KDA Today
For Immediate Release
Date: Oct 22nd, 2018
Contact: Dr. Beverly Largent
Phone: 800-292-1855
Email: kda@kyda.org
Cybersecurity 101
Does the topic of cybersecurity interrupt your sleep? Have you given serious thought to the possibility of a cyberattack on your office records? If you think you are immune, pause and reconsider. Small businesses like dental offices suffer more than 40% of all attacks. The federal government estimates that there are more than 4,000 ransomware attacks per day in the United States. In 2016, cyberattacks increased 300% over the previous year. (1) Because dental records contain such a depth of information, and that information is so valuable, dental offices are at increased risk of attack.
The HIPAA Security Rule requires implementation of various security measures to protect personal information gathered in the dental office. Some of the required measures included in the HIPAA fact sheet are:
* Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information and implementing security measures to mitigate or remediate those identified risks;
* Implementing procedures to guard against and detect malicious software;
* Training users about malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
* Implementing access controls to limit access to electronic protected health information to only those persons or software programs requiring access. (1)
The cost of a cyberattack to a dental office can be devastating. Besides investigating the attack, recovering lost information can take up to two weeks, even with good backups, which could destroy the workflow and income of a small office. Every patient whose personal information has been stolen must be contacted in writing. Some sources place this cost at $1,000 per breach. (2) If found to be in violation of HIPAA rules regarding protected health information, the dentist could be liable for HIPAA fines from $100 to $50,000 per violation, as well as $250,000 in criminal fines. (3) The total cost of a cyberattack quickly adds up to a devastating financial loss for the dentist. The loss of personal reputation can be the greatest cost of all and can include personal lawsuits.
Know the Language
To fully grasp the implications and causes of a cyberattack, one must understand the language. Malware is an overarching term for malicious software used to breach a dental office's computer systems. It includes spyware, which can infect a system without the user's knowledge and gather information that is then sold on the dark web.
Another type of malware is ransomware, the most common attack to affect dental offices. Ransomware usually infects the dentist's system through e-mail. It can sit on the system for months without the user's knowledge. The full-blown attack occurs seemingly out of the blue: all the information on the system is encrypted, and a message appears on the screen stating that a ransom is due to obtain the key that unlocks the encryption. The ransom is usually demanded in a cryptocurrency such as Bitcoin. (Bitcoin is a cryptocurrency, a form of electronic cash. It is a decentralized digital currency without a central bank or single administrator that can be sent from user to user on the peer-to-peer bitcoin network without the need for intermediaries. Wikipedia) Ransomware is popular in part because of the value of patient data to identity thieves. Dentists are often lured into paying the ransom by their need to resume day-to-day activities. As can be expected, ransomware is evolving, and some newer types break into the office's IT support system.
Other terms include phishing, pharming, vishing and smishing. Phishing has been known for some time: a seemingly innocent e-mail lures the reader into believing it comes from a safe source (the bait), and the reader is then hooked, most often by opening an attachment. Pharming, much like phishing, implants malicious code in a system; the code redirects your activity to another website without your consent or knowledge. Vishing is like phishing but occurs over a phone call. The caller usually pretends to be someone else, perhaps someone from the dentist's software company offering an update. Callers are sophisticated and can often enter your software system with your consent. Smishing uses text messages to gain information. A smishing message usually contains a URL or phone number that the recipient is told to contact immediately. (4)
Protected Health Information guidelines come from the United States Department of Health and Human Services' Office for Civil Rights. The Office for Civil Rights enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect the fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy at covered entities. (5)
While knowledge of the malware that can corrupt an office system may feel overwhelming, dentists do have preventive measures at their disposal that can prevent an attack or at least keep them in compliance with the HIPAA Regulations.
Top Ten Cybersecurity Tips (7)
The first line of defense for the dental office is antivirus software. Every computer in the dental office should have HIPAA-compliant, enterprise-level antivirus software installed and monitored. Under the HIPAA rule, antivirus software is addressable, not required; the standard is that you have a method for detecting and reporting malicious software. Antivirus software is the most reasonable method for this and is best addressed with the office's IT support. Free antivirus software may or may not offer reporting of malicious software. If a third party (an IT company separate from the dental office) enters into the antivirus protection plan, a Business Associate Agreement is required. There is very little argument against having high-quality antivirus software installed on all office computers. Enterprise-level antivirus software is made to handle multiple computers, and ransomware-specific antivirus protection systems are now available. It is a HIPAA requirement that systems be updated on a regular basis; this is called "patch management."
A firewall is software that enforces a predetermined set of rules about what is allowed to enter or leave a network. Like the physical barrier that limits the damage of a fire, a virtual firewall limits the damage from a malware attack. A firewall can be built into networking equipment or purchased as a standalone system. There are numerous types of firewalls, and the best choice for a dental office can be determined with IT assistance.
Encryption of data is an important part of cybersecurity. Encryption changes sensitive information into an unreadable state that can be accessed only with a "key." Dental software may have built-in encryption for data at rest and data in motion. Computers that run Microsoft Windows 7 Ultimate, Windows 8 Professional, Windows 10, Server 2008, Server 2012, or Server 2016 have a program called BitLocker that comes preinstalled with the operating system. (6)
Wi-Fi networks should be secure and hidden. To hide a Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router. (7)
Dental offices should establish policies and security practices for employees to protect sensitive information. These policies should be clearly outlined, and employees should be held accountable. Examples of such policies include each employee having his or her own password and not allowing employees to access private e-mail accounts from the office computer network. Most data breaches occur when staff members do not follow procedures or exercise poor judgment. It is imperative that computers holding ePHI are locked with strong passwords. Laptops should be secured so that theft is unlikely, and computer screens should be positioned so they cannot be viewed by patients.
Dental staff members should be educated about cyberthreats and held accountable. In July 2017, the Office for Civil Rights released guidance on training employees in cybersecurity. In part, the release states, "Training on data security for workforce is not only essential for protecting an organization against cyberattacks, it is also required by the HIPAA Security Rule." The Office for Civil Rights release includes recommendations on what health providers should consider:
* How often to train workforce members on security issues. Many entities have determined that biannual training and monthly security updates are necessary, given their risk analyses.
* Using security updates and reminders to quickly communicate new and emerging threats.
* What type of training to provide, whether computer-based, classroom training, monthly newsletters, posters, e-mail alerts or team discussions. The Office for Civil Rights offers training resources at hhs.gov.
* How to document training.
Strong passwords that are changed often are important to cybersecurity. Consider multifactor authentication, which requires additional information beyond a password.
Be certain that best practices are used for credit card payments. Contact the bank or the credit card processor to make sure the latest anti-fraud systems are in use. Do not use the same computer to process payments that is used to surf the internet.
It is of utmost importance that data is backed up on a timely basis. Copies of data should be stored off site or in the cloud. Encrypted backups add another layer of security. To be effective, all backup copies of data must be verified. Some sources recommend two backup plans: one in the cloud and one local. A signed Business Associate Agreement with the backup provider is necessary to be HIPAA compliant.
Prevent unauthorized access to or use of business computers by controlling physical access to computers and network components. Laptops and iPad-type devices are easily stolen, so protect them with encryption and locks. Again, strong passwords are necessary.
Dental offices with mobile devices should have a mobile device action plan. These devices can be lost or stolen, so encryption of the data is necessary. Security apps on these devices can protect information when these devices are on public networks. There should be a lost or stolen reporting policy in place for all mobile devices.
Do not overlook public-facing web pages. These pages are exposed to cyberattack and should be secured.
Know the Law
HIPAA requires that you perform a formal risk assessment and develop a risk management plan. Evaluate the firewalls, anti-malware software, and backup and disaster recovery systems in place, as well as your system for patching your software. Breaches of ePHI must be reported to the Office for Civil Rights. If any electronic protected health information is stolen, this must be reported to the individuals affected and to the local news media.
“Security incident procedures, including procedures for responding to and reporting security incidents are also required by HIPAA. An entity’s security incident procedures should prepare it to respond to various types of security incidents, including ransomware attacks. Robust security incident procedures for responding to a ransomware attack should include processes to:
* Detect and conduct an initial analysis of the ransomware;
* Contain the impact and propagation of the ransomware;
* Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
* Recover from the ransomware attack by restoring data lost during the attack and returning to ‘business as usual’ operations; and
* Conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.” (1)
Resources
The American Dental Association provides a step-by-step HIPAA compliance program called the ADA Complete HIPAA Compliance Kit (J598), which can be ordered online at ADACatalog.org. The HIPAA web site has the entire rule, although it is difficult to interpret.
The Kentucky Dental Association has joined with PCIHIPAA to help protect practices. It offers HIPAA compliance and patient data protection.
PCIHIPAA is offering Dental Association members the following:
* A complimentary 2018 HIPAA risk assessment (now mandatory) at http://www.pcihipaa.com/Kentucky
* A 23-page Risk Analysis Report
* Free 30-minute HIPAA Risk Consultation
* One year of free Identity Restoration Protection with OfficeSafe
* A free HIPAA Checklist at https://pcihipaa.com/kentucky/
The company also offers a $250,000 Data Breach and Network Security Policy and can be reached at (800) 588-0254. See their article in the July/August issue of KDA TODAY online at http://publications.virtualpaper.com/kdatoday/986997/#1/
The Kentucky Dental Association has also joined with Commonwealth Technology to help protect practices. It offers IT services and security, HIPAA compliance and patient data protection, and backup and disaster recovery.
Commonwealth Technology offers:
* 24/7 proactive computer and network monitoring
* Unlimited remote and on-site technical support
* Average one-hour response time
* Competitive rates
* Monthly Online Tech Tips & Tricks; view them on YouTube at https://www.youtube.com/playlist?list=PLqyutVzr5Dvw6E-sqWPXug8wMDswfwTiT
Contact them at 859-817-2070 or http://www.commonwealthtechnology.com/kda
References
1. HIPAA Fact Sheet: Ransomware and HIPAA; https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
2. Krehel, Ondrej; Cyber Security: A Rising Threat for Dental Offices; Dentists' Quarterly, December 2016; https://lifars.com/wp-content/uploads/2016/12/NYCDS-DQ-Winter-2016-Cyber-Security.pdf
3. Oberman, Stuart J.; Ransomware: Cyber Security Breaches in Dental Offices. What You Must Know TODAY; GAGD Explorer, Spring 2015; https://georgiaagd.wordpress.com/2015/05/02/ransomware-cyber-security-breaches-in-dental-offices-what-you-must-know-today/; posted May 2, 2015; accessed September 3, 2018
4. Everitt, Kathy; Could Your Cyber Security Be at Risk?; Professional Solutions Insurance Company; https://www.psicinsurance.com/posts-articles/dentists/office-staff/could-your-cyber-security-be-at-risk.aspx; posted February 7, 2017
5. U.S. Department of Health and Human Services, Office for Civil Rights; https://www.hhs.gov/ocr/index.html; accessed September 15, 2018
6. Cybersecurity Needs in Dentistry; Dentistry Today; http://www.dentistrytoday.com/viewpoint/10445-cybersecurity-needs-in-dentistry; posted June 1, 2018; accessed September 7, 2018
7. U.S. Small Business Administration, Top Ten Cybersecurity Tips; https://www.sba.gov/managing-business/cybersecurity/top-ten-cybersecurity-tips