Cyber Security in the Dental Industry

Top 5 Current Cybersecurity Threats Include:
1. Email phishing attacks – an attempt to trick the email recipient into giving out information over email
– appears to come from a trusted source
– usually contains an active link or file that may download malware or access sensitive information
2. Ransomware attacks – a type of malware that uses encryption to deny access to a user’s system and data until a ransom is paid
3. Loss or theft of equipment or data
Vulnerabilities include:
– lack of asset inventory and control
– failure to encrypt data
– lack of physical security (an open office & poor physical management)
– lack of simple safeguards (computer cable locks)
– lack of effective vendor security management (data and equipment protection and security measures)
– lack of a process to clear sensitive data from IT assets before they are discarded (discarded medical devices may be transferred to or used by other organizations)
4. Insider accidental or intentional data loss
Vulnerabilities include:
– sensitive data files accidentally emailed to incorrect or unauthorized addresses
– lack of adequate monitoring, tracking, or auditing of access to patient information on electronic health record systems
– lack of logging and auditing of access to technology assets (email and file storage)
– lack of controls to monitor emailing and uploading of sensitive data outside the network
– lack of access controls and employee training regarding social engineering and phishing attacks
5. Attacks against medical devices relating to patient safety – a hacker may attempt to gain access to the network to take control of medical devices and place the patient at risk
10 Cybersecurity Practices to Minimize Threats Include:
1. Email protection systems – “free” or “consumer” email systems should be avoided
2. Endpoint protection systems – desktops, laptops, mobile devices, and any other devices connected to the network should be protected and secured
3. Identity and access management – identify users and audit access to data, applications, systems, and endpoints
4. Data protection and loss prevention – categorize data as highly sensitive, sensitive, internal use, and public use
5. Asset management – integrate daily IT operations into processes to protect IT assets (procurement, deployment, maintenance, and decommissioning of devices)
6. Network management – have properly configured firewalls in place to control access into and out of the organization’s network
7. Vulnerability management – implement processes to classify, evaluate, prioritize, and remedy vulnerabilities in the system
8. Incident response – implement systems to quickly detect cyberattacks and develop processes to quickly respond and resolve the issue that allowed the breach
9. Medical device security – any device directly connected to a patient for diagnosis or treatment should always be tested for safety and quality control
10. Cybersecurity policies – cybersecurity roles and responsibilities should be defined
– employees should be adequately trained to handle common cyberattacks
– acceptable use of data, equipment, software, and programs should be defined
– position on personal devices should be outlined
– office policy for mobile devices should be provided
– a process for reporting suspicious activity should be in place