A Ransomware Checklist for Dental Practices

As most dentists (hopefully!) know, ransomware continues to be a significant threat to dental offices. It’s estimated that more than one-third of all health care organizations worldwide have been attacked with ransomware, and it’s only become worse since the COVID-19 pandemic hit more than 2 years ago.

Although many practitioners may believe their practices won’t be the target of these criminals, that couldn’t be farther from the truth. Patient records are the most valuable asset on the black market; they can contain names, addresses, phone numbers, Social Security numbers, insurance data, and credit card information. Additionally, many hackers assume that dentists have more disposable income than the average individual and can afford to pay a ransom.

It is critical to take steps to protect your practice. I’ve discussed these individually in previous articles, but here’s a list of what you need to do now to protect and secure your data:

• Start with a good, business-class firewall. Firewalls control the traffic both into and out of your network. Don’t go cheap with a home-use router such as Linksys or D-Link. Instead, invest in a firewall designed for businesses such as those from Sophos or SonicWall.
• Update unpatched operating systems, another common entry point for ransomware. This is exactly why many practices in 2020 replaced their Windows 7 computers. Besides being good common sense, patch management, the process of keeping your software up-to-date, is required by HIPAA.
• Invest in ransomware protection software. Almost all antivirus programs will tell you that they do a good job against ransomware, but in my experience that isn’t always the case. I highly recommend that you supplement whatever general antivirus software you have with software designed specifically to deal with ransomware viruses. Ones that come to mind are Intercept X and HitmanPro.
• Get an application whitelisting program. Of all the tools I recommend for dealing with viruses, application whitelisting is the best suggestion I can make. Application whitelisting will approve all the good software on your network, and if any program tries to run that is not on that approved list (all viruses are just small programs), it literally gets stopped in its tracks. In the 18 months that I’ve been recommending this to our clients, I have not had a single client get hit with a virus since they installed it.
• Even if you do all of the 4 items I suggest above, as anyone who works with technology knows, nothing is 100% foolproof. You need to have a backup plan…for example, a backup! Any good backup system should include a local duplicate of the server (called an image), as well as some type of offsite backup such as the cloud or external hard drives that you remove from the office each night.
• Finally, get some type of cyber liability or breach insurance. Unlike a lot of the HIPAA regulations, which can be ambiguous, the breach notification rule is very clear. If you are breached, you must notify all patients in writing and the local news media, and you will be listed on the US Department of Health & Human Services’ website, which is affectionately known as the Wall of Shame. By the way, in 2016 the Office of Civil Rights determined that if you are hit with ransomware, by definition you’ve suffered a breach.

The days of just slapping some antivirus software on your computers to protect them are long gone. Dentists need to take a layered, or stacked approach and have multiple levels of protection to keep their data safe and secure.