What to Consider When Performing a Cyber Security Assessment

A cyber security assessment of your dental practice is much more than a review of your practice software. It’s vital to analyze both technical and non-technical components of your practice on each of the three pillars of cyber security: people, policies, and technology. Here are some important things to consider.

 
PEOPLE (EMPLOYEE TRAINING AND AWARENESS):
1. Ask scenario-based questions. Applying an office policy to a real-world situation will help assess your employees’ understanding of your practice’s policies and procedures.
2. Simulate “social engineering” attacks (e.g., phishing emails). This will prepare employees for the type of attacks they are likely to face, and will make your entire practice more aware of cyber threats and more vigilant when encountering a real attack.
3. Allocate proper time and resources. Training is often given low priority, but is one of the most essential parts of a cyber security infrastructure. It’s important to spend just as much time assessing an employee’s knowledge of policies and procedures.
POLICIES AND PROCEDURES: 
1. Review all of your policies and procedures regarding your cyber security. Office policies are often scattered throughout a practice (if they even exist).
2. Tailor your cyber security policies and procedures to your own individual practice. Not all practices are the same, so your policies and procedures should be customized to fit your environment. It is important to balance security with usability so that your employees can function productively without compromising data.
3. Be thorough. Your office cyber security guidelines need to cover each topic in full. For example, your password management policy should outline how employees should create, update, share, and store their passwords.
TECHNOLOGY:
1. Address network, server, and web application vulnerabilities. Simple “IT Audits” do not assess potential vulnerabilities, which often go undetected.
2. Perform penetration tests. While obtaining a list of vulnerabilities within a practice network is helpful, it does not show which practice data is exploitable. Penetration tests will show which of your vulnerabilities can allow a data breach to occur when (not if) you are the target of a cyber attack.
3. Do periodic engineering assessments of your network. Networks tend to grow on an “as needed” basis, which causes a “spaghetti effect” that commonly creates security holes and unnoticed vulnerabilities within your system. Keeping your network diagrams up to date allows you to see a more comprehensive picture, and will help you locate and fortify points of weakness within your system.