Like other healthcare offices, dental practices are particularly vulnerable to various forms of cyber attacks and breaches, and should carry Cyber Risk Insurance (also called Data Breach, Privacy and Network Security insurance coverage). Dental practices are an opportune target for hackers because of a combination of factors:
- Information – Dental practices will have medical records, and may have credit card information as well. Medical records have a significantly higher value than other forms of data, running in the area of $10 per record, because the individual information is so comprehensive.
- Small size – Smaller organizations generally have less sophisticated IT security and training, leading to greater vulnerability, so criminals have increased their focus on smaller organizations (see here & here).
- Money – Healthcare organizations have money, which ultimately is what the criminals are after.
- Systems – Like many service organizations, a dental office runs on information. Because access to information is valuable, a healthcare organization can be an opportune target for ransomware because it cannot afford to be without its information.
- Third Parties – While many industries share data through vendor and client networks, healthcare is highly networked, so a breach at one entity may lead to a security incident at other entities. In healthcare, these other entities are contemplated in HIPAA, and are often Business Associates (a defined term, see here & here).
If there is any question whether a small to medium sized healthcare organization is a target, see our prior post here.
According to eSecurity Planet, a breach at an Oregon dental service company resulted in 151,000 patient records being accessed by a hacker (see here). The hacker gained access through an employee’s stolen user credentials.
As noted by KrebsOnSecurity, a mid-western dental practice was the victim of a $205,000 cyber crime attack (see here). The criminals used malware to grab the practice’s online banking user credentials, and then stripped money out of the account in eleven transfers. The bank denies responsibility because there was no breach of the bank’s systems – the practice had failed to protect its user credentials.
Many cyber criminals have moved beyond bank account takeover and on to social engineering fraud. Why go to the trouble of stealing money, they ask, when you can get the victim to send it to you instead? To date, healthcare has not been a primary target for social engineering fraud – probably because other industries offer easier deception opportunities. But social engineering fraud is an exposure for any organization with money (see here & here).
Ransomware, which is software that locks your data and demands payment (“extortion”) for a key to unlock it, is the most recent significant threat targeting healthcare specifically (see here). A California dental office was hit with a ransomware attack (see here), and a Georgia dental office was hit with a similar ransomware attack early in 2016 (see here). The most challenging issue is not paying the ransom; it is making sure the organization can continue to operate during and after the attack.
HIPAA violations can be expensive, as noted in our prior post on the HIPAA fine levied against a Texas pediatric hospital (see here). But the likelihood of HIPAA fines being levied on smaller practices is not clear at this point.
And even unusual attacks have the potential to be damaging. As noted in our prior post, malware was found on thumb drives distributed by a dental association. While thumb drives have, for the most part, gone out of favor because of the significant security threat they pose, the networking and interconnection of devices is a significant threat today.
As noted, a breach at a third party can lead to a security event for you if the third party has your information. For example, a dental practice management system had a breach caused by an unsafe configuration setting (see here & here), which exposed 22,000 records. Your own strong IT security will not protect against a breach at a third party. However, appropriately worded contracts, a vendor review process, and Cyber Risk Insurance all provide protection against third party breaches.
It is hard to say whether a data breach or other form of cyber attack will impact ongoing business, or could cause customers to move on. One survey indicates that a breach might have a material impact on whether patients stay with a doctor (see here):
- A majority of patients (54 percent) are “moderately” or “very likely” to change doctors as a result of a patient data breach.
- Patients are most likely to change doctors if their medical staff caused a data security breach, and least likely to change doctors if hackers were responsible.
Are there ways to prevent cyber risk attacks? Yes, and there are plenty of recommendations. The trick is implementation and employee training. Here are a few:
- Social Engineering Fraud – see here & here
- Assessment & Training – see here
- Hardware Protection – see here
- Ransomware – see here
- HIPAA Rule – see here
- Encryption – see here
In addition to strong IT security, Cyber Risk Insurance is an important financial protection against hacking attacks and employee errors. Coverages vary widely, but comprehensive Cyber Risk Insurance policy forms are available, and are inexpensive for dental practices.
Tennant Risk Services is a specialty wholesale broker and underwriting manager, and delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance (E&O, D&O, EPL, Cyber Risk, Specialty). Cyber Risk Insurance is our specialty.