Ransom Recovery

Dental Products Report, March 2021, Volume 55, Issue 3

Part 4 of our Cybersecurity Series looks at how backup data can save money and your practice’s reputation.

The last 3 articles have focused on cybersecurity best practices. Although Health Insurance Portability and Accountability Act (HIPAA) compliance is still a critical issue for many offices, in recent years I have been emphasizing the need for dental practices to up their cybersecurity game. The biggest threat to dental offices is ransomware, the class of viruses that lock your files and demand you pay a ransom to get the unlock key. A ransomware infection would be devastating to most offices. Not only would you have days of downtime and have to pay a large sum of money to (hopefully) get your data back, but a ransomware infection is considered a breach and you would have to report it to your patients and the US Department of Health & Human Services.

Previous articles looked at ways to keep ransomware out of your network or to minimize damage by encrypting the data. In this article, I want to again examine the best way to recover from a ransomware attack without paying the ransom: having a solid backup and disaster recovery system.

If a patient goes to 10 dental offices, they will likely get 10 different treatment plans. If you ask information technology (IT) providers to recommend a good, HIPAA-compliant backup system, you are going to get different opinions. Below is the system that I have developed over 21 years of providing this service for our clients. It consists of 2 main components:

1. In almost all cases, your local backup will be the first line of defense. It resides in your office and will allow for the speediest recovery. The challenge for many dental offices is that although they may have thought through the process of backing up data, they have not planned for how to quickly recover the information. Many practices just back up the data, but this is a mistake. If your server goes down and you need to be up and running, what do you do? It would often require getting another server into the office (they are not sold at the local Best Buy), reinstalling all your program files, reconfiguring the network, then downloading the backed-up data to the new server. This is at best a 1- or 2-day process, likely longer. What I recommend is taking an “image” of the server, basically a snapshot of the entire server: data, programs, network settings, everything. Put that image on a local device and virtualize it. Now, if your server goes down, you fire up that virtual copy of the server and within minutes, not days, the rest of the computers will think the server is up and running again; you will be able to pull up the practice management system data, take x-rays, etc., while the main server is being repaired.

2. Notice I said almost all cases use the local backup to recover. There are, however, instances where that is not true: fire, flood, theft, anything that destroys the server and the local backup. You are going to need an offsite backup as well. This also happens to be a HIPAA requirement. In the past, many practices used external hard drives; they are inexpensive and easy to run. However, I recommend a cloud backup instead—the more you can minimize hands-on management of your backup by you and your staff, the better. Although there are some cheap options, you tend to get what you pay for. Many are not HIPAA compliant, do not offer monitoring and alerts to backup problems, or cannot get you the data quickly.
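The "monitoring and alerts" the two components above depend on can be stated as a small check. This is an added example, not code from the article or from any backup vendor; the image inventory, field names and checksums are constructed for illustration, and the 24-hour age and 30-day boot-test limits are assumed thresholds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record of one stored copy of a full server image. Field names
# are assumptions for this example, not any backup product's schema.
@dataclass
class ImageCopy:
    location: str               # "local" (on-site device) or "offsite" (cloud)
    taken: datetime             # when the image was captured
    sha256_at_capture: str      # checksum recorded when the image was made
    sha256_now: str             # checksum recomputed on the stored copy
    boot_tested: datetime = None  # last time it was started as a VM; None = never

def check_backup_health(copies, now, max_age_hours=24, max_test_days=30):
    """Return alert strings; an empty list means both tiers are healthy."""
    alerts = []
    for tier in ("local", "offsite"):
        tier_copies = [c for c in copies if c.location == tier]
        if not tier_copies:
            alerts.append(f"{tier}: no image copy exists")
            continue
        newest = max(tier_copies, key=lambda c: c.taken)
        age_h = (now - newest.taken).total_seconds() / 3600
        if age_h > max_age_hours:
            alerts.append(f"{tier}: newest image is {age_h:.0f}h old (limit {max_age_hours}h)")
        # A copy whose checksum no longer matches was corrupted or altered in
        # storage; an encrypted or damaged backup cannot be restored.
        for c in tier_copies:
            if c.sha256_now != c.sha256_at_capture:
                alerts.append(f"{tier}: image from {c.taken:%Y-%m-%d} fails integrity check")
        # Only the local tier is expected to boot as a stand-in virtual server,
        # so only it needs a recent restore test.
        if tier == "local" and (newest.boot_tested is None
                                or now - newest.boot_tested > timedelta(days=max_test_days)):
            alerts.append(f"local: newest image not boot-tested as a VM in {max_test_days} days")
    return alerts

# Constructed inventories. SAMPLE has a healthy local tier but an offsite copy
# that is three days old and whose checksum has changed; HEALTHY passes.
NOW = datetime(2021, 3, 15, 8, 0)
SAMPLE = [
    ImageCopy("local", NOW - timedelta(hours=6), "aa11", "aa11", NOW - timedelta(days=10)),
    ImageCopy("local", NOW - timedelta(days=1, hours=6), "bb22", "bb22"),
    ImageCopy("offsite", NOW - timedelta(days=3), "cc33", "dd44"),
]
HEALTHY = [SAMPLE[0], ImageCopy("offsite", NOW - timedelta(hours=12), "ee55", "ee55")]
```

Running `check_backup_health(SAMPLE, NOW)` reports the stale and altered offsite copy; a real deployment would feed the inventory from the backup tool's logs and route the alerts to whoever is responsible for the practice's IT.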

While many dentists do have the ability to do backups, when you consider how important they are, I usually suggest that you have an IT professional specializing in health care handle this for you.