RANSOMWARE – CYBER SECURITY BREACHES IN DENTAL OFFICES: What You Must Know TODAY

Dental offices are now being hit with Ransomware (cyber blackmail). If you own or work in a dental practice, you need to know what Ransomware is, and the ramifications of this serious security breach.
Ransomware Trojans are a type of malware that is designed to extort money from a dental office. Typically, Ransomware demands a “ransom” payment in order to release the hijacked dental office software.

The hijacking of dental office software can include:

  • Encrypting data and software that is used by a dental practice (Eaglesoft or Dentrix) – so that the dental office can no longer access any patient information
  • Blocking normal access to the entire dental office software

How Ransomware Enters Dental Office Computers

The most common ways in which Ransomware is installed are:

  • Via phishing emails, or
  • As a result of visiting a website that contains a malicious program

After the Ransomware has infiltrated a particular computer or network, it leaves a ransom message on the computer screen that demands payment in Bitcoin in order to decrypt the files or restore the system to its normal function. In most cases, the ransom message will appear when the user restarts their computer after the entire infiltration has taken place.

In order to keep on top of the latest cyber security breaches, we have taken the initiative to consult with cyber security forensic experts, in order to assist our dental clients, both before a breach occurs [for preventive measures] and after a breach occurs [to determine the extent of the damages].

If a dental office is infected with Ransomware, a practice could suffer a massive security breach, and be subject to huge HIPAA fines [$100.00 to $50,000.00 per violation, as well as $250,000.00 in criminal fines].

Practice Data Security Policy and Standards

Every employee needs to understand his or her obligation in order to protect patient data. Employees also need clear expectations about behavior when it comes to their interaction with sensitive patient data. For that to happen, every practice should have a data security policy. The policy should outline policies and procedures that help safeguard employee, patient and third-party data, and other sensitive information.

The essential elements that form the foundation of a good privacy plan include:

Safeguard data privacy:

Employees must understand that your practice privacy policy is a pledge to your patients that they will protect confidential patient information.

Establish password management:

A password policy should be established for all employees or temporary workers who have access to confidential practice data.

Govern internet usage:

Most employees use the Internet without the thought of potential consequences. Employee misuse of the Internet can place your practice in a costly position.

Manage email usage:

Many data breaches are the result of employee misuse of email, which can result in the loss or theft of data, and the accidental downloading of viruses or other malware.

Govern and manage practice-owned mobile devices:

When practices provide mobile devices for their employees to use, a formal process should be implemented to help ensure that mobile devices are secure and used appropriately.

Establish an approval process for employee-owned mobile devices:

With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to practice applications and infrastructure.

Govern social media:

A strong social media policy is crucial for any practice that seeks to use social networking to promote its activities and communicate with its patients.

Oversee software copyright and licensing:

Employees should not download or use software that has not been reviewed and approved by the practice manager or practice owner.

Report security incidents:

A procedure should be in place for employees to report malware in the event it is inadvertently downloaded on to practice computers.

Cyber Security for Dental Practices

The provision of healthcare is changing at a rapid pace as healthcare providers endeavor to maintain maximum efficiency while navigating the technology rich climate. As a result of the reliance on electronic data, dental offices have become vulnerable to cyber security threats. The growing volume and sophistication of cyber-attacks suggest that dental practices will have to grow increasingly vigilant to ward off these threats. A breach of cyber security will inevitably lead to significant expenses, both financial and reputational, which can wreak havoc on a dental practice.

Many dentists believe that cyber criminals are not a threat to their small dental offices. However, when choosing between a large corporation or bank with security teams and firewalls preventing access to databases and a dental office with no firewall or security team, the dental practice will be the chosen target. In fact, many hackers specifically target small dental offices because they believe that the small business may not have the resources for sophisticated security devices and do not enforce employee security policies.

Dental practices are an increasing target for cyber criminals. These offices hold a vast amount of data, including names, health history, addresses, birthdates, social security numbers, and even banking information of hundreds, if not thousands, of patients. The threat of this information being stolen by a staff member or a cyber-criminal is great, and dental practice owners must address this concern before a theft creates a legal nightmare for the dental practice.

Healthcare organizations make up roughly 33% of all data security breaches across all industries and the healthcare industry is the most breached industry in the United States. According to the US Department of Health and Human Services, almost 21,000,000 health records have been compromised since September 2009. It has been shown that human error causes the majority of personal health information data breaches, and that actions of healthcare employees cause 3 times as many breaches as external attacks. This being the case, the question has to be asked: have you thought about looking into managed security services? This solution will manage threats and protect your customers’ data.

The most common causes of data breaches in healthcare organizations are theft, hacking, unauthorized access or disclosure, lost records and devices, and improper disposal of records. A significant proportion of healthcare breaches are a result of lost or stolen mobile devices, tablets and laptops. In addition, security breaches are not solely inflicted upon the large HMOs, as more than half of all organizations that suffer from security breaches have fewer than 1,000 employees.

The Health Insurance Portability and Accountability Act requires healthcare providers to maintain the privacy of patient health information and to take security measures to protect this information from abuse by staff members, hackers, and thieves. The penalties imposed upon health care providers for HIPAA violations are great. The monetary penalties can range from a fine of $100 to a fine of $50,000 per violation, with a $1,500,000 maximum annual penalty. In addition to the federal penalties, dentists may face penalties imposed at the state level as well as lawsuits filed by disgruntled patients whose health information has been compromised.

It is crucial for dentists to take steps to ensure that their practice is in compliance with HIPAA provisions regarding computer security. Because the majority of data security breaches occur when staff members fail to follow office procedures or exercise poor judgment, the location of computers in the dental office is key. All computers should be placed in areas where the computer screens are not visible to patients and visitors, and access to each computer should be protected by a password. Passwords should contain mixed-case letters and include numbers or symbols, and should be changed regularly. In addition, passwords should not be written down under keyboards or kept on desks or surfaces where the public may be able to access them. Dentists should ensure that all staff members understand the importance of maintaining the privacy of patient health information.

Every dental practice should have a policy that includes steps for safeguarding patient information and educate staff members as to how to comply with the office policy. A strict Internet and computer use policy should be enforced that prohibits staff members from checking personal e-mail accounts or visiting Internet sites that aren’t work-related. It is also important that dentists ensure that all firewalls, operating systems, hardware and software devices are up to date, strong and secure and that wireless networks are shielded from public view. Antivirus software should be installed on every computer, kept updated, and checked regularly.

When accessing office data remotely, dentists should use only trusted Wi-Fi hot spots and never use shared computers. Smartphones and tablets should be password protected to prevent easy access to patient information in case the device is lost or stolen. In addition, all hard copies of documents with patient information should be shredded. Finally, to ensure that your dental practice is HIPAA compliant, data transmitted to payers, health plans, labs and other healthcare providers may need to be encrypted to ensure that a hacker will not have access to this data.

Because dental practices are subject to heightened government enforcement and the scope of fines and penalties for data breaches have increased, many dental practices have relied on cyber insurance for protection in the event of a breach of cyber security. These insurance policies cover the cost of investigating a theft, compensate the insured for all state and federal fines and penalties imposed, and fund all related lawsuits and legal fees, thus relieving dentists of the financial and time burdens imposed as a result of the breach in security.

It would be prudent for all dentists to invest in data security and in the proper training of staff members as to acceptable use of office computers. If plans and policies are put in place proactively and steps are followed to ensure HIPAA security compliance, a dental practice should be able to prevent the significant cost and headache involved in responding to a cyber-breach. It wouldn’t be a bad idea to consider Azure monitoring tools to keep better track of your practice’s network traffic.

If a security breach in a dental office does occur, it is imperative that appropriate action is taken immediately, which includes determining how the breach occurred and the extent of the security breach. In addition, if a security breach does occur, the owner of a dental practice must be very careful whom they initially contact and provide information to. Any improper or accidental disclosure to a third party other than legal counsel for the dental practice owner may be subject to the rules of discovery if litigation occurs, which could increase the liability exposure of the practice owner. Having an information security management system (ISMS) that is fully compliant with ISO 27001 will significantly reduce the chance of information breaches.

Stuart J. Oberman, Esq. handles a wide range of legal issues for the dental profession including cyber security breaches, employment law, practice sales, OSHA and HIPAA compliance, real estate transactions, lease agreements, non-compete agreements, dental board complaints, and professional corporations.

For questions or comments regarding this article please call (770) 554-1400 or visit www.obermanlaw.com

Oberman Law Firm is proud to be a sponsor

Oberman Law Firm is proud to be a sponsor of the 2014 AB Cooper Seminar through the North Georgia Dental Society. We look forward to seeing our friends and colleagues at this great event Friday, November 21. If you still need to register visit northgeorgiadentalsociety.org.

Protecting Practice Assets: What Every Practice Owner Needs to Know

In today’s digital society, protecting confidential and proprietary practice information is next to impossible. Employees on a daily basis have access to an employer’s confidential information.  Electronic information can be stored on a smart phone, flash drive, and in the cloud.

In many states, trade secrets are protected by the Uniform Trade Secrets Act.  Generally, a practice’s patient list and other sensitive practice information are protected by the Act. The term trade secret is defined as technical or nontechnical data, a formula, a pattern, a compilation, a program, a device, a method, a technique, a drawing, a process, financial data, financial plans, product plans or a list of actual or potential patients or suppliers, which is not commonly known by or available to the public.

When a practice takes reasonable measures to protect its valuable and confidential information, and if the information is generally not known to the public, then a practice’s trade secrets will most likely be protected. In addition to patient lists and related data, many other forms of information may also be protected, such as business plans.

It is extremely important for a practice to have policies, procedures and agreements in place in order to protect a practice’s assets and intellectual property, before an employee leaves. Below is a checklist of items that a practice should consider in order to protect its valuable assets.

Confidentiality and Return of Records Policies.
A practice should have policies and procedures in place that clearly identify what is considered a protected trade secret [patient list, pricing, vendors, referrals, marketing data, business plans and projections, etc…]. In addition, if an employee resigns or is terminated, the practice should have a written procedure in place that will require the former employee to immediately return to the practice, all protected and confidential information.

Confidentiality and Non-Disclosure Agreements.
In order to protect a practice’s trade secrets, every employee should sign a confidentiality and non-disclosure agreement. The confidentiality and non-disclosure agreement may be part of a well prepared employee manual or a separate document.

Keep Confidential Information Confidential.
Information that is identified by a practice as a trade secret or considered confidential should be treated as such by all employees, or it may lose its confidential status. A practice should train its employees to take the necessary precautions in order to protect against the wrongful disclosure or misuse of confidential information.

Bring Your Own Device or Employer Provided Device Policies.
If a practice permits an employee to use their own personal electronic devices for business purposes [cell phones, iPads, laptops, etc…], then a practice should have a written policy in place that will permit the practice to periodically inspect an employee’s electronic device in order to ensure that confidential practice information is protected and secure.

In addition, if an employee resigns or is terminated, a practice should also have a written procedure in place that outlines specifically how the practice will be permitted to purge confidential information from the employee’s personal electronic device upon departure. The information must be purged immediately upon an employee’s departure.

Non-Solicitation and Non-Compete Agreements.
A practice should have its key employees sign a non-solicitation and/or non-compete agreement.  A non-compete agreement will prevent an employee from performing the same or similar services for a competitor, for a certain period of time, within a certain specified geographical area, for specific clients or other confidential relationships.  A non-solicitation agreement will prevent a current or former employee from soliciting or contacting the practice’s patients. Both types of agreements must be designed to protect legitimate practice interests, be reasonably limited in duration and geographic scope, and be applied consistently, in order to be enforceable.

Immediately Cut Off System Access.
A practice should immediately cut off an employee’s access to information upon an employee’s planned or unplanned departure [or even in advance of an employee’s departure, if at all possible]. In addition, a practice should immediately change all of its passwords upon an employee’s departure, especially in those areas where the employee had access to confidential and protected practice information.

Reminder Letters.
After an employee is no longer employed by a practice, the practice may want to consider sending out a reminder letter to the former employee that sets forth the former employee’s post-employment contractual obligations [i.e., non-compete, non-solicitation, and non-disclosure of confidential information, etc…].

In many cases, the most valuable assets of a practice are the practice’s intellectual property [patient lists, confidential company data, software, business plans, etc…], and the protection of these valuable assets may very well be necessary in order to ensure the viability of a practice. If a practice takes the required steps in order to protect its assets, then a practice should be in a good position to prevent a devastating and potentially costly loss in the event of an employee’s departure.

Stuart J. Oberman, Esq. handles a wide range of legal issues for the dental profession including cyber security breaches, employment law, practice sales, OSHA and HIPAA compliance, real estate transactions, lease agreements, non-compete agreements, dental board complaints and professional corporations.

For questions or comments regarding this article please call (770) 554-1400 or visit www.obermanlaw.com.

If you would like Stuart J. Oberman, Esq. to speak at an event for your organization, please contact Amanda Lussiana, Marketing Coordinator (amandal@obermanlaw.com)

Ebola Precautions for Dental Practices

According to the American Dental Association, as of October 17, 2014, dental professionals are advised of the following:

A person infected with Ebola is not considered contagious until symptoms appear. Due to the virulent nature of the disease, it is highly unlikely that someone with Ebola symptoms will seek dental care when they are severely ill. However, according to the Centers for Disease Control and Prevention and the ADA Division of Science, dental professionals are advised to take a medical history, including a travel history from their patients with symptoms in which a viral infection is suspected.

As recommended by the ADA Division of Science, any person within 21 days of returning from the West African countries Liberia, Sierra Leone and Guinea may be at risk of having had contact with persons infected with Ebola and may not exhibit symptoms. If this is the case, dental professionals are advised to delay routine dental care of the patient until 21 days have elapsed from their trip. Palliative care for serious oral health conditions, dental infections and pain can be provided if necessary after consulting with the patient’s physician and conforming to standard precautions and physical barriers.

An elevated temperature (fever) is often a consequence of infection, but Ebola is not the only infection that may have similar signs and symptoms. The most common signs and symptoms of Ebola infection are:

  • fever (greater than 38.6°C or 101.5°F) and severe headache
  • muscle pain
  • vomiting
  • diarrhea
  • stomach pain or unexplained bleeding or bruising

You are advised not to treat dental patients if they have these signs and symptoms for Ebola. If a patient is feeling feverish and their travel history indicates they may be at risk of Ebola, dental professionals and staff in contact with the patient should:

  • immediately protect themselves by using standard precautions with physical barriers (gowns, masks, face protection, and gloves)
  • immediately call 911 on behalf of the patient
  • notify the appropriate state or local health department authorities
  • ask the health department to provide you and your staff with the most up-to-date guidance on removing and disposing of potentially contaminated materials and equipment, including the physical barriers.

The Ebola virus is spread through direct contact (through broken skin or mucous membranes) with blood and body fluids (urine, feces, saliva, vomit and semen) of a person who is sick with Ebola, or with objects (like needles) that have been contaminated with the virus. Ebola is not spread through the air or by water or, in general, by food. Again, there is no reported risk of transmission of Ebola from asymptomatic infected patients.

Information and resources on Ebola are posted on the CDC’s website at cdc.gov. A checklist for healthcare providers (PDF) specific to Ebola is included on the site.

To view this article and other American Dental Association Recommendations please visit: www.ada.org

Stuart J. Oberman, Esq., handles a wide range of legal issues for the dental profession, including cyber security breaches, employment law, practice sales, OSHA and HIPAA compliance, real estate transactions, lease agreements, non-compete agreements, dental board complaints, and professional corporations.
For questions or comments regarding this article please call (770) 554-1400 or visit www.obermanlaw.com.
If you would like Stuart J. Oberman, Esq. to speak at an event for your organization, please contact Amanda Lussiana, Marketing Coordinator (amandal@obermanlaw.com)

Risk Management Webinar

Stuart J. Oberman, Esq. [Oberman Law Firm], will be conducting a Risk Management webinar, in conjunction with Entrepreneur MD, a nationally recognized informational and interactive website for the dental industry.

Risk Management webinar, October 16, 2014. Visit https://plus.google.com/events/csbrbe52po8o0pqueiolom0blks to join the webinar.

Protecting Business Assets

In today’s digital society, protecting confidential and proprietary business information is next to impossible. Employees on a daily basis have access to an employer’s secret and extremely confidential information.  Electronic information can be stored on smart phones, flash drives, in the cloud, and on employer and employee cell phones.

In Georgia, trade secrets are protected by the Georgia Uniform Trade Secrets Act.  Generally, a company’s customer list and other sensitive company information are protectable by the Act. Under the Georgia Trade Secrets Act, the term trade secret is defined as technical or nontechnical data, a formula, a pattern, a compilation, a program, a device, a method, a technique, a drawing, a process, financial data, financial plans, product plans or a list of actual or potential customers or suppliers, which is not commonly known by or available to the public.

When a company takes reasonable measures to protect its valuable and confidential information, and if the information is generally not known to the public, then a company’s trade secrets will most likely be protected. In addition to customer lists and related data, many other forms of information may also be protected, such as business plans, research and development data, product manuals, personnel information, designs, blueprints, schematics, ingredients, formulas and manufacturing techniques.

It is extremely important for a company to have policies, procedures and agreements in place in order to protect a company’s assets and intellectual property, before an employee leaves. Below is a checklist of items that a company should consider in order to protect its valuable assets.

Confidentiality and Return of Records Policies.   A company should have policies and procedures in place that clearly identify what is considered a company’s protected trade secret [customer list, pricing, vendors, referrals, marketing data, business plans and projections, etc…]. In addition, if an employee resigns or is terminated, the company should have a written procedure in place that will require a former employee to immediately return to the company all protected and confidential information.

Confidentiality and Non-Disclosure Agreements.  In order to protect a company’s trade secrets, every employee should sign a confidentiality and non-disclosure agreement. The confidentiality and non-disclosure agreement may be part of a well prepared employee manual or a separate document.

Keep Confidential Information Confidential.  Information that is identified by a company as a trade secret or considered confidential should be treated as such by all employees, or it may lose its confidential status. A company should train its employees to take the necessary precautions in order to protect against the wrongful disclosure or misuse of confidential information.

Bring Your Own Device or Employer Provided Device Policies.  If a company permits an employee to use their own personal electronic devices for business purposes [cell phones, iPads, laptops, etc…], then a company should have a written policy in place that will permit the company to periodically inspect an employee’s electronic device in order to ensure that confidential company information is protected and secure.

In addition, if an employee resigns or is terminated, a company should also have a written procedure in place that outlines specifically how the company will be permitted to purge confidential information from the employee’s personal electronic device upon departure. The information must be purged immediately upon an employee’s departure.

Non-Solicitation and Non-Compete Agreements.  A company should have its key employees sign a non-solicitation and/or non-compete agreement.  A non-compete agreement will prevent an employee from performing the same or similar services for a competitor, for a certain period of time, within a certain specified geographical area, for specific clients or other confidential relationships.  A non-solicitation agreement will prevent a current or former employee from soliciting or contacting the company’s customers. Both types of agreements must be designed to protect legitimate business interests, be reasonably limited in duration and geographic scope, and be applied consistently, in order to be enforceable.

Immediately Cut Off System Access.  A company should immediately cut off an employee’s access to company information upon an employee’s planned or unplanned departure [or even in advance of an employee’s departure, if at all possible]. In addition, a company should immediately change all of its passwords upon an employee’s departure, especially in those areas where the employee had access to confidential and protected company information.

Reminder Letters.   After an employee is no longer employed by a company, the company may want to consider sending out a reminder letter to the former employee which sets forth the former employee’s post-employment contractual obligations [i.e., non-compete, non-solicitation, and non-disclosure of confidential information, etc…].

In many cases, the most valuable assets of a company are the company’s intellectual property [customer lists, confidential company data, software, business plans, etc…], and the protection of these valuable assets may very well be necessary in order to ensure the viability of a company. If a company takes the required steps in order to protect its assets, then a company should be in a good position to prevent a devastating and potentially costly loss in the event of an employee’s departure.

Stuart J. Oberman, Esq. handles a wide range of legal issues for the business community including business transitions, sales, real estate transactions, lease agreements, employment law and entity formation. For questions or comments regarding this article please call (770) 554-1400 or visit www.obermanlaw.com

Please visit us at: Corporate Facebook: www.facebook.com/obermanlaw
Twitter: twitter.com/obermanlaw
LinkedIn: www.linkedin.com/in/stuartobermanlaw
Blog: obermanlawfirm.wordpress.com/
