The increased digitization of dental records, improved AI and machine learning softwares and the commonality of QR codes are just a few of the ways that cybersecurity risks in dentistry have heightened in recent years.
Six industry leaders recently connected with Becker's to share the ways that cybersecurity and the threats that come with it have evolved in dentistry.
Note: Responses were lightly edited for clarity and length.
Question: How has the risk of cybersecurity threats increased in recent years?
Dev Ashish. Chief Technology Officer of ClearChoice Management Services (Greenwood Village, Colo.): The risk has increased in three big ways: One is the increased digitization of workflows in the dental world has led to a proliferation of headless devices, many of which are connected to the network and can present new and sometimes unprotected attack vectors. A second is the increased sophistication and the number of attackers. While the dental world likely hasn't had to deal with state sponsored cyberterrorism yet as the energy or financial sector has, the social engineering attacks are becoming more and more sophisticated. Bad actors can buy packages for ransomware on the dark web and can then target many companies with those packages. Finally, remote workers and the global supply chain lead to employees working from different areas of the world, and often over unprotected networks that create additional risk of snooping and data loss. Targeting third-party vendors and software providers has become a popular tactic to gain access to larger networks and sensitive data. This indirect attack method poses a significant challenge for dental companies relying on various software and services. Add to these three the talent shortage of cybersecurity professionals, and you end up in a scenario where many healthcare and dental offices are vulnerable, and it's important that they take the responsibility of protecting their patients' trust very seriously.
David Chei, DMD. CEO of Care 1st Dental Management (Carrollton, Texas): I believe the threats have become more sophisticated and more international. There are many actors with bad intentions that are looking for victims.
Dan Mirsky. Senior Vice President and CIO of Sage Dental (Boca Raton, Fla.): I would say another threat that is on the rise is the use of QR codes and the general user's trust in them. During COVID, we all got so used to scanning a QR code with our phones to download a menu, or check in at a doctor's office, pay for parking, etc. We got so used to them to the point where we started to blindly trust them — well, not all of us. We are starting to see more emails coming through with these QR codes to harmful phishing links and sites. The problem with QR codes is you are not able to inspect the link contained in that code by hovering over the image like we train our employees to do before clicking. What also makes it dangerous is we are so used to taking out our phones and following the link not realizing that now you have the ability to bypass the companies' cybersecurity safeguards because this is now happening on the employees' personal mobile device where [mobile device management] or other tools may not have access or protection. This is the newest attack vector that I believe we will be challenged with in the not-so-near future.
Dion Perkins. Vice President of IT of Mortenson Dental Partners (Louisville, Ky.): Three main things have led to increased risks. No. 1 is it used to be the other industries' issue to deal with, as healthcare was considered off limits to hackers. Healthcare is not only on the table but now targeted because of the value of the data on the dark web. Cyber threats come from organized companies that operate the same as your business. State-sponsored attackers are a known entity you must protect against in healthcare. Second is the fact that data can be overwhelming, with billions of records a month to review. The standard 200+ [security information and event management] analysis golden rules are just a small piece of proper protection. You must upgrade to utilize AI analysis to know what threats are real, and AI tools are a necessity and not a nicety in today's world. Finally, security review of third-party integrations is growing in importance. The count of breaches seems to have flatlined, but the number of records breached is exponentially skyrocketing. Most of these large breaches are coming from third-party integrations that are needed to stay competitive. Why do people rob banks? Because that is where the money is. Third parties extend into several healthcare firms and have the largest concentration of sensitive data.
Steven Price. President and CEO of Tech Rockstars (Monrovia, Calif.): Over the past few years, the cybersecurity landscape has seen a marked increase in threat levels across all sectors, with dental practices becoming prime targets. This escalation is attributed to several factors. Cybercriminals have become more sophisticated, employing advanced techniques like AI and machine learning to breach networks. The value of healthcare data, particularly dental records, has soared on the black market due to its detailed and comprehensive nature, making it highly lucrative for identity theft and fraud. The digitization of dental records, while streamlining administrative processes and patient care, has inadvertently expanded the attack surface for cybercriminals. This shift to digital mediums means that more patient information than ever is potentially accessible through cyberattacks. Regulatory bodies have responded by tightening compliance requirements, such HIPAA in the U.S., which mandates rigorous data protection protocols. Despite this, many dental practices find themselves struggling to keep pace with these regulations due to resource constraints. To combat these heightened risks, dental practices must adopt a proactive stance on cybersecurity, investing in robust security infrastructures, continuous monitoring, and employee training to recognize and mitigate cyber threats. The reactive approach of the past is no longer sufficient; instead, a preventive strategy, coupled with a rapid response plan for potential breaches, is necessary to protect sensitive patient data and maintain the integrity of healthcare services.
Daniel Romary. Chief Information and Analytics Officer of North American Dental Group (Pittsburgh): As we are seeing a rise the volume of cyberattacks in recent months, we also have seen an increased sophistication of the attacks, enhanced social engineering and targeted attacks, an uptick in ransomware attacks, taking advantage of remote workers and increased network/interconnectivity, and an increased interest by nation-state actors to gain access to HIPAA data.