TechNotes
You’re Not Paranoid—Someone Really
is Out to Get Your Patients’ PHI
The entire dental industry is in the crosshairs of
regulators and lawyers who are focused on
safeguarding protected health information (PHI). The
“bad guys” want to steal your patients’ data, and regulators
want to punish you if the bad guys succeed.
Most dental offices have the latest equipment and trained
teams to provide excellent patient service, but when it
comes to security, many are lacking. This is unfortunate
because the dental industry suffers the same trends as
healthcare in general: upticks in cyber-attacks, social
engineering, malware, and cyber ransom that can cost
millions of dollars in response, credit monitoring, and fines.
And now the Office of Civil Rights (OCR) is taking a closer
look at how PHI is protected—across all forms of health
care, including dentistry.
No. 1 Cause of Breaches: Theft
It may be surprising to learn that half of all dental PHI
breaches are due to theft. In one 2015 case in Nevada,
12,000 records were compromised when a device with
unencrypted data was stolen. In another, a laptop was
stolen from the car of a business associate, impacting
76,000 victims.
But other types of incidents are surfacing as well. One large
group dental practice last year exposed 151,000 records—
complete with patient names, Social Security numbers,
birth dates, phone numbers, and home addresses—when
hackers used malware to obtain an employee’s username
and password for the practice’s membership database.
Theft is Just the Beginning
Theft and hacking are just the beginning. An increasingly
popular tactic is crypto-ransomware, a type of malicious
software (malware) that infects a computer and restricts
access to it until a ransom is paid to unlock it.
24 | www.Dentrix.com/Magazine
In fact, ransomware has become so pervasive that the FBI has
warned it is one of the biggest threats to consumers and
businesses. Victims can be infected by clicking on links in
malicious emails that appear to be from legitimate businesses
and through compromised advertisements on popular websites.
Or they can become victims simply by visiting the wrong
website, as discovered in one major case in California, where
a hacker used crypto-ransomware downloaded via browser
drive-by (visiting compromised websites), which resulted in
the practice being taken offline for several days until
backups were recovered.
Data recovery was only the beginning of that hack; the
dental practice had to notify regulators, and a federal
investigation ensued.
Data breaches can be crippling to dental organizations.
They can face millions of dollars in losses due to lost
business, fines, remediation, and litigation.
How Protected Are You?
One way for dentists to avoid a PHI breach or loss is to
regularly conduct HIPAA security risk assessments (SRAs)
in their practices. SRAs look at the current state of affairs
and then provide a remediation roadmap that helps the
entire team correct gaps in compliance from a technical,
physical and administrative perspective.
Another way to lessen risks is to take advantage of cloud
computing. Storing data in the cloud is a popular choice
for dentists due to its agility and cost effectiveness. By
moving their server from the office to the cloud, dentists
can help defend themselves against the number one cause
of compromised PHI—theft of the server due to unsecured
in-office environments.
Henry Schein TechCentral and its security partner,
ClearDATA, can conduct SRAs and offer cloud technologies
and managed services that can play an important role in
helping you protect your practice from data thieves. To
learn more about TechCentral security risk assessments, call
877.483.0382 or visit www.henryscheintechcentral.com.
CHRIS BOWEN
Founder and Chief Privacy &
Security Officer of ClearDATA