Once the ransomware is deployed, a ransom note appears on the screen saying, “We’re the ABC ransomware gang. We’ve hacked your system. Go to this dark web website to chat with us and we’ll tell you how to get your system back online.” It takes about 3 days for a cybersecurity company to scour the network and figure out how bad the event was. They determine if it was localized to a couple machines and a couple servers, or if it’s systemic and 100% of all computers and servers are impacted.

For some of the DSOs hit recently, every location, either regionally or nationally, was taken down. Some DSOs do not have connected networks, but the mid-size to large DSOs typically do.

So, for the first couple of days, we’re collecting forensics data to determine if the attack is a reportable event, meaning that the State Attorney Generals of the states involved, or the Office for Civil Rights, which is the enforcement branch of Health & Human Services that oversees HIPAA, must be notified.

We put together a corrective action plan, which is telling the government the problem and all the things we’re doing to prevent this from happening again. The DSO will then undergo a full investigation, which can take a few months or up to a year and a half. The government will determine whether the DSO was doing what is necessary to comply with the laws to protect patient data or if they were negligent. From a compliance perspective, the ransomware attack is bad enough, but the aftermath from a legal perspective could be a total nightmare.

Meanwhile, the cyber company initiates negotiations with the hackers. They tell us their demands, how much they want, and how they will return the “keys” to unlock your encrypted data. Then a crypto payment must be made; most hackers are paid in Bitcoin. Either the DSO or the insurance company pays the cyber company the ransom, which is then transmitted to the hackers. When the hackers receive it, that triggers the destruction of the data and the release of the keys to unlock the data on the network.

Then, we start rebuilding the network and servers, reinstalling software, and getting systems back online. The bigger you are, the bigger the pain. A small dental group with 10 computers might take a couple of days. For a large DSO with hundreds or thousands of computers that need to be rebuilt, it’s a daunting task. Some DSOs are down for 3 or 4 weeks, because the number of resources required to rebuild these networks and the infrastructure is overwhelming. On average, most healthcare entities are down for a minimum of 10 days—and literally unable to do anything. They can’t access x-rays, do billing or scheduling, or run reports. Many of them can’t even do payroll. Sometimes their phone systems are down. These strikes can be very systemic—think about how interconnected all these systems are.

One of the worst things is that patients keep flowing through the doors because you can’t access your appointment book to see who to cancel. You may have 60 or 70 patients scheduled per day, or thousands, if you’re larger. You also can’t schedule patients who are calling because the system is down. Imagine thousands of patients every day trying to come in for treatment and nothing works.

CareCredit is Financing Simplified Revolving line of credit patients can use for their ongoing care needs.   Stable - 35+ years in healthcare financing. Strong - 12.7+ million total open accounts & $40B total available credit of all cardholders.  It’s financing simplified.

DSOPro: What can be done to protect a DSO from this happening?

Most of our work is on the prevention side—but it’s not as simple as just installing some software tools and hoping it catches any hacking attempts. Black Talon secures about 34,000 devices in the dental space. We focus on two primary areas, which we define as offensive and defensive capabilities. Hackers typically break into networks by tricking people into giving them access. It’s known as “social engineering,” using phishing, spear phishing, phone calls, and text messages to get people to give up information. Team members may click on links that download malicious code right into the system that executes a ransomware attack. Staff may fall for an email telling them to punch in their username and password to authenticate access to their email or reset their password. And of course, the first question is, what is your current password? Responding to a phishing email may give complete access to the computer or to their email account, and now the hacker masquerades as them and has access to the PMS, digital imaging, email, accounting, payroll, finance, etc. They can cause a tremendous amount of damage in a short amount of time because they have full access to whatever that person had access to.

We address the social engineering component through cybersecurity awareness training, which is actually required under HIPAA. You must train your doctors and teams on various cyberthreats so they can identify phishing and spear phishing emails.

Spear phishing is targeted attacks against individuals. Often hackers go to social media platforms and look up the key individuals within the DSO organization and go after the CEO, CFO, or CTO. They craft and send very creative emails and hope they’re going to click on a malicious link to download a payload or fall for the “give me your username and password” trick. The hackers know these individuals have access to highly valuable information or administrative access to the network. Once a hacker gets administrative access to a network, it’s game over. They’re going to get everything.

Spear phishing can also appear to have come through internally. A hacker could gain access to the CEO’s email and send an email to the CFO saying, “I need you to wire $2.5 million for this new acquisition. Here’s the routing number, the bank name, and the bank account number.” Then the CFO thinks it came from the CEO, has heard they are closing on a big deal, and executes a $2.5 million wire to the hackers. Or they target the CTO—who they know probably has access to all the systems—to gain access to his or her account, which then provides them with a conduit to the entire environment. These types of attacks are extremely common and relatively easy to execute.

Phishing is kind of “spray and pray,” meaning hackers get thousands or even millions of email addresses and send out a more general type of message. But people are becoming smart about that, and hackers realize it’s not as effective as it used to be. Although, now threat actors are using AI to quickly craft phishing attempts that are worded more as a native English speaker would write and with a higher sophistication in the aesthetics of the email, making it more believable for targets to think it’s legitimate.  

It is important to send out simulated phishing emails that test the employees’ resilience, to see if they are still clicking on things they shouldn’t be. Simulated phishing emails appear to be legit. The cyber company can detect whether an employee clicked on a link or did something they’re not supposed to. If they did, they get retrained on the mistake they made.

Discover a great ROI with glidewell.io™ After just four months of ownership, offices delivering same-visit BruxZir® crowns with the glidewell.io™ In-Office Solution reported monthly savings of 65% or more. How much could you be saving?

Our training platform is a learning management system. The employees and doctors watch training videos and take tests afterward. The platform periodically sends them reminders to redo their training. We’re also constantly sending out security bulletins and alerts. The DSO has the ability to self-monitor as well. The HR compliance department will want to ensure all employees have done everything they need to do for compliance.

DSOPro: Explain why cyber security can no longer be viewed as just an IT issue, but as a compliance and operational issue.

The cybercrime industry is a $1.5 trillion dollar industry. Unfortunately, the level of software development, strategy, and organization that exists is astounding and promises to evolve rapidly. Just as restorative dentists require the expertise of a dental specialist to treat patients, IT resources require the expertise of a cybersecurity specialist to protect the DSO against modern cyberthreats.

I think that’s a big challenge for DSOs, especially the small and medium ones. When DSOs are hit with ransomware or their email accounts are compromised, their executives often thought their IT resources had this under control. It is a mistake to solely rely on either internal or external IT resources to provide cybersecurity. Often, they don’t understand the regulations around compliance or the advanced types of cyberthreats that DSOs are being impacted with.

Part of a multi-layered security approach is knowing where you’re vulnerable. Adding antivirus software or AI threat detection into your network is a defensive measure, meaning hopefully it’s going to react when something bad is happening. But some hackers can definitely bypass that technology.

A security risk assessment is part of being HIPAA-compliant. It’s required under the law. Offense is simulating attacks against the network through penetration testing and scanning the computers every 4 hours looking for vulnerabilities or a defect hackers can find, exploit, and use to gain access to the network and data.

The technology we’re now using in DSOs tells us what the problem is, what the impact is, and then we fix it for you. Our technology can go to Google, pull down the fix for that vulnerability, and repair that vulnerability autonomously. Think of it as a self-healing network.

We are one of the few companies in the world doing this autonomous remediation and can go from vulnerability identification to fix within minutes or hours. Hackers are taking, on average, 10 days to exploit a vulnerability and break in. So being able to do this in near real-time is extremely powerful and should be part of every DSO’s strategy. I think the very large DSOs get it—and they likely have a cybersecurity strategy in place. I’d argue that a lot of small to mid-level DSOs either don’t have a strategy or they think they do but it will likely fail to protect them when it matters most.

It is critical to consider executive and board level accountability. When a DSO is breached, the CEO, C-suite, and/or the board are ultimately responsible. The executive team needs clear visibility into what their security risk is to make business decisions on how to address it. Not being cyber security aware is a big problem across all industries, not just in the dental space.

SPONSORED

Get your Philips Sonicare trial offer For over 30 years, Sonicare has been innovating new solutions to transform patients’ oral care. Now’s your opportunity to experience it for yourself. Contact Philips for trial offers on your own Sonicare power toothbrush and Power Flosser.

DSOPro: Does a cyberattack impact the dental team as well?   

In almost every ransomware attack, the doctors and the team are also personally impacted because the HR files, which include banking information, are on the network. Dealing with the fallout of that as well is a huge stressor for the practice owners. Now they must tell their employees their personally identifiable information is completely compromised, and they could be the victim of identity theft.

DSOPro: Any additional advice or trends?

I’m seeing more DSOs adopt the concept of “trust but verify” and the true importance of having an independent cyber company monitor security across their networks. If your IT department set up its own security and is the only one testing it, they can’t self-audit. In most industries, especially the medical space, this doesn’t fly anymore. Many healthcare groups have their own internal IT folks and maybe some internal cyber folks, but all testing and validation is done by an independent, outside firm that will give them a true picture that is not biased.

Another big thing is “cyber due diligence.” DSOs should be doing cyber due diligence when buying a practice because if its systems were breached prior to closing, you own that breach after you close. That could cost you thousands or millions of dollars in the future. Patient records, accounting, and dental equipment and technology are all components of a practice that are evaluated and assessed prior to purchase. We offer the ability to assess the cybersecurity posture and cyber event history of a practice prior to purchase.

Cyber due diligence conducted by a cyber company identifies whether it will be a risky acquisition, or the systems look clean and good to go. Today, private equity companies conduct very rigorous cyber due diligence before acquiring DSOs. If they feel that a DSO does not have proper cyber technology and solutions in place, it may delay the deal, lower the acquisition price, or even cancel the deal altogether because it’s a higher risk.

Part 1 of this article appeared in the August 2023 Technology edition of DSOPro.