If you’re concerned about ransomware attacks, your fears aren’t unfounded. We all too often see cybersecurity failures featured in the nightly news, and we know that health care is the No. 1 industry affected by these attacks.
Here are a few important facts to consider.
- In 2020, the number of successful attacks in the health care field more than doubled.
- Large or small, all health care providers are targets for these attacks.
- It is conservatively estimated that more than 50% of all breaches reported by dental offices over the past two years were caused by ransomware attacks.
- 91% of all ransomware attacks enter your network through disguised emails.
The good news is that you can deal with this threat. You simply need to follow three cybersecurity steps – assess, adjust and repeat – outlined here:
1. Assess
The first step in protecting your office from a cyberattack is to have a proper risk assessment completed.
A proper risk assessment will identify and lay out a logical plan to address any adjustments necessary to protect your network. It also fulfills a major HIPAA requirement of an assessment being performed on your office’s network at least once annually. If a recent, proper risk assessment is not on file in your office, you are not HIPAA compliant. See this article for more information: Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements.
If done properly:
- The assessment will be completed remotely to avoid disturbing workflow within your office.
- It will take a deep dive into your network to assess everything from your email carrier to your server, your workstations, your backup, and your recovery plan.
- It will determine the level of security you presently have and identify where it is lacking.
- The results of the assessment will be reviewed with you in detail to ensure that you understand the findings.
- A management plan will be provided detailing the steps that should be taken to address any and all areas of deficiencies.
- A copy of the risk assessment and management plan must be provided to your office to be HIPAA compliant.
2. Adjust
Next you must make adjustments at your practice to address security issues identified in the assessment. The list below includes areas of your practice that may require adjustments for cybersecurity purposes.
Emails:
- Keep in mind that 91% of all ransomware attacks come through emails.
- Your emails are stored in the cloud and need to be protected. Not all carriers provide the encryption required by HIPAA to protect your emails.
- Email carriers vary greatly in their efficiency in filtering out emails that contain known viruses and ransomware.
Firewalls:
- A freestanding, business-class firewall is the minimum requirement to be compliant.
- Anything less will not include the security subscription that keeps pushing out updates to the antivirus and antimalware programs built into a business-class firewall.
Antivirus:
- All computers where Protected Health Information (PHI) is stored are required to be protected by an active, enterprise level antivirus. A business class level of antivirus solution will continue to push out updates against the newest threats.
- A proper risk assessment will scan all computers on your network looking for PHI that may be stored unknowingly on workstations, so that you can move or delete it for better protection.
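The PHI discovery scan described above can be illustrated with a small scanner. This is an added example, not the assessment tool the article describes: it walks a folder, reads plain-text files, and flags lines matching a few illustrative PHI identifier patterns (SSN, labelled date of birth, labelled medical record number); the sample file it creates is constructed, not real patient data.

```python
import re
from pathlib import Path

# Illustrative PHI identifier patterns (an assumption of this example, not the
# article's tool). A production scan would cover more identifier types and
# tune each pattern to limit false positives.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "date_of_birth": re.compile(
        r"\b(?:DOB|Date of Birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "medical_record_number": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

def find_phi_indicators(text):
    """Return a list of (kind, matched_text) for every PHI indicator in text."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits

def scan_tree(root, extensions=(".txt", ".csv", ".log")):
    """Walk root and map each file path that contains PHI indicators to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = find_phi_indicators(text)
            if hits:
                findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stray export left in a workstation's Downloads folder.
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "Downloads" / "claims_export.csv"
        export.parent.mkdir()
        export.write_text("Jane Doe, SSN 123-45-6789, DOB: 04/12/1980, MRN 00123456\n")
        (Path(tmp) / "notes.txt").write_text("Staff meeting Tuesday at 10.\n")
        for file, hits in scan_tree(tmp).items():
            print(file)
            for kind, value in hits:
                print(f"  {kind}: {value}")
```

Files flagged by such a scan are candidates to move onto the protected server or delete, as the assessment step recommends.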
Physical protection:
- Your server and any other device that stores PHI need to be physically secured. Keep in mind that theft of a server or large storage device, such as a NAS or removable hard drive, accounts for a large percentage of the data breaches reported by dental offices.
- The use of a computer locker or cage is advised to physically lock these devices in place.
Windows updates:
- With a majority of all Windows updates being security patches, it is both a requirement and best practice to run all Windows security updates regularly.
- Windows updates are released at least twice a month. Your office needs to ensure that they get run at least once a month.
Staff training:
- As the last line of defense against a ransomware attack, all team members, including practitioners, need to be trained on how to avoid triggering one.
- This training should be part of your required annual HIPAA training.
Backup and Disaster Recovery:
- The last layer in this approach to proper cybersecurity is a readily available backup of all your data. It is a HIPAA requirement and the best defense against paying a ransom.
- A proper risk assessment should make you aware of how long it will take you to recover from a ransomware attack with your existing backup system.
Important Note:
- Like your server, backup systems have also become a target of ransomware attacks.
- 70% of the backup systems at small and medium businesses hit by ransomware failed, according to a report by IBM.
3. Repeat
To ensure you are protected against ransomware attacks, you need to repeat risk assessments and then adjust your practice accordingly. There are two times when a risk assessment is a necessity:
- Once a year: HIPAA requires a proper risk assessment be run at least every 12 months. Annual assessments provide updated information on any and all security issues that need to be addressed to maintain proper cybersecurity.
- When you make significant changes to software or hardware: A new risk assessment should be completed whenever this occurs.
Learn more about dental security and compliance software at pattersondental.com.
About the author
Steve White is vice president and partner of DDS Rescue. He is a nationally known lecturer in the fields of business continuity, cybersecurity and office productivity. He has over 40 years of experience in the dental industry and extensive knowledge of marketing, product development, engineering and manufacturing disciplines.