Monthly Archives: December 2014

RANSOMWARE – CYBER SECURITY BREACHES IN DENTAL OFFICES: What You Must Know TODAY

Dental offices are now being hit with Ransomware (cyber blackmail). If you own or work in a dental practice, you need to know what Ransomware is, and the ramifications of this serious security breach.
Ransomware Trojans are a type of malware designed to extort money from a dental office. Typically, Ransomware demands a “ransom” payment in order to release the hijacked dental office software.

The hijacking of dental office software can include:

  • Encrypting data and software used by a dental practice (Eaglesoft or Dentrix) – so that the dental office can no longer access any patient information
  • Blocking normal access to the entire dental office software

How Ransomware Enters Dental Office Computers

The most common ways in which Ransomware is installed are:

  • Via phishing emails, or
  • As a result of visiting a website that contains a malicious program

After the Ransomware has infiltrated a particular computer or network, it leaves a ransom message on the computer screen that demands payment in Bitcoin in order to decrypt the files or restore the system to its normal function. In most cases, the ransom message will appear when the user restarts their computer after the entire infiltration has taken place.

In order to keep on top of the latest cyber security breaches, we have taken the initiative to consult with cyber security forensic experts, in order to assist our dental clients both before a breach occurs [for preventive measures] and after a breach occurs [to determine the extent of the damages].

If a dental office is infected with Ransomware, a practice could suffer a massive security breach, and be subject to huge HIPAA fines [$100.00 to $50,000.00 per violation, as well as $250,000.00 in criminal fines].

Practice Data Security Policy and Standards

Every employee needs to understand his or her obligation to protect patient data. Employees also need clear expectations about their behavior when interacting with sensitive patient data. For that to happen, every practice should have a data security policy. The policy should set out the rules and procedures that help safeguard employee, patient and third-party data, and other sensitive information.

The essential elements that form the foundation of a good privacy plan include:

Safeguard data privacy:

Employees must understand that your practice privacy policy is a pledge to your patients that the practice will protect confidential patient information.

Establish password management:

A password policy should be established for all employees or temporary workers who have access to confidential practice data.

Govern internet usage:

Most employees use the Internet without thinking about the potential consequences. Employee misuse of the Internet can place your practice in a costly position.

Manage email usage:

Many data breaches are the result of employee misuse of email, which can result in the loss or theft of data, and the accidental downloading of viruses or other malware.

Govern and manage practice-owned mobile devices:

When practices provide mobile devices for their employees to use, a formal process should be implemented to help ensure that mobile devices are secure and used appropriately.

Establish an approval process for employee-owned mobile devices:

With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to connect these devices to practice applications and infrastructure, so each employee-owned device should be approved before it is allowed to do so.

Govern social media:

A strong social media policy is crucial for any practice that seeks to use social networking to promote its activities and communicate with its patients.

Oversee software copyright and licensing:

Employees should not download or use software that has not been reviewed and approved by the practice manager or practice owner.

Report security incidents:

A procedure should be in place for employees to report suspected malware in the event it is inadvertently downloaded onto practice computers.