Is your office aware of ransomware? Do you know the damage it can and does cause to your workflow and to the safety of your patients' data? Steve White from Rescue DDS and I had a great conversation about how this sneaky process can attack your dental practice and take your Dentrix software and patient data hostage.
We read about the impact ransomware attacks have had on gas pipelines and the distribution of beef, but what you don't read in the papers or hear on the nightly news is that healthcare has been the number one industry hit by ransomware since 2019. Ransomware is hitting dental practices right along with the rest of healthcare.
Ransomware is the number one threat to the security of your patient data, the number one cause of dental network downtime, and the number one reason a dental office reports a major HIPAA data breach.
Ransomware by the numbers:
- 2019 Healthcare became the #1 industry hit by ransomware
- 2020 the number of successful ransomware attacks on Healthcare more than doubled
- Ransomware is the #1 reason for dental networks to go down
- 55% of reported dental breaches are due to ransomware attacks
How are Ransomware attacks launched?
- 91% of all ransomware attacks in healthcare start with a spoofed email that appears to come from a company, office, or individual you trust, for example your bank, FedEx, Amazon Prime, a referring office, or a trusted patient. In each case the spoofed email presents a very motivating reason to click a link or download a file. Once the link is clicked or the file is opened, the ransomware launches and encrypts key server files (practice management software data, image files, Microsoft Office documents, etc.) and leaves them encrypted until a ransom is paid. The ransom must be paid in cryptocurrency and has been running from a low of $5,000 to over $10,000 per attack.
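The tell-tale signs described above (a trusted brand in the display name but an unrelated sending domain, a Reply-To that points elsewhere, a link whose visible text names one site while the href goes to another, and an attachment type that runs code when opened) can be checked mechanically before anyone at the front desk clicks. The script below is an added example, not code from the original post or from Rescue DDS; the brand-to-domain table, the attachment-extension list and the three sample messages are constructed assumptions for the demo, and the domain matching is deliberately crude (no public-suffix list).

```python
"""Triage constructed phishing-style emails for the warning signs named in the text.

Added illustration, not code from the original post or from Rescue DDS. The
brand table, extension list and sample messages below are assumptions for the demo.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Brands the office expects mail from, mapped to the domains that brand really sends from.
# Assumption: a real deployment would maintain this allow-list from the office's own contacts.
TRUSTED_SENDERS = {"fedex": {"fedex.com"}, "amazon": {"amazon.com"}}

# Attachment types that execute or carry macros when opened (assumed list for the demo).
EXECUTABLE_EXTS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm", ".zip"}

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"([a-z0-9-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Crude 'example.com' from 'a.b.example.com'; good enough here, no public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(addr_header: str) -> str:
    """Registrable domain of the address in a From:/Reply-To: header, or '' if none."""
    _, addr = email.utils.parseaddr(addr_header)
    return registrable(addr.split("@")[-1]) if "@" in addr else ""


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one raw RFC 822 message; empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = msg.get("From", "")
    display_name, _ = email.utils.parseaddr(from_hdr)
    from_dom = sender_domain(from_hdr)

    # 1. Display name borrows a trusted brand, but the message was not sent from that brand's domain.
    for brand, domains in TRUSTED_SENDERS.items():
        if brand in display_name.lower() and from_dom not in domains:
            findings.append(f"display name '{display_name}' claims {brand} but sender domain is {from_dom}")

    # 2. Replies would go somewhere other than the visible sender.
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Link text shows one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in HREF_RE.findall(text):
        href_dom = registrable(urlparse(href).hostname or "")
        m = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", anchor))
        if m and registrable(m.group(1)) != href_dom:
            findings.append(f"link text shows {m.group(1)} but href goes to {href_dom}")

    # 4. Attachments of a type that runs code when opened.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in EXECUTABLE_EXTS):
            findings.append(f"executable-style attachment {name}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """From: FedEx Delivery <notice@fedex-tracking-update.biz>
Reply-To: FedEx <claims@mail-relay.example>
To: frontdesk@example-dental.test
Subject: Action required: package on hold
Content-Type: text/html; charset="utf-8"

<p>Your package could not be delivered. <a href="http://fedex-tracking-update.biz/login">fedex.com/track</a></p>
"""

SAMPLE_LEGIT = """From: FedEx <tracking@fedex.com>
To: frontdesk@example-dental.test
Subject: Your shipment is on the way
Content-Type: text/html; charset="utf-8"

<p>Track it at <a href="https://www.fedex.com/track">fedex.com/track</a></p>
"""

SAMPLE_ATTACH = """From: Referring Office <frontdesk@example-referral.test>
To: frontdesk@example-dental.test
Subject: Patient records
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached records.
--b1
Content-Type: application/octet-stream; name="records.zip"
Content-Disposition: attachment; filename="records.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT), ("attachment", SAMPLE_ATTACH)):
        print(label, triage(sample))
```

Run against the samples, the spoofed FedEx message produces three findings (brand/domain mismatch, divergent Reply-To, mismatched link), the genuine FedEx message produces none, and the "referring office" message is flagged only for its .zip attachment. None of these checks replaces mail-gateway filtering or staff training, but together they catch the specific tricks the text describes, and the output is something a front-desk user can read.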
How does an office defend against a Ransomware attack?
- The best first step is a proper, enterprise-level HIPAA Risk Assessment run by a third party. A proper assessment does a deep dive into the office network, establishes what security you presently have, and identifies where security is lacking and needs to be improved.
- Done properly, this meets the HIPAA requirement for a risk assessment, which needs to be repeated every 12 months. According to the HHS Office for Civil Rights (OCR), the lack of a proper risk assessment is the single largest deficiency found in audits.
- From the assessment, a Management Plan is developed describing how to become HIPAA compliant and achieve sound cybersecurity.
- The Management Plan needs to address all of the steps in a layered approach to securing your data. Keep in mind that no single step can ensure your office is secure from attack.