This is an article written for Sally McKenzie's newsletter, The Dentist's Network, where the original can be found.
By Mike Whaley, Director of IT Security for CRC Technologies and DIA Member
It has been estimated that it can cost the victim of a healthcare data breach (the patient) $13,500 to recover after their medical data has been stolen. A Ponemon Institute study on medical identity theft (published in 2015) compiled these costs from credit restoration, reimbursement to healthcare providers for fraudulent claims, and correction of inaccuracies in health care records. Because of HIPAA privacy regulations, victims of medical identity theft must be involved in resolving the crime. Those who have resolved it spent, on average, more than 200 hours working with their insurer or healthcare provider to make sure their personal medical credentials are secured and can no longer be used by an imposter, and verifying that their personal health information, medical invoices, claims, and electronic health records are accurate.
Dental professionals are keepers of some very sensitive, embarrassing, and potentially discriminatory data. Dental professionals are also keepers of enough information for one person to easily create a false identity – therefore it is necessary to take measures to keep patient data safe.
Most of a dental practice's technical security controls, such as firewalls and antivirus, are provided by its IT vendor. Hopefully the practice is already taking its IT vendor's technical security control recommendations seriously and implementing them. Other controls are driven by the practice itself, such as security cameras, security policies and procedures, and physical access controls like door locks and server room locks. Even if a practice has its security locked down, it could easily take only one employee accidentally downloading and running a malicious program delivered by email or a website and BOOM – the practice data is ransomed, or the computers are suddenly being remotely viewed and staff keystrokes logged while login credentials are stolen.
If properly trained, staff can become the biggest guard against cybersecurity threats. They will become the human firewall. Security threats can come from many different directions like email phishing, the internet, phone calls, or an in-person visitor. Training employees on a regular basis about cybersecurity threats is called Cybersecurity Awareness Training.
Ongoing cybersecurity training helps to prevent bad outcomes from threats like phishing, which is when the bad guys trick a person into following a malicious link in an email or downloading an email attachment. A study reported by the INFOSEC Institute found that, "…26% to 45% of the employees of the chosen companies were susceptible to phishing. With the security awareness program, that percentage decreased by 75%."
Ransomware is a big moneymaker for the bad guys. If a practice downloads malware that ends up encrypting its patient data and demanding money to decrypt it, this can cost the practice thousands of dollars in ransom. Plus, if hit by ransomware, HIPAA requires practices to prove their data wasn't taken by the bad guys, so it could be a double whammy with fines.
Cybersecurity Awareness Training programs aren't expensive, and there are plenty of options out there. Implementing a Cybersecurity Awareness program shouldn't be a one-time event; it needs to be ongoing, and training needs to take place quarterly at a minimum to be effective. The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce recommends training modules, testing users, simulations, posters, and newsletters as part of the program.
Popular security awareness training vendors include KnowBe4 and PhishMe. KnowBe4 offers simulated phishing and fake voice calls, and they can even send a USB drive to the practice to see if staff will plug it in. PhishMe is one of the more senior companies in the space and has perfected the simulated phish and the training that goes along with it: if an end user clicks on a link in a simulated phishing email, it sends them to a training web site. Another organization to consider is SANS for their cybersecurity training. They are an organization made up of cybersecurity professionals and have a good reputation for being at the forefront of training end users.
Practices should be on the lookout for cybersecurity training offered by their HIPAA consultants, or by their bank if enrolled in a PCI compliance program; these may include training modules with their online solutions. The practice's IT vendor might also have some good options for cybersecurity awareness training and may already have a program they can refer to or administer.
Rather than a costly breach or a server down due to ransomware, Cybersecurity Awareness Training can help build the human firewall and keep out the bad guys. Loss of patient data can cost not only the practice time and money, but the patients time and money as well. Training programs are easy to find and easy to administer. Stay safe out there!
Mike Whaley is the Director of IT Security for CRC (www.crctechs.com), a managed service provider based in Seattle, Washington. Mike has more than 20 years of client and project management experience along with a formal education in Network Administration.
CRC is a proud member of the Dental Integrators Association, a network of leading independent dental technology integration firms from across the country. It was formed to create and deliver a higher standard of quality and care for dental practice technology integration.
Mike can be reached at: email@example.com