The pandemic ushered in a host of changes for dental practices, and many saw the changes as overdue opportunities. It forced a new workflow that included teledentistry and offered a new approach to dental preventive care. Teleprevention is encouraged as an additional tool in dental practices. In fact, 72% of US patients prefer to access health care by combining virtual appointments with in-person visits.¹ Additionally, 80% of respondents in a survey on virtual meetings postpandemic believe these meetings will continue.²
Nearly half of states have regulations and reimbursement guidelines for teledentistry, while the others do not regulate it. Teledentistry is growing in popularity, and as it does, another problem arises: cybersecurity. How do you avoid cyberattacks while implementing teledentistry and mobile dentistry? Here’s why health-care businesses have had so many data breaches and how you can prepare your business.
Security vulnerabilities in your dental practice
Many dentists overlook the issue of cyberattacks and often feel their businesses are too small to be the target of one. Sadly, the reality is quite different. With a slew of platforms available, from LiveDentist to Aspen Dental to nondental platforms such as Zoom, cybercriminals have no shortage of platforms in which to look for vulnerabilities.
Aging devices also create vulnerabilities. Devices with code written in Java cannot be updated. Hence, you either run the equipment while it is vulnerable to cyberattacks, or you replace it with new equipment. Your printer can also be a gateway for cybercriminals.
Protecting your practice while using teledentistry and mobile dentistry
Teledentistry and mobile dentistry broaden access to care. Patients who find it difficult to go in person due to pandemic concerns or who have disabilities or lack of access can speak with a dentist for their initial evaluation. As most patients and practices are very aware, the federal government created a law to protect patient information called the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA-compliant platforms are available that allow the dentist and patients to communicate in a secure and compliant setting. But that’s just the beginning.
Why is your data so valuable to cybercriminals? Medical records hold a wealth of personal information. For example, a cybercriminal sends an email to patients stating that their insurance won’t pay for a procedure and that they owe the dentist a certain amount. This is called spear phishing, and it lets the attackers learn more about you. Most of the time they’re after your bank accounts. It doesn’t end there. Many times, they follow this with a ransomware attack. It is important to understand the dangers of ransomware because workdays are lost, data is ransomed, reputations are lost, and patients lose trust in you.
Paul Goodman, DDS, owns two dental offices in the New Jersey area and runs a continuing dental education site called Dental Nachos. He shared his experience of when his dental practice was hit with a ransomware attack. Dr. Goodman said his business strives to follow best practices when it comes to running a successful practice and using cybersecurity. He also realizes the cyberworld is always evolving and improving. Prior to the attack, he ranked the importance of cybersecurity a seven on a scale of 1–10. After the attack, Dr. Goodman has given cybersecurity protection an 11.
In fact, he emphatically stated, “I want to stress we put everything in place to counter a cyberattack. It’s like someone shooting on a goal and we stopped the shot. But stopping the shot was incredibly stressful, more than I ever imagined. The ransomware attack created two to three days where we had to work with limited access. It created stress for everyone in the office and added the need to follow up and notify patients. I can’t imagine what we would have done had we not had the cybersecurity measures in place. After the attack, we hired Black Talon to come in and do assessments. I implore dentists to ensure all their cybersecurity protocol is up to date and monitored by IT professionals.”
His advice to dentists is:
- Immediately have an IT consultant evaluate and check your current system.
- If you have IT in place, thank them for keeping you safe and sane.
- Be aware of your staff’s cyber behaviors. Educate your staff and hold cybersecurity drills.
The following pictorial guide highlights the process dental businesses should take to protect their data, with a brief explanation of each element (figure 1).
Best apps: Smart application platforms focus on HIPAA and encrypt the conversation. A simple Zoom meeting is not HIPAA compliant because you use an email address to log in, and that email address will be in Zoom’s audit log. The smart apps meet HIPAA compliance, whereas Microsoft Teams and Zoom do not. Therefore, dentists prefer to use the specific dental smart apps to avoid liability.
Overall policy: When it comes to protecting your data, a data policy is a necessity. Proper handling of office and patient data is critical, and HIPAA has strict guidelines. Having a data policy for your practice ensures your staff is more likely to consistently stay on top of protection protocols.
Passwords: Strong passwords are also important in protecting data. Multifactor authentication (MFA) is encouraged, as it ensures the true user is attempting to log in. MFA sends a code to your email or cell number for verification. Always opt to use MFA. Change passwords regularly. A good practice is to change passwords every three months and try not to use parts of the old password. Remember, it takes just one employee using a simple password for hackers to access your valuable data, steal it, and sell it on the dark web.
Managed security services providers (MSSPs): If you think your business is too small for an MSSP, think again. MSSPs help small and medium businesses. Think of it as a cafeteria insurance plan. MSSPs can provide enterprise security coverage and keep costs down by partnering with companies such as a security information and event management (SIEM) provider. For as little as 64 cents per seat per day, your business can be protected. There’s no need to employ an IT person on site. After all, a knowledgeable offsite IT analyst is monitoring your systems and notifying you of any high-risk alerts.
Guidelines for staff: Accessing the internet is a regular part of every office. Internet guidelines provide important rules for safe use of work devices. Employees should avoid checking personal email and conducting personal business on office equipment. The more sites visited, the more opportunities for a hacker to break in.
Inventory: Once an attack has happened, inventory lists are needed to quickly assess what gets shut down to prevent the virus from spreading. An inventory list is like an equipment audit log. It allows you to keep information on all equipment and software. This list is a great resource in case of a cyberattack, when you need a checklist to track equipment and know what should be isolated from the network.
Assessments: A security risk assessment should be performed annually by an IT expert to identify your business vulnerabilities in relation to cyberattacks. New equipment and software are added each year and the assessment will uncover any new vulnerabilities.
Encryption: HIPAA compliance is critical even when you are using teledentistry. Patient health information (PHI) in all electronic formats must comply with HIPAA. Smart devices such as laptops, tablets, and smartphones can transmit patient information. The platform used should be properly encrypted. You cannot use text messaging of PHI or use email platforms AOL, Yahoo mail, Hotmail, and Gmail, unless it is Google’s paid G Suite.
Teledentistry has been around for a while, but the pandemic catapulted health care into implementing mobile medicine at an unforeseen rate. A US survey reported 72% of people like using teledentistry during the pandemic, and many believe it is here to stay and grow. Using smart devices is convenient but can create vulnerabilities for cybercriminals to seize. Implementing good employee guidelines for internet use and an MSSP to provide firewall security, data encryption, server monitoring, and analysis will ensure your practice is well-protected.
Prevention is key to avoiding attacks. Fluency’s approach focuses on immediate results as an attack takes place and stands as a last resort to protecting a system when firewalls and antivirus software are penetrated. Dr. Goodman encourages dentists to learn from his ransomware attack and ensure they have up-to-date cybersecurity protection. Since health care is the leading target of cyberattacks, it is critical for practices to harness the expertise of MSSPs as well as the best possible cloud-based technologies for optimal protection.
Editor's note: This article appeared in the December 2021 print edition of Dental Economics.
References
1. Facts about teledentistry. American TeleDentistry Association. August 24, 2021. americanteledentistry.org/facts-about-teledentistry/
2. How virtual do we want our future to be? Explore Zoom. https://explore.zoom.us/docs/en-us/future-of-video-conferencing.html