Cybersecurity trends consistently point to ransomware as the number one threat to health care. The ramifications of such an attack compromise not only patient data but also your hard-earned profits. Ransomware operates by holding sensitive information hostage until the victim pays a ransom to retrieve the data.
It is absolutely necessary that you notify the federal government of such a crime. If you do not, federal fines can be double the ransom, dealing a heavy blow to an already victimized business. Additionally, many malicious actors and criminal cybergangs now exfiltrate patient data and extort the patients themselves, in addition to the practice, for payment. This further complicates an already difficult situation, as all potentially leaked HIPAA data must be reported.
Recovering from a ransomware attack is not easy, and downtime in any business is lost money. In the case of a cyberattack, compromised data and a loss of patient trust are also at stake, which requires dental practices to understand and prepare for an attack before it’s too late. In one case, a dental office lost nearly $20,000 a day for three consecutive business days. These breaches can cost even more to repair, as data restoration is often a long, drawn-out process.
Not surprisingly, the health-care sector saw the largest rise of cyberattacks in the fall of 2020. There was the Universal Health Services ransomware attack, where all 400 sites were down. It took more than three weeks to recover and bring systems back online, which demonstrates how effective and profitable this can be for malicious actors.
Ransomware warning
Ransomware attacks have become more severe. Health care accounted for 32% of attacks in 2020, with such attacks having increased by 350% in late 2019. Compounding the issue, threat actors are inflicting double-extortion tactics, further intimidating and harming practices that already struggle to maintain network security. The Sodinokibi ransomware, in a sophisticated attack against Colorado-based IT consulting firm Complete Technology Solutions, impacted nearly 100 dental practices, barring access to patient records, schedules, and more. Practices that entrust their records to a third party should require those companies to provide information about their network security and should have an independent party analyze the security service.
The increase in the number and sophistication of ransomware attacks in recent years prompted the Office of Foreign Assets Control within the US Treasury Department to issue an important yet often overlooked advisory in October 2020. The advisory declared a continued rise in ransomware attacks and potential sanctions for facilitating ransomware payments. It warned that anyone who works with victims of ransomware attacks should cooperate with US law enforcement. The advisory is intended for CEOs, COOs, chief information officers, chief compliance officers, chief risk officers, anti-money laundering (AML)/Bank Secrecy Act (BSA) departments, legal departments, and cyber and security departments.
Getting ahead of financial disaster
No dentist wants to be offline due to a cyberattack. Prevention and detection are key. While 82% of health-care organizations state that security is a top concern, only 16% indicate they have fully functional security programs, which is alarming. In fact, many say they have an “IT person” so they don’t worry. The prospect of lost business and patient data is frightening, and the ramifications of an incident can be lasting, considering the potential loss of patient confidence. Patient records are highly prized by cybercriminals: an individual health-care record can sell for up to $1,000, while Social Security numbers go for as little as $1. Just last month, NBC News reported on hackers who published detailed patient data from tens of thousands of patient files from medical centers in Florida and Texas.
Implementing excellent cybersecurity practices requires more than off-the-shelf antivirus software. Dental practices today need to be prepared for an aggressive and potentially debilitating cyberattack. One important step is to back up all computers to the cloud, to external hard drives, or to a combination of both. It is recommended that businesses keep three different types of backups, as these adversaries now encrypt any backups they can see as well. Strong passwords are also crucial, and multi-factor authentication (MFA) is an effective addition to the login process. We hear that some practices have hired firms to do penetration testing, which tests whether an adversary can break into their systems. The catch is that humans are the weakest link in the cybersecurity chain, and most breaches happen because an employee clicked on a phishing or spoofed email.
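The "three backups, and not all of them reachable" advice above is only useful if someone checks that it actually holds. The script below is an added example, not code from the article or from any backup or security vendor, showing how a practice's IT person could verify a backup set: at least three copies exist, all copies are byte-identical, none is older than a day, and at least one copy is write-protected from the host running the check. The set name, file paths, contents, thresholds and the "read-only file" stand-in for offline or immutable storage are all constructed for this example.

```python
"""Backup-set health check.

Added example; not code from the article or from any vendor it names. It
verifies that a named backup set satisfies the "three backups" rule: at least
MIN_COPIES copies exist, all are byte-identical, none is older than
MAX_AGE_SECONDS, and at least one copy is write-protected from this host
(modelled as a file without the owner-write bit; in practice that would be
object-lock storage, a WORM volume or offline media). Paths, contents and
thresholds are constructed for the example.
"""
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path

MIN_COPIES = 3               # assumption: the "three backups" rule
MAX_AGE_SECONDS = 24 * 3600  # assumption: a nightly backup should be under a day old


def sha256_file(path):
    """Stream-hash a file so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup_set(copies, now=None):
    """Return {'ok': bool, 'copies': int, 'problems': [str]} for a list of
    paths that should all hold the same backup archive."""
    now = time.time() if now is None else now
    present = [Path(p) for p in copies if Path(p).is_file()]
    problems = []
    if len(present) < MIN_COPIES:
        problems.append(f"only {len(present)} of {MIN_COPIES} required copies present")
    digests = {p: sha256_file(p) for p in present}
    if len(set(digests.values())) > 1:
        problems.append("copies differ in content (partial, corrupted or tampered backup)")
    for p in present:
        age = now - p.stat().st_mtime
        if age > MAX_AGE_SECONDS:
            problems.append(f"{p} is stale ({age / 3600:.1f} h old)")
    writable = [p for p in present if p.stat().st_mode & stat.S_IWUSR]
    if present and len(writable) == len(present):
        problems.append("every copy is writable from this host, so one intrusion could encrypt all of them")
    return {"ok": not problems, "copies": len(present), "problems": problems}


def make_demo_set(root, name, n=3, protect_one=True, tamper=False, stale=False):
    """Create n copies of a constructed archive under root/name/site<i>/ehr.bak."""
    paths = []
    for i in range(n):
        site = Path(root) / name / f"site{i}"
        site.mkdir(parents=True)
        p = site / "ehr.bak"
        p.write_bytes(b"constructed EHR backup archive\n")
        paths.append(p)
    if tamper:
        with open(paths[0], "ab") as f:
            f.write(b"garbage")          # simulate a partially encrypted copy
    if stale:
        old = time.time() - 3 * 24 * 3600
        os.utime(paths[0], (old, old))   # simulate a backup job that stopped running
    if protect_one:
        paths[-1].chmod(0o444)           # the "offline/immutable" copy
    return paths


def run_demo():
    """Build five constructed sets and check each; returns the five result dicts."""
    with tempfile.TemporaryDirectory() as root:
        results = (
            check_backup_set(make_demo_set(root, "good")),
            check_backup_set(make_demo_set(root, "few", n=2)),
            check_backup_set(make_demo_set(root, "tampered", tamper=True)),
            check_backup_set(make_demo_set(root, "exposed", protect_one=False)),
            check_backup_set(make_demo_set(root, "stale", stale=True)),
        )
        for name, r in zip(("good", "few", "tampered", "exposed", "stale"), results):
            print(name, "OK" if r["ok"] else "PROBLEMS: " + "; ".join(r["problems"]))
        return results


if __name__ == "__main__":
    run_demo()
```

Running the script checks five constructed sets and reports only the "good" set as healthy; the others fail for too few copies, differing content, no write-protected copy, or a stale copy. The content comparison matters as much as the copy count: a backup that was silently overwritten by encrypted data still "exists" but is worthless for recovery.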
Regarding IT infrastructure, endpoint detection and response (EDR), a next-generation antivirus method, in conjunction with a managed security service provider (MSSP), can help ensure that medical data stays safe by constantly monitoring log activity. Relying on an MSSP that can efficiently implement EDR allows for deeper monitoring and detection of issues in log data, quickly warning IT personnel of any suspicious activity that could jeopardize the practice. Combining log management, EDR, and MSSP processes enables the dental industry to roll back a ransomware attack. Protecting business data is far more affordable now than it was in years past, with some MSSPs offering per-device pricing rather than large enterprise packages.
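To make the "monitoring log data for suspicious activity" idea concrete, here is an added example of the kind of rule an MSSP analyst or EDR product applies to file-activity logs. It is not code from the article or from any EDR/MSSP vendor, and it assumes a constructed one-event-per-line log format (timestamp, host, user, action, path). It flags a host that, within a short window, rewrites or renames an unusually large number of files to a single extension the practice has never used, and separately flags any rewrite inside the visible backup share. The hostnames, users, paths, the ".lck9" extension and the thresholds are all constructed.

```python
"""Toy ransomware-behaviour detector run over file-activity audit logs.

Added example; not code from the article or from any EDR/MSSP vendor. It
assumes a constructed one-event-per-line log format:

    <ISO timestamp> <host> <user> <action> <path>        (RENAME: old->new)

and raises an alert when a host, within a short window, rewrites or renames
an unusually large number of files to one extension the environment has never
seen, or when it starts rewriting files under the visible backup share.
Production EDR works from richer telemetry, but the signal an MSSP analyst
watches for in log data is the same: a high write rate plus novelty.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Tunable thresholds; assumptions for the example, not values from the article.
WINDOW = timedelta(seconds=60)
MAX_REWRITES_PER_WINDOW = 20
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".db", ".tar"}
BACKUP_PREFIX = "/srv/backups/"

# Constructed sample log: normal clerical work on ws-03, then ws-07 renaming
# patient charts en masse to one unknown extension and touching the backup share.
SAMPLE_LOG = (
    "2021-03-02T09:00:01 ws-03 clerk1 MODIFY /srv/charts/smith_j.pdf\n"
    "2021-03-02T09:00:40 ws-03 clerk1 MODIFY /srv/charts/jones_m.docx\n"
    "2021-03-02T09:02:10 ws-03 clerk1 RENAME /srv/charts/draft.docx->/srv/charts/jones_m_v2.docx\n"
    + "".join(
        f"2021-03-02T09:05:{i:02d} ws-07 clerk2 RENAME "
        f"/srv/charts/chart{i:03d}.pdf->/srv/charts/chart{i:03d}.pdf.lck9\n"
        for i in range(25)
    )
    + "2021-03-02T09:05:30 ws-07 clerk2 MODIFY /srv/backups/nightly.tar.lck9\n"
)


def parse_line(line):
    """Split one log line; for RENAME events keep the destination path."""
    ts, host, user, action, path = line.split(maxsplit=4)
    if action == "RENAME" and "->" in path:
        path = path.split("->", 1)[1]
    return datetime.fromisoformat(ts), host, user, action, path


def detect(log_text):
    """Return a list of alert dicts, at most one per (host, kind)."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)  # host -> deque of (timestamp, extension)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, user, action, path = parse_line(raw)
        if action not in ("MODIFY", "RENAME"):
            continue
        ext = PurePosixPath(path).suffix.lower()

        # Rule 1: any rewrite inside the backup share is worth a look on its own.
        if path.startswith(BACKUP_PREFIX) and (host, "backup-tamper") not in alerted:
            alerts.append({"kind": "backup-tamper", "host": host, "user": user,
                           "at": ts.isoformat(), "path": path})
            alerted.add((host, "backup-tamper"))

        # Rule 2: many rewrites within WINDOW, dominated by one unfamiliar extension.
        q = recent[host]
        q.append((ts, ext))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if len(q) >= MAX_REWRITES_PER_WINDOW and (host, "mass-rewrite") not in alerted:
            top_ext, n = Counter(e for _, e in q).most_common(1)[0]
            if top_ext not in KNOWN_EXTENSIONS and n >= MAX_REWRITES_PER_WINDOW:
                alerts.append({"kind": "mass-rewrite", "host": host, "user": user,
                               "at": ts.isoformat(), "extension": top_ext, "count": n})
                alerted.add((host, "mass-rewrite"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the constructed log, the clerk on ws-03 never trips either rule, while ws-07 produces a mass-rewrite alert on its 20th rename in the minute and a backup-tamper alert when it touches the backup share. The value of this kind of rule is speed: the alert fires on the first few dozen files, not after the whole patient database is encrypted, which is the point at which an MSSP can still isolate the host and roll back.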
Looking ahead
Ransomware is unlikely to diminish in 2021. Making matters more complex, malicious actors are resorting to double ransoms, inflicting major financial harm on dental practices. However, dental offices can go on the offense against these attacks. An ounce of prevention is worth a pound of cure for businesses seeking to avoid or circumvent ransomware attacks. Fortunately, practices that use a combined formula of data logs, MSSPs, and EDR can halt an attack before it pervades their systems. By taking this proactive approach, the dental industry can put the cyberattack epidemic where it belongs: far away from doctors, employees, and patients.
Resources
Federal information on ransomware
CHRIS JORDAN has worked in security for more than 20 years and is currently CEO of Fluency Security Corp, as well as founder and CEO of Endeavor Security (acquired in 2009 by McAfee). Jordan was vice president of McAfee's Threat Intelligence. He also founded a security services company, Endeavor Systems, which was acquired by Telesis. Jordan recently started the Beers and Bytes podcast, where he critiques beers and discusses the latest trends in IT with IT thought leaders. In 2021, the podcast won the coveted Gold award for best cybersecurity podcast in North America. Contact him at [email protected]. Fluency Security is on LinkedIn and Twitter, and the Beers and Bytes channel is on YouTube.