Webinar Recap: Ransomware – Protecting Your Dental Practice from Attack

Ransomware attacks are up 300% and hackers aren’t playing around. They’re demanding tens of thousands of dollars from dentists and dumping patient data on the black market.

You can prevent it, safeguard your data, and easily restore your data with the right protections and a current valid backup. In Ransomware: Protecting Your Dental Practice from Attack, Neel Kothari of Practice-Web, along with John Zanazzi of Dental HIPAA & IT, walk you through the basics. Read the recap here for a high-level overview or watch the full webinar to learn:

• The risks of ransomware and how hackers get in.
• How to secure systems to prevent ransomware attacks.
• Best practices for data backups and how to perform backups in Practice-Web to prevent data loss and quickly restore.

Please note this content is for general information only. We recommend that you work with an IT professional to create a custom solution for your office. If you have legal questions, consult an attorney.

Resources from the Ransomware Webinar

Resources mentioned in the webinar are listed below.

General Resources

• Renew Practice-Web Support
• Get a free Practice-Web Demo
• Contact Practice-Web Support
• Learn more about John Zanazzi and Dental HIPAA & IT

Security Resources

• Microsoft Windows Defender
• Untangle Firewall
• How to Upgrade Practice-Web (video tutorial)
• Practice-Web User Security and Permissions (video tutorial)

Backups Resources

• Database Backups (Help Guide)
• Database Backups (video tutorial)
• Carbonite Cloud Backups
• Disaster Recovery Audit (free downloadable worksheet)

Risks of Ransomware to Your Dental Practice

Hackers steal or encrypt practice data and demand payment to return it, often expecting tens of thousands of dollars. They sell patient data on the black market and destroy it too.

• Healthcare data breaches are very common.
• There are 84% more breaches so far this year compared to this point last year.
• The OCR has reports of more than 400 breaches this year impacting over 28 million patients.
• Hacking incidents account for the largest share of breaches and are growing in frequency.
• Dental practices have seen a 127% rise in data breaches compared to two years ago.
• Hacking used to account for around one-third of these breaches but now accounts for around three-quarters.
• There are 4,000 ransomware attacks daily, a 300% year-on-year increase.
• Ransomware attacks impact all dentists, from large clinics to solo general dentists.

You have an obligation under HIPAA guidelines to report breaches/ hacking incidents to the OCR and provide any patients whose data may have been compromised with details about the attack. The OCR will also publish your practice info online with details about the attack. In addition to anything the hacker does, you may be subject to fines and penalties.

You (the practice owner) are ultimately the one responsible for your data security. Even if you have an IT person managing it, don’t assume you’re protected and have backups. Unless you have a written agreement with them and you’re personally checking to see that they’re following through, they may not be.

Many dental practices do not recover after a ransomware attack due to financial and reputation losses.

How Ransomware Works and Hackers Get In

1. The hacker gains access to your system. This is usually done through:
   • Phishing emails (posing as another entity to get someone on your team to click a link).
   • Impersonation (pretending to be someone who needs access to your system, such as your IT person, and convincing you to allow a remote access session).
   • Downloads (files you download online).
   • Unsecure practice wi-fi (allowing anyone to use your wi-fi; always have a separate network if you offer free wi-fi to your patients).
   • Brute force (hacking tools that crack passwords).
2. The hacker installs malware. Either manually or through automated means, a malicious program is installed on your computer.
3. The malware goes to work. Hackers usually use one of these approaches:
   • Completely locking you out of your system/ blocking access.
   • Copying your data to their server and deleting it from yours.
   • Leaving your data on your system, but encrypting it so you can’t use it.
4. You’re instructed to pay the hacker. Oftentimes, this is done through a pop-up that tells you that you’ve been hacked and how to pay, though they sometimes use other methods.
5. You decide whether to pay or not pay.
   • If you don’t pay:
     • The hacker usually sells your patient data on the black market.
   • If you do pay:
     • The hacker may demand more money or destroy/ sell your data anyway.
     • The hacker will sometimes provide a solution, such as giving you the encryption key to unlock your data. In these cases, you can lose a day, a week, or more unencrypting your data.
     • The hacker almost always leaves themself a back door into your data, so they can return and demand more money later.

Securing Your Systems

• Antivirus and Firewall: Your best line of ransomware defense is to keep the hacker out with a quality antivirus program and firewall.
• Backups: You must have a recent “clean” backup to restore from, so you can get your data back without the hacker’s help if one manages to get in anyway.
• Security Officer: Your practice must have a dedicated security officer who is personally responsible for your security. This is usually the office manager.
• Continuity: You must have a written continuity plan for how your practice will address issues if they happen. You can use a Disaster Recovery Audit like the one we provided to identify weak points and create your plan.
• Training: Teach your team about data security and how to prevent issues.
• Updates: Ensure your firmware, hardware, and software is always up to date. Oftentimes, updates come with security patches that eliminate vulnerabilities hackers might otherwise exploit.
• Set Security User Access Limits in Practice-Web: Ensure all system users have strong passwords and that people can only access the data required to do their jobs.
• Use Audit Trails in Practice-Web: The Audit Log will help you identify suspicious activity.
• Spam Filters: Set up strong filtering in your email program to prevent phishing emails from getting through– just be sure to add businesses you work with (like Practice-Web) to your contacts or safe senders list to ensure important messages get through.
• Workstations: Don’t forget to protect your workstations in addition to your server.

Use Firewalls and an Antivirus to Keep Hackers/ Ransomware Out

Antivirus

An antivirus program will help you:

• Detect, block, quarantine, and remove viruses, malware, and ransomware.
• Block phishing and fraud.
• Warn you about dangerous websites and links.

We recommend Windows Defender because it usually “plays nice” with other programs/ doesn’t block programs that it shouldn’t and is free.

Firewall

A firewall creates a “moat” around your practice, stopping malicious communication from going in or out. John Zanazzi, the IT pro on the webinar, recommends Untangle. As an IT pro that focuses on dental, he’s using it in multiple offices.

Backing Up Your Patient Data to Ensure You Have Good Restore

Backups

Remember, you can only restore data you’ve backed up. That means if you haven’t backed up in six months, you’ll lose six months of data if you need to restore. If you haven’t backed up in a week, you will lose a week of data. For this reason, you must back up all your data at least daily. Some practices also do minor backups (backups without images) throughout the day.

• Thumb Drives: Thumb drives are good for storing minor amounts of data, like your mid-day backups. If you use thumb drives, ensure yours has encryption, otherwise, anyone who finds your thumb drive has access to your data.
• External Hard Drives: If you’re backing up data in-office, external hard drives are a good option. Use at least two and rotate between them. That way, you can restore to an older backup if the newer one is impacted by malware or corrupted.
• Cloud Backups: Cloud backups are often the best solution because they can be automated and often come with a guarantee. Many companies offer cloud backups and storage. Be sure to choose a HIPAA-compliant option. Carbonite is one possible solution. John Zanazzi also offers a backup and restore program for dentists.

Restoring

Test your backups periodically to ensure you’re getting good, clean backups. You’ll do this by using the restore option in Practice-Web (see video above) to restore the backed-up data to a system and checking to see if everything imports correctly.

Get Help Securing Your Systems and Protecting Your Practice from Ransomware

Our team is happy to train you on the Practice-Web features outlined here and help you get them set up. If you’re not already signed up for Support, renew here first. Get contact info or open a ticket on our Support page.

Not using Practice-Web yet? These features are only the tip of the iceberg. Our software is loaded with features and tools to help your office run more efficiently, boost production, and increase profit. Request a free demo to learn more.

If you’d like a complimentary consultation with John Zanazzi, get in touch with him at DentalHIPAAIT.com.