Depending on its size, a dental practice or dental service organization (DSO) could have millions of dollars invested in tools, devices, hardware, and software that are connected to each other, the cloud, or other systems. When one is breached, it can halt thousands of dollars of billings per day, not to mention the cost of recovering from a breach. Compliance issues also come into play for any of those devices or software solutions that gather, store, or exchange patient information.
It's why a one-size-fits-all security solution can rarely protect every mission-critical piece of dental equipment or software and why an audit to identify and address security and cybersecurity vulnerabilities is a smart move for dental organizations of all sizes.
The vulnerability landscape
Dental practices and other associated businesses in the dental space are top targets for hackers and other nefarious cybersecurity actors, and this has contributed to a 45% increase in data breaches since 2022. There are several reasons for this, most notably that the patient data they hold is lucrative, including personal, banking, and insurance information, as well as the practice's own financial and other information. A perceived lack of robust security systems and limited employee training in security also make many practices attractive targets for hackers.
Once underway, the average hack runs for 90 days. During that time, hackers are not only able to plant malicious code, but they can freely explore accessible data and plan new ways to exploit it, as well as determine inroads into connected systems outside the practice. The threat level is severe enough that the FBI issued a notice in May 2024 to the ADA and American Association of Oral and Maxillofacial Surgeons warning of a credible, active cybersecurity threat to oral and maxillofacial surgical practices and expressing concern that general dentists and oral healthcare specialists could be targeted.
On the cybersecurity front, dental practices and DSOs face five primary vulnerabilities: phishing, ransomware, social engineering, fake software updates, and business email compromise. On the security front, physical security and access control are the biggest areas of vulnerability, while other threats come in the form of financial fraud, insider threats, and identity theft.
The consequences of a successful breach are potentially devastating, both financially and reputationally, and recovery can take years. Additionally, compromised patient records can be HIPAA violations, exposing the practice to heavy fines ranging from $100 to $50,000 per violation and the loss of patient trust.
Assessing your practice's vulnerabilities
While the best way for a dental practice or DSO to assess its vulnerabilities is to call in a cybersecurity professional, it is possible to self-audit by assessing the following five key areas of the business:
- Staff training: Is your team trained in cybersecurity best practices, including how to recognize phishing attempts, the need for strong passwords, etc., and is this training updated regularly?
- Security safeguards: Do you have security measures in place that minimize human errors (e.g., email filters, browsing restrictions, multifactor authentication), particularly around patient information access? Are they kept current?
- Software patches and updates: Are procedures in place for updating software and systems with the latest patches and updates to protect against vulnerabilities? Are they followed?
- Vendor security profiles: Do vendors, partners, or any other entity that may access the practice's systems have proper cybersecurity and security protocols to prevent a breach on their end from impacting the practice?
- Business continuity: Is there a business recovery and continuity plan in place to get operations back up and running in the wake of a breach? Is it regularly reviewed and updated as needed? Are staff aware of the plan and trained in its deployment?
The answers to these questions will provide a fairly clear picture of any areas of weakness in a practice's or DSO's security framework and help determine the next steps and whether they can be taken internally or if seeking outside expertise is the better option.
Taking action
Once areas of vulnerability have been identified, take action to harden them against cyber and security threats to mitigate risks and ensure the organization is prepared if the worst-case scenario comes to fruition.
One of the first steps should be getting staff members up to speed on security training and ensuring they are adhering to best practices. From there, you want to follow these steps:
- Schedule regular backups of all critical data and encrypt them; backups should ideally be stored offsite in a HIPAA-compliant facility. Perform tests to ensure these systems and data can be restored quickly when needed.
- Schedule regular checks for software and device updates.
- Implement or enhance email, online, and other security measures.
If one does not already exist, put in place an incident response plan outlining the steps to take should a breach occur, including how to contain it, assess its impact, and notify affected parties. Be sure the plan encompasses all HIPAA and other compliance requirements. Business continuity should be included in the incident response plan, or a separate plan should be created.
Finally, consider partnering with an information technology (IT) management firm that provides cybersecurity services to maintain software and devices. Look for a provider with specific experience in dental IT and cybersecurity that offers, at minimum, proactive monitoring, regular security assessments, and staff training, and that has a deep understanding of HIPAA and other compliance requirements. During the evaluation process, ask prospective companies about their response times and disaster recovery capabilities, and obtain and check references.
Be prepared
The harsh reality is that it is only a matter of time before a dental practice or DSO is hit by a breach of some kind. The information they hold is simply too valuable a target for hackers to resist. By limiting potential technological loopholes and establishing security and recovery protocols, the fallout can be minimized and the practice can continue providing quality patient care with minimal disruption.
Erik Eisen is the CEO of CTI Technical Services, a leading provider of IT support and cybersecurity services in the dental space.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.