
I’ve Been Hacked! Five Steps to Prepare for and Prevent a Cyber Attack

Today’s hackers are smarter and trickier than ever. That’s why we spoke with Amy Wood, CEO of Copper Penny Consulting, who provided us with best practices for cyber security.

Dental Intelligence | October 31, 2022

Predictable Failures

It’s 7:30 a.m. You’ve arrived at the office with coffee in one hand and your keys in the other. You sit down at your computer, check your email, and see someone has responded about a recent job opening with their resume attached. You open the resume and then all your computers slow down. It’s a ransomware attack.

A pop-up message appears stating that your data is being held hostage and requests you pay these hackers with cryptocurrency soon. Meanwhile, the hackers have already copied your data and are selling it on the dark web.

Today’s hackers are smarter and trickier than ever. They can disguise an extremely destructive virus, one that can corrupt your practice in moments, as a seemingly innocent email.

Whether it’s a power outage, a ransomware attack, or internal mishandling of PHI, you are likely to face at least one major cyber security risk or data breach during your practice’s lifetime.

We spoke with Amy Wood, CEO of Copper Penny Consulting, who provided us with best practices for cyber security. She dedicates her time to educating dental professionals on HIPAA compliance and mitigating cyber risks.

She shared with us five components of how to prepare for when cyber issues do happen: Identify, Protect, Detect, Respond, and Recover.

“If you can create a plan with those five components, it will be easier to break down into tasks that can easily be implemented over time,” Wood says.

1. Identify vulnerabilities

Before you can start making your practice secure, you need to know where potential weaknesses lie. Wood recommends a risk analysis to pinpoint vulnerabilities.

“At this point in time, you shouldn’t be completing a risk analysis yourself,” she says. “It's a lot more complicated than it used to be.”

Wood suggests finding an independent third party to evaluate vulnerabilities.

“Too often, I’ve seen an IT provider do their own evaluations and not understand what they should be looking for, just to make themselves look amazing for job security,” Wood says. “The goal should never be to make anyone look bad, but rather, to find vulnerabilities with the goal of minimizing overall risk.”

2. Protect all of your assets

Nowadays, there’s a lot more that goes into protecting and securing your practice’s data.

“Having antivirus and backups alone is no longer sufficient,” Wood explains. “Think of this as the standard of care for your data. You know that standards change over time with how you treat patients. It’s the same with data security.”

The top priorities Wood encourages you to focus on are antivirus, patching, firewall, backups, passwords, Wi-Fi, and encryption.

“Confusion about this topic has been persistent with dental professionals for decades, because, to be frank, it is confusing,” Wood explains. “The technology itself is complicated and the people that understand it don’t know how to explain it in layman’s terms, so it's no wonder data breaches and security incidents persist.”  

So let’s break down these seven terms:

Antivirus

Antivirus software is designed to prevent viruses from entering your computer and network system. Wood suggests a business-grade antivirus that is updated, monitored, and documented.

Patching

Patching refers to a set of changes to a computer program designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs. Wood recommends watching for operating system updates and internet program patches and completing those updates.

Firewall 

A firewall is a collection of security measures designed to prevent unauthorized electronic access to a computer and network. Wood describes it as an armed security guard with explicit instructions on who can and cannot enter.

Backups

Backups are devices used as a safety net to store a copy of your data. Wood suggests monitoring and testing your backups regularly. “The current recommendation on backups to address current failures and threats is ‘3-2-1.’ Three kinds of backups, done in two different ways, with one of them offline.”

Passwords

Although they may be annoying, passwords are vital to protecting your practice. Wood says you should utilize password managers to store and help create safe passwords. She also suggests using different passwords at work than for personal use.

Wi-Fi

Wood teaches that Wi-Fi can be separated into segments on your network. “Not everything can or should be connected to the healthcare network,” Wood says. “Isolating devices such as burglar and surveillance systems, audio speakers, and even a Wi-Fi login for team members, will help to limit exposure to hacking.”

Encryption 

Encryption is the process of encoding or converting a message so it can be read only by the sender and the intended recipient. Wood says that encryption is usually easy to do and free. “Servers, backups, email, and mobile devices should all be encrypted. I also recommend setting up multi-factor authentication for bank accounts, social media accounts, and email accounts,” Wood says.

3. Detect anomalies

“Detecting anomalies is really difficult to do, especially in the dental space,” Wood says. “It is best done by an IT provider that offers this service or an outside party that checks for inconsistencies.”

4. Make a response plan

Wood calls cyber and technical incidents “predictable failures.”

“You're not going to stop everything, but you can make a plan for putting a bubble around how bad it will be,” she says. “That way it's a minor inconvenience, not a major catastrophe.”

Making an incident response plan is important for planning for these predictable failures.

“This plan should be discussed in great depth with your IT provider to ensure you have the current standard of care,” Wood says.

5. Practice how you will recover

As a dental professional, you know better than anyone that practice really does make perfect. If you've been practicing for 20 years, a filling probably takes you less than half the time it did when you were fresh out of dental school. The same is true for technical emergencies.

“If you are prone to power and internet outages, practice,” Wood says. “If you deal with floods or hurricanes, practice.”

When practicing for these predictable failures, know your top priorities. Wood suggests having answers to the following questions:

Prepare now!

“You have to know that it's not the end of the world if a technical emergency happens,” Wood says.

Wood emphasizes the importance of finding an IT provider that will help protect you.

“Trust your IT provider and build a relationship with them and their company. Know that they are experts in the technical side of things.”

Amy Wood teaches and consults with dental professionals, both by building robust proactive compliance programs as well as reactive data breach mitigation. To learn more about how she can help your practice, check out her website here. Watch our episode with Amy Wood on our podcast Growth in Dentistry here.
