back up your data off-site to better protect your practice.
Another contributor to weak IT security is missing or free endpoint security software. Of the practices we assessed, 50% used the inadequate free protection that came with their computers. Endpoint security software is an application control that includes antivirus and antimalware functions to secure the devices accessing your network. While complete protection does not exist, enterprise-grade products provide better protection than personal or free offerings.
No proactive system monitoring
If your systems are not proactively monitored, more than likely the only time you pay attention to them is when something is not working. This reactive approach not only puts you at risk but also increases your expenses. Well-executed compromises or attacks do not affect system function until their damage is done, possibly leaving your practice inoperable.
A lot of compromises are multistep and can be prevented if your network and devices are proactively monitored. Monitoring your systems can save you from a potential breach and ensure your data backups are performing effectively. Protecting your patient data is not only important to you — it is important to your patients. They need to know their privacy is being protected.
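The backup-monitoring point above, and the earlier recommendation to keep backups on a segmented, off-site appliance, both depend on someone actually confirming that the backup job ran and that the copy is intact. The following is an added example, not code from the original article or its author, of the kind of automated check a monitoring host can run on a schedule: it verifies that a backup set is recent and that each file still matches the checksum recorded when the backup was taken. The directory layout, the manifest.txt format (one "sha256 filename" line per file, like sha256sum output), the 24-hour freshness window and the file names are all assumptions made for this example; the sample backup sets are constructed in a temporary directory and contain no real data.

```python
"""Proactive backup health check (added example; assumptions noted inline)."""
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 24 * 3600  # assumed policy: a backup older than one day is stale


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backup_set(backup_dir: Path, now: float | None = None) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one backup directory.

    Assumed layout: manifest.txt holds one "<sha256>  <filename>" line per
    backed-up file, and its modification time is the time of the last run.
    """
    now = time.time() if now is None else now
    findings: list[tuple[str, str]] = []
    manifest = backup_dir / "manifest.txt"
    if not manifest.exists():
        return [("CRITICAL", "no manifest.txt: backup set cannot be verified")]

    # Freshness: a job that silently stopped running is as bad as no backup.
    age = now - manifest.stat().st_mtime
    if age > MAX_AGE_SECONDS:
        findings.append(("CRITICAL", f"last backup run was {age / 3600:.1f} hours ago"))

    # Integrity: every listed file must exist and hash to the recorded value.
    for line in manifest.read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split(None, 1)
        target = backup_dir / name
        if not target.exists():
            findings.append(("CRITICAL", f"{name} is listed in the manifest but missing"))
        elif sha256_of(target) != expected:
            findings.append(("CRITICAL", f"{name} checksum mismatch (corrupted or altered)"))

    if not findings:
        findings.append(("OK", "backup set is fresh and every file verifies"))
    return findings


def worst_severity(findings: list[tuple[str, str]]) -> str:
    """Collapse findings to a single status that a dashboard or alert can act on."""
    return "CRITICAL" if any(sev == "CRITICAL" for sev, _ in findings) else "OK"


def make_demo_backup(root: Path, name: str, stale: bool = False,
                     corrupt: bool = False, missing: bool = False) -> Path:
    """Construct a sample backup set (constructed demo data, not real records)."""
    backup_dir = root / name
    backup_dir.mkdir()
    data = backup_dir / "practice-db.bak"
    data.write_bytes(b"constructed sample backup payload\n")
    (backup_dir / "manifest.txt").write_text(f"{sha256_of(data)}  practice-db.bak\n")
    if corrupt:   # content changed after the manifest was written
        data.write_bytes(b"altered payload\n")
    if missing:   # file vanished after the manifest was written
        data.unlink()
    if stale:     # pretend the last run happened three days ago
        old = time.time() - 3 * 24 * 3600
        os.utime(backup_dir / "manifest.txt", (old, old))
    return backup_dir


def run_demo() -> dict[str, str]:
    """Build four constructed backup sets and return the status of each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sets = {
            "good": make_demo_backup(root, "good"),
            "stale": make_demo_backup(root, "stale", stale=True),
            "corrupt": make_demo_backup(root, "corrupt", corrupt=True),
            "missing": make_demo_backup(root, "missing", missing=True),
        }
        return {label: worst_severity(check_backup_set(path)) for label, path in sets.items()}


if __name__ == "__main__":
    for label, status in run_demo().items():
        print(f"{label:8s} {status}")
```

The point of the three failing cases is that none of them would be noticed by a practice that only looks at its systems when something stops working: a backup job that quietly stopped, a copy that was altered after it was written, or a file that was deleted all leave the practice software running normally until the day a restore is needed. Run a check like this from a monitoring host that reads the backup location, not from the server being backed up, so that a compromise of the production network cannot silence the alert.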
Not understanding and verifying IT vendor risks
All practice owners should trust their IT vendors but always verify their work to ensure they are properly doing their job. The problem is practice staff lacks understanding of what risks to verify. Here are four simple requirements you should have for your IT vendors:
- Require that they use two-factor or multifactor authentication on all their software systems. If IT vendors do not do this and a malicious actor obtains a password in use by any employee, the attacker may be able to obtain full access and compromise your whole system. It is best practice to have this documented in case an incident occurs.
- Ensure client backup tools are not controlled by or manageable through their remote management tools. It is convenient to manage everything from one location; however, if that location becomes compromised, it creates one large vulnerability point and puts your practice at risk. This should also be documented for your records.
- Confirm that they have a third party conduct penetration and vulnerability testing on their systems at least annually. If cybersecurity is not your IT vendor’s core business, they should pay experts to try to gain access to their systems. This testing needs to be completed at random to ensure their company’s security, and it allows them to see where their vulnerabilities are and make the appropriate improvements. Many IT vendors do not do this because it is expensive and they assume they are not a target. However, what cybercriminal wouldn’t want to gain access to multiple clients’ data by hacking one IT vendor? With the average cost to recover from a security breach at $429 per patient, your IT providers should be doing everything they can to ensure you are protected. You should obtain a summary of the cybersecurity reports for your documentation, confirming that this is happening throughout your partnership agreement.
- Verify that they have adequate insurance to pay your associated fees and compensate your practice for business interruption if they are at fault. Good IT vendors will have their own coverage, which should cover the gaps in your practice’s cyber policy. As always, ask for documentation of their coverage for your records.
Lack of staff training
Cyberattack trends and approaches change daily, with constant new methodologies being created to ensure their hacks are actively working. Cybercriminals will never miss the opportunity to capitalize on human emotion. Even with a decent IT security structure, your staff can allow compromises.
For example, COVID-19 provided hackers with easy access through phishing emails sent to staff members, posing as world health organizations providing critical updates. Since practice staff often lack understanding of cybersecurity, they unintentionally let hackers in.
While HIPAA training touches on cybersecurity, it is not adequate for this in-depth, diverse topic. Enrolling your staff into cybersecurity training and testing should be mandatory. This should be conducted at least annually; however, we recommend this is completed quarterly.
Insufficient insurance protection
Practices frequently lack cybersecurity insurance. Cyber liability insurance covers financial losses that occur from data breaches and other cyber events. If your IT vendor does not have this coverage, you might be responsible for any related expenses should a cyber incident occur at your practice.
It is not a default policy for practices, but a good insurer will bundle it with other coverages. It’s important to note that some policies exclude self-inflicted or vendor-inflicted incidents. Cyber liability insurance should not contain exclusions for staff (self-inflicted) errors and should protect you in worst-case scenarios, including lost revenue. The IT world has seen several cybersecurity firsts involving dental organizations in the last year; you can no longer think it won’t happen to you.
In the last year, over 600 practices were compromised and shut down because of their IT vendors. This left most of the practices inoperable with no access to their data for several weeks and some several months. Most of the incidents could have been prevented if the IT vendors had two or multifactor authentication in place for their remote access software.
These recent incidents show that poor preparation leads to the worst outcomes. Taking a proactive approach to cybersecurity to minimize your risks will pay dividends, and you will likely never know its true value because you will not face a major compromise. However, if you take a reactive approach to cybersecurity, it may be impossible to recover from a single incident.
Prevention can never be 100%, but you should take the steps to minimize risk as much as possible. Your practice is your livelihood and should be protected the same way. While you may like your current IT providers because the company supports you well, taking their word is not enough when it is your business and primary source of income. Trust your IT providers, but always verify that they are properly protecting your business. With cyberattacks on the rise, don’t let cybersecurity be a risk to your practice.