Protect Your Dental Practice from Ransomware

Be aware of the strategies needed to strengthen network security at your dental practice and reduce the risk of a ransomware infection.

Ransomware attacks are a persistent threat in today’s environment and show no signs of slowing. According to FTI Consulting’s 2022 Resilience Barometer, 67% of respondents expect to pay ransoms in the future. Despite the belief that ransomware attacks are happening only to large organizations with large budgets, threat actors do not care whom they are attacking or the type of organization involved. Instead, they look for any opportunity that can be leveraged, whether that involves stealing assets or information or simply disrupting business operations.

Smaller organizations, or those without intellectual property or proprietary information such as a dental practice, may assume they are not targets and are therefore safe from ransomware. This is a dangerous mind-set. Ransomware attacks are effective precisely because threat actors are usually uninterested in the data they are encrypting or stealing: there is more value in selling the data back to the organization than in selling them to a third party on the dark web. As a result, ransomware actors focus on applying as much pressure as possible to be paid, regardless of the type of data or information the organization possesses.

Beyond the financial cost of paying a ransom or the expenses needed for remediation, ransomware attacks should be concerning to dental practices for 2 main reasons: reputation damage and exposure of protected health information (PHI). A mishandled ransomware attack can cause patients to lose trust in the practice and take their business elsewhere, and rebuilding this trust can take years. If PHI is stolen or compromised during a ransomware attack, these data are at risk of exposure, creating ramifications for patients (eg, identity theft) and HIPAA violations for the practice (eg, hefty fines, potential investigations from the US Department of Health & Human Services Office for Civil Rights, and penalties).

Reputation damage and PHI exposure are significant enough to cause permanent damage to the practice, so a crisis communications plan should be prepared before a ransomware attack occurs. This plan should be able to functionally answer vital questions such as the following: When systems are taken offline during an attack, what is the plan for contacting patients, employees, and other stakeholders? Who is responsible for leading the crisis communications response? In support of this response, are there advisers already retained, or do they need to be identified and hired?

Once the crisis communications plan is established, it should be tested and regularly updated to ensure its effectiveness and ability to keep pace with evolving threats. The plan should not be used for the first time during a live incident. Testing in advance will allow for tweaks and for team members to be comfortable in their response roles.

But a crisis communications plan alone is not enough to mitigate the risks from ransomware attacks. Proper protections should also include:

  1. Cybersecurity training: Many ransomware incidents begin with an end user making a security blunder such as opening a malicious email attachment or clicking on a phishing link. To mitigate this risk, dental practices of all sizes should provide regular cybersecurity awareness training, with particular focus on the social engineering tactics attackers use. Training should be an ongoing process to ensure staff are familiar with emerging threats and current best practices.
  2. Multifactor authentication (MFA): MFA requires users to provide an additional form of authentication to prove their identity rather than rely on a simple username and password combination. This extra layer of security reduces the risk of attackers gaining access to your systems even if login credentials have been compromised. MFA takes many forms—including email and text codes, biometric verification, and authenticator apps—and should be enabled throughout the practice wherever possible. Email and text codes are better than nothing but can be phished or intercepted; authenticator apps or hardware security keys are stronger choices. Prioritize MFA on email, remote access (such as VPN and remote desktop), and practice management and cloud accounts.
  3. Credential hygiene: It’s easy for staff to get complacent about login credentials when they’re using multiple passwords every day. However, strong passwords are crucial for preventing unauthorized network access and limiting the impact of a ransomware attack. Passwords should be long (aim for a minimum of 16 characters), random (avoid using personally meaningful information such as birthdays, cities, or pets’ names), and unique (secure every service or account with its own original password). A password manager makes long, unique passwords practical for staff. Strong passwords are important even when MFA is enabled; the weaker the password, the closer you are to single-factor authentication.
  4. Backup strategy: If your dental practice is attacked by ransomware, you can use backups to recover your systems and get back to business without paying a cent to the attackers. Threat actors will typically attempt to destroy or encrypt your backups before deploying ransomware, so it’s important to maintain multiple copies of your data. Keep at least 3 copies of your files, store the copies on at least 2 different types of storage media, and keep at least 1 copy offsite; at least 1 copy should also be offline or otherwise unreachable from the production network, so that an attacker with domain-wide access cannot delete it. Test restores regularly, because a backup that has never been restored is not a backup you can rely on. Access to backups should be restricted and closely monitored to minimize the risk of patient data falling into the wrong hands.
  5. Patch management: Many ransomware attacks involve exploiting vulnerabilities in commonly used software. To counter this threat, software developers regularly release security updates designed to make their software more secure and less susceptible to attack. The issue is that in many vertical markets, including the dental industry, there’s a lag between the time security patches are released and the time they are applied, giving attackers a window of opportunity to exploit the vulnerability before it’s fixed. To mitigate this issue, dental practices must take a proactive approach to patch management and ensure security updates on all endpoints, servers, and appliances are installed as soon as possible.
  6. Incident response plan: No cybersecurity strategy is completely foolproof, and the risk of falling victim to ransomware is always greater than zero. Every dental practice should take the time to design an incident response plan covering response procedures and who needs to do what in the event of a ransomware attack, including how to isolate affected systems, preserve evidence, and meet notification obligations to patients and regulators under HIPAA. Swift, appropriate action can stop a ransomware infection from spreading, prevent data loss, and ensure the incident is remediated as efficiently as possible.
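As an added illustration of the backup item above (this is example code written for this page, not from the original article or any vendor tool), the script below builds a SHA-256 manifest of a backup set and checks each copy (primary, second medium, offsite) against it, reporting files that are missing, modified, or unexpectedly present. The folder layout, file names and contents are constructed for the demo; the scenario simulates ransomware encrypting one file and renaming another on the primary copy, and a lost file on the second medium, while the offsite copy stays intact.

```python
"""Backup integrity check across the 3 copies of a 3-2-1 backup.

Added example for this article, not the article's own code. All paths, file
names and contents below are constructed for the demo and created in a
temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large X-ray images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, with '/' separators) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(root: Path, manifest: dict) -> dict:
    """Compare one backup copy against the manifest recorded at backup time.

    'missing' and 'modified' mean the copy cannot be trusted for a restore;
    'extra' files (e.g. *.locked) are a typical ransomware signature.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def copy_is_intact(report: dict) -> bool:
    """A copy is restorable only if nothing recorded in the manifest is missing or changed."""
    return not (report["missing"] or report["modified"])


def demo() -> dict:
    """Constructed scenario: three copies of a small backup set, two of them damaged."""
    files = {  # constructed sample content, not real patient data
        "patients/schedule.csv": b"date,patient\n2024-01-02,A\n",
        "xrays/0001.dcm": b"DICM" + b"\x00" * 64,
    }
    with tempfile.TemporaryDirectory() as tmp:
        copies = {name: Path(tmp) / name for name in ("primary", "second_medium", "offsite")}
        for root in copies.values():
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)

        # Record the manifest at backup time, before anything goes wrong.
        # Keep the manifest with the offline copy: an attacker who can rewrite
        # the backup can rewrite a manifest stored beside it.
        manifest = build_manifest(copies["primary"])

        # Simulated ransomware on the primary copy: one file overwritten in
        # place, one renamed with a ransom extension.
        (copies["primary"] / "patients/schedule.csv").write_bytes(b"ENCRYPTED")
        (copies["primary"] / "xrays/0001.dcm").rename(copies["primary"] / "xrays/0001.dcm.locked")

        # Simulated media failure or deletion on the second copy.
        (copies["second_medium"] / "xrays/0001.dcm").unlink()

        return {name: verify_copy(root, manifest) for name, root in copies.items()}


if __name__ == "__main__":
    for name, report in demo().items():
        status = "OK" if copy_is_intact(report) else "NOT RESTORABLE"
        print(f"{name}: {status} {report}")
```

Run the check on a schedule from a machine that is not a domain member, and alert when any copy stops being intact; an "extra" file with an unfamiliar extension on the primary copy is worth investigating immediately, because it usually means the backup was overwritten after the attacker already had access.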

Cybersecurity is the responsibility of everyone who works at your dental practice—not just of your information technology team. Although there is no silver bullet for ransomware, you can use several strategies to strengthen network security at your dental practice and reduce the risk of a ransomware infection.