The Low Price of Office Data Security

Dental Products Report, May 2024, Volume 58, Issue 5

With cybercrime flourishing, you need to protect your network and data. Try viewing it as a business expense.


I hope the title of this article got your attention because that was my intent. We all expect a title like that to use the high price of something, but that is not always the case, especially when you are thinking about your office information technology (IT) security.

A couple of decades ago I had just finished giving a lecture on taking your office totally digital. As the audience was packing up and leaving the room, a well-dressed and obviously successful doctor walked up to me. At the time, practice operating systems were undergoing many frequent changes. Digital charts were a new thing, and most of the larger software companies were working on ways to integrate digital radiographs directly into their platform.

“How easy is that to do?” the doctor asked. I told him it wasn’t really that difficult but that it depended on the software. I asked him what practice management software he was using. “Heck, I don’t know,” he replied. “That’s the gal at the front desk’s department.” I was a little taken aback by the answer, but honestly also a little irritated by the way he said it.

My response? “You know that beige box with the keyboard and the mouse that sit on your front desk? That’s where all of your money is,” I said. All these years later, that statement is thousands of orders of magnitude greater.

The Dilemma
I mentioned this in my April 2024 column. Dentists, as business owners, are always walking a tightrope between money coming in and money going out. Profitability is how we continue to pay our bills. Also, if you cannot stay in business, you can’t help those who depend on you. Patients, as well as our teams, count on us to be there for them.

Every month, doctors are looking at their costs and trying to figure out a way to minimize them while still delivering the best care and best wages possible. Lowering costs and not overpaying are things we look at all the time…and you should.

Understanding
However, I think that sometimes when we don’t really understand the importance of something, we tend to not understand why it’s valuable. It’s similar to a patient who asks, “Can’t you just do a filling?” when presented with the need for a crown. As doctors, we understand why a filling is not the right choice, but often as business owners, we hesitate to spend money on something when we don’t comprehend its value. IT security in the dental office isn’t a “want” or a “nice to have” item. It is now, more than ever, a need.

There are a couple of points I want to make. The first is that security is absolutely critical. I once had a friend ask me, why would anyone want to know that “Mrs Brown had a crown done last March on tooth #30” and why it was critical? I agree that probably no criminals would want to know that. However, what they would like to know are things like Mrs Brown’s date of birth, her address, and her Social Security number…among lots of other demographic information. Once they have all of that, they can very easily perform identity theft and convert that stolen data into ill-gotten gains.

The second point is that your server has become that “box where all of your money is.” If your computer is hacked and your data encrypted, you are now completely dependent on restoring your system from backups. Good backups are critical to success, but even if you have pristine backups, your practice is going to be down until your systems are restored. That is going to mean closing the office for business until your network is back up and running.

That is why I’m such a big fan of DDS Rescue (ddsrescue.com)—they help you continue to operate with all your data accessible remotely and keep the doors open if a problem occurs. Yet, even if you have DDS Rescue service, you are still going to be out the money it will cost to restore your local system, and that can be expensive. And even if you are using a cloud-based system, odds are that you have lots of data that need to be protected on your local network.

Ransomware attacks are common. Tech security company NinjaOne estimates that ransomware attacks occur 19 times per second.¹ Plus, health care ransomware attacks have increased significantly in the past few years. You may have recently seen news of the Change Healthcare attack. That company (which is owned by UnitedHealth Group) paid a $22 million ransom to get their systems back up and running. We also saw a huge data breach at the American Dental Association in 2022, and in September 2023 supply company Henry Schein suffered a massive breach of their system.

I’m sure many of you are thinking that you are just a small fish in a big pond. Why would anyone want to bother with you when there are much bigger fish to go after? The answer to that is part of why I’m writing this column. Cybercriminals know that small health care offices are underprotected and easy targets. It’s much easier to break into systems that don’t have large IT departments tasked with protecting the network. If you are just buying some equipment from Amazon and hooking your office up to the internet, it’s akin to going on vacation, posting it on Facebook, and then leaving your doors unlocked.

If it is easier to get $100,000 from 10 offices than it is to get $1 million from a large company, odds are that the criminals will look for the low-hanging fruit.

Repercussions
If you are still having doubts, let’s talk about getting the US Department of Health and Human Services (HHS) involved. You are required by federal law to protect your patient data. If you have a data breach, you are required to notify the authorities. The HHS Office of Civil Rights is the enforcement arm of the Health Insurance Portability and Accountability Act (HIPAA), and its fines are severe. To ensure that health information is truly protected, severe fines are meted out when breaches happen. In addition to lost income and the expense of restoring your system, you then have to factor in a very large fine.

The next step is to notify your patients, which is also required by HIPAA. At that point, the loss of goodwill and trust of your patients must be factored into this equation. You will also, of course, have to pay for the notification letters and postage, but that is a drop in the bucket compared with all the other problems and expenses you will face.

Perspective
I feel the best way to look at IT security is through the lens of an insurance policy. We all have malpractice insurance. No practitioner should think, “I’m just a small office and a good doctor; no one will ever sue me.” You also don’t think, “I’m a good driver. I’ll never have an accident.” We have these insurance policies in place because we want to be protected if something bad happens. Of course, we’d save a lot of money if we didn’t pay for those policies, yet we all still have them.

So look at security as a business expense. Put it into your budget. Similar to a percentage of production being spent on wages, supplies, etc, your accounting firm can help you determine what percentage of production should be spent on IT security. Once you know that, you can then get bids and determine the best solution for your individual situation.

There are even health care–specific security companies such as Black Talon Security (blacktalonsecurity.com) that have solutions for dental offices.

Wrapping Up
This is a difficult subject, but theft and extortion have been around almost since Adam and Eve were kicked out of the Garden of Eden. There will always be a small percentage of the population that thrive on crime. Unfortunately, it’s a reality.

However, planning for the future and the long-term viability of your practice now requires vigilance in the IT security space. You don’t need to be an expert to deal with this. Instead, what you need to do is find the experts and let them do what they do best. Just as patients don’t understand and perform their own dental procedures, you don’t need to understand and implement your own security profile. However, that doesn’t mean you don’t need it. Part of my job as “Technology Evangelist” is to give you the straight scoop on how tech impacts dentistry, and security is having a major impact.

Implement what your experts recommend. You’ll be better off in the long run, trust me. See you next month!

Reference
1. Crowe J. Must-know ransomware statistics, trends and facts. NinjaOne. Published March 18, 2024. Accessed April 8, 2024. https://www.ninjaone.com/blog/must-know-ransomware-statistics/