By Dan Gospe
With stories about cybersecurity and hacking attempts focusing of large organizations such as Target, Blueshield, and more, many dentists often neglect cybersecurity – they assume that they won’t be a target, since their data is not as exhaustive as breaches in the news. But, there are many reasons that cybersecurity should be the first priority for even the smallest of dental practices.
According to Greg Shannon, chief scientist of the CERT Division of the Software Engineering Institute at Carnegie Mellon, “Small Business is a Huge Target because the attacks are automated”.
Automated attacks take on a different form than the targeted hacks that occur throughout the larger industries. These automated attacks are designed to seek out IP addresses with open ports, or cater to the low hanging fruit of internet-connected PCs that have out of date security software, or other gaping holes in security.
Here are a few reasons that as a small dental practice, you may be a bigger target than you think.
1. Hackers know that you don’t have a security team in place.
If you are like many dentists, you haven’t taken steps to address all of the security holes that exist in your system. Perhaps, you haven’t conducted a risk assessment to really get a handle on how security holes have crept onto your network. Hackers and malware designers, however, know these typical security lapses very well, and specifically focus their automated attacks on these vulnerabilities.
2. As you add patients to your database, your data silos grow.
It’s easy to forget how much data that you generate, and how many patient records you retain. If you begin your small dental practice from the ground up, you may lose sight of the growth of your data stores over time. Hackers know that dentists are built from the ground up, and generally do not have the state-of-the-art security measures in place from day one.
3. Old accounts remain on many systems
When an employee leaves your dental practice, many times their data, user account, and password remains untouched on your network. Password policies do not get followed, and these accounts are generally not monitored for security breach.
4. Your password policy is lax
If you use the same password for multiple logins, then you’ve doubled your risk to security breach. All it takes is one hack of a password tied to an email address, and suddenly everything you access with that password is at risk.
5. No IT team is in place for small practices
Cybersecurity for larger organizations include an IT team, responsible for monitoring and mitigating risks to breach. Smaller practices, however, have a small team which doesn’t have the resources to effectively manage their network. Most small practices end up outsourcing this type of management to an IT company, while other larger practices sometimes have an in-house IT manager addressing the security holes that are found over time.
6. For a hacker, your patient record is just the beginning
While a hacker isn’t going to care about a single patient record, it’s important to keep in mind that your data also reveals insurance, financial, and a host of other data points that are valuable to criminals. Once the criminal is into your system, it’s not only the records that he or she wants. The golden fruit of the hacking job is to gain a back door entry into associated companies, bank accounts, and more.
7. Every IP address is a target
Through automated attacks, every single hosted IP address is a target. Your server might be next in line for a spam email campaign. It isn’t uncommon for a compromised server to fire out thousands of emails a day without the owners knowledge. This will get your IP blacklisted, and affect your presence on the web and also be a very large HIPAA violation.
8. Your internet connection may be broadcasting outside your walls
Hackers steal data over unsecure Wi-Fi connections. Secure your routers, and make sure that no patients have access to your network through the guest wireless. Also, never broadcast your internal wireless network to the masses. Automated programs on cell phones of passers by can hammer these Wi-Fi signals with passwords until they gain access to your systems.
Here are some tips for keeping your cybersecurity policies up to snuff:
- Encrypt your data stores
- Avoid broadcasting the name of your Wi-Fi network
- Do not use your smartphone to access your practice’s vital data
- Use different passwords, and enforce password policies, on each portal of access
- Delete user accounts and data when employees leave the practice
- Use a business-class, monitorable antivirus
- Institute real-time monitoring for breach on your network
- Consider getting a consultation from a cybersecurity expert
Dan Gospe is the Chief Operating Officer and HIPAA Privacy Officer at dmi Networking, Inc. He can be reached through the contact form on this site, or in his office at 707-523-5915.