In an increasingly digital world, it is more important than ever for dental practices to protect themselves against the threat of cyberattacks.
Global cyberattacks increased by 38 percent in 2022 compared to 2021, with the healthcare sector seeing the largest increase in attacks, according to a report from Check Point Research. The healthcare sector ranked third out of all sectors for the most cyberattacks.
How do cyberattacks happen?
According to Gary Salman, CEO of cybersecurity company Black Talon Security, there are two primary avenues for cyberattacks to occur: Social engineering and the exploitation of vulnerabilities.
Social engineering includes email-based attacks such as phishing, a technique used to get people to reveal sensitive data. This can look like an email from someone masquerading as Google asking you to update your email address. If links from that email are clicked, it could result in malicious code such as ransomware being downloaded or usernames and passwords being stolen through credential harvesting. Social engineering can be used to breach email systems and networks.
Vulnerabilities are defects in software or hardware that allow hackers to exploit the device. According to Mr. Salman, vulnerabilities are where dental practices have the least amount of visibility into their risks. Vulnerabilities can exist on dental practices' firewalls, a network security system that monitors and controls incoming and outgoing network traffic. Hackers can scan those firewalls and chip away at the areas where there are vulnerabilities to break through.
"Once you get through someone's firewall, it's pretty much game on for the hackers," Mr. Salman told Becker's. "They're going to be on the inside of the network pretty quick. Then they're going to start looking for other computers they can exploit and ultimately getting to patient data, cloud data and things like that."
Some more rare cyberattacks in dentistry include inside attacks — employees installing illegitimate software — and practices' third-party vendors getting hit by cyberattacks such as the practice management software or information technology company.
How can dental practices protect themselves against cyberattacks?
Mr. Salman told Becker's that there are three core cybersecurity elements that need to be implemented across all industries: offensive capabilities, penetration tests, and defensive capabilities, as well as cybersecurity awareness training, which is required under the HIPAA Security Rule.
Offensive capabilities include technology within the dental practice that examines the firewalls for vulnerabilities. Penetration testing is when ethical hackers at a cybersecurity company pretend to be cybercriminals to test how well a practice can withstand potential cyberattacks. Defensive capabilities include products such as anti-virus or extended detection response software.
Another way that Mr. Salman says dental practices can protect themselves against cyberattacks is through the concept of "trust, but verify." He explained that it is essential for dentists to know what their IT company does.
"When [dental practices] have a breach or all their patient data is stolen or they have a ransomware event and the government starts investigating that … you can't tell the government, 'Oh I'm just a dentist, I don't know anything about cyber. I don't know what I was doing to protect my network, I just trusted my IT company.' Unfortunately, that doesn't work," Mr. Salman said.