How to Protect Your Dental Practice Online
Cyber security for dentists is a crucial, but largely overlooked, aspect of running a dental practice. Your computers, devices and networks hold confidential patient data and sensitive dental records.
With the rise of cyber attacks on medical businesses, the increasing reliance on the cloud for storage and processing, and the introduction of legislation like GDPR, it is essential that dentists have a strategy for cyber security and for protecting their digital information.
Cyber Security Threats to Healthcare Businesses
In this webinar, Arun and George discuss several cyber security issues which pose a threat to your healthcare business online.
Preventing cyber attacks
An essential part of preventing cyber attacks is using some sort of anti-virus software; not having it is a major contributor to compromises. A decent anti-virus product will quarantine a malicious file and ensure it does not get access to a computer, where it could compromise it.
Anti-virus software works by scanning files or code passing through your network. Depending on the vendor, it builds an extensive database of already known viruses and malware, matches files against that database, and decides whether or not to quarantine the file.
Users can install a Firewall which is essentially a virtual wall that chooses to allow or decline traffic through your network.
Much like anti-virus software, firewalls scan packets for malicious code or attack vectors that have already been identified as established threats. Should a data packet be flagged and determined to be a security risk, the firewall prevents it from entering the network or reaching your computer.
The number one way to prevent cyber attacks is training. It has been said that your own staff are the biggest threat to any business. All it takes is one staff member to click on a link, and the entire network can be compromised. Of course, the computers will have anti-virus software, which should block any virus that has been allowed onto the computer. But why increase your body armour when you can take the bullets out of the gun?
Spotting a Phishing Email
There are 3 main traits to look out for with Phishing Emails.
- Urgency – Using tight deadlines to create a sense of urgency that distracts you from the rest of the message and pressures you into acting quickly.
- Authority – Using the authority of the sender, such as by pretending to be a senior executive, trusted colleague, or reliable company, to convince you that the message comes from a trustworthy source.
- Imitation – Exploiting ‘normal’ business communications, processes, and daily habits to trick you into reacting to a message. Check who the email is addressed to, if it’s ‘friend’ or ‘valued customer’, then this might be because the sender doesn’t know you.
An obvious one, but having a secure password can be the difference between access and no access.
Nowadays websites ask for a secure password; this typically means at least one capital letter, 6 lowercase letters and one number. Usually, people like to be able to remember their password, so they use personal names and dates.
A great method for a secure password is the ‘Three Random Words’ method. This entails using three completely random words, followed ideally by a random number, though any number would do, even a significant date. Using three different words greatly increases resistance to brute force attacks.
Joe Bloggs has a child named Sarah who was born 14/05/07.
Most commonly, the password Joe will use is Sarah140507. This way Joe has ticked all the boxes for the website, and it’s easy to remember. But this password is not very secure.
As of Sept 2021, 78% of the UK population are regular social media users.
Joe Bloggs posted a picture of a birthday dinner for his daughter Sarah on Facebook on 14/05/18 saying, “Happy Birthday Sarah, 11 today!!”. See the issue? Joe told a wannabe hacker exactly the date of his daughter’s birthday. Using a brute force attack, the hacker can now try to force his way into Joe’s account(s) using the information he has gathered.
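As an added example (not code from the original article), the following Python check applies the two ideas above to Joe's passwords: a website-style complexity rule, and a screen for personal details such as a family member's name or birthday that an attacker could read off social media. The profile, the exact complexity rule and the dictionary size used for the guess-space estimate are assumptions.

```python
import re
from datetime import date

# Constructed profile for the page's example user, Joe Bloggs (not real data).
# In a practice this would come from the staff record, so the check runs
# against details an attacker could plausibly learn, not against guesses.
PROFILE = {
    "names": ["joe", "bloggs", "sarah"],
    "dates": [date(2007, 5, 14)],  # Sarah's birthday, as posted on Facebook
}


def date_variants(d):
    """Common ways a date gets typed into a password: 140507, 14052007, 2007, ..."""
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    yy, yyyy = f"{d.year % 100:02d}", str(d.year)
    return {dd + mm + yy, dd + mm + yyyy, mm + dd + yy, mm + dd + yyyy,
            yyyy + mm + dd, yyyy}


def meets_complexity_rule(password):
    """Assumed typical website rule: 8+ characters, a capital, a lowercase, a digit."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None)


def personal_info_hits(password, profile):
    """Return the profile fragments (names, date spellings) found in the password."""
    low = password.lower()
    hits = [n for n in profile["names"] if n in low]
    hits += sorted(v for d in profile["dates"] for v in date_variants(d) if v in low)
    return hits


def assess(password, profile):
    """A password is acceptable only if it passes the rule AND contains no personal info."""
    hits = personal_info_hits(password, profile)
    ok = meets_complexity_rule(password)
    return {"complexity_ok": ok, "personal_info": hits, "acceptable": ok and not hits}


def guess_space(pattern):
    """Rough number of candidates an attacker must try for each pattern on the page.
    Assumed: 3 known family names, 120 plausible birth years, 6 date formats;
    a 20,000-word dictionary and a two-digit number for the three-word method."""
    if pattern == "name+date":
        return 3 * 365 * 120 * 6
    if pattern == "three-words+number":
        return 20_000 ** 3 * 100
    raise ValueError(pattern)


if __name__ == "__main__":
    for pw in ("Sarah140507", "CopperLanternQuartz42"):
        print(pw, assess(pw, PROFILE))
    print("search space ratio:", guess_space("three-words+number") // guess_space("name+date"))
```

Sarah140507 satisfies the website rule yet is rejected because both "sarah" and "140507" come straight from the profile; the three-word password passes both checks.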
Allocate responsibilities in your dental practice
When it comes to computer security in a dental practice, it’s crucial to identify what must be done and allocate exactly which team members are responsible for those tasks.
Overall responsibility should rest with a senior manager who has a broad view of all the risks and how to tackle them.
Other individuals can handle particular aspects, for instance installing security software.
Management should identify which information and technology is really vital to the business; this is where the big risks lie.
For example, damage to your dental practice’s financial or clinical system, or the loss of your dental patient list, could lead to the complete failure of the business.
Other information may be less important. Equally, some computers are probably more critical, or more vulnerable, than others.
Identifying the risks, then establishing what security measures already exist and whether they work, and what extra ones are required, will help you to target your security efforts where they are most needed in your dental practice.
Action: Make a list of all the cyber security steps that need to be taken and make a spreadsheet allocating these tasks to specific members of staff.
Protect your computers and networks in your dental practice
Malicious activity could come from outside or inside your dental practice. Attacks from outside, for example by troublemaking hackers or even competitors, can be protected against simply by installing a firewall.
This is software or hardware which examines all the computer communications flowing in and out of the business, and decides whether it’s safe to let them through. It can also be used to manage your staff’s internet activity. For instance, by blocking access to chat sites where employees might encounter security risks.
You can configure (set up) the firewall to allow or prevent certain kinds of activity. There are several different kinds of firewall. The router supplied by your Internet service provider (ISP) may already have one built in, or you can buy a software firewall solution.
Protecting against illicit activity from inside the dental practice requires other precautions we’ll look at elsewhere in this supplement. All of these also provide extra protection against attacks from outside.
Action: Install a firewall to protect your networks and possibly restrict staff and patient usage of the internet in the dental practice.
Keep your dental practice’s computers and devices up-to-date
Suppliers of PCs, software, and operating systems, such as Windows, frequently issue software updates (patches) to fix minor problems (bugs) or improve security. It’s essential to keep all of the computers in your dental practice (and other devices) up-to-date with the latest patches and software updates.
Normally, they can be downloaded and installed automatically. Remember that just one vulnerable computer puts all the others at risk. It’s important to ensure that all available patches are applied to all of them.
Action: Check for software updates on all the devices in your dental practice and upgrade hardware that is outdated.
Control employee access to computers and dental records
Although your computers should be guarded by a firewall, you should still protect user accounts (each person’s ‘identity’ with which they log on to a computer) and sensitive documents with passwords.
Because each individual should have a unique user name and a password, access to different parts of your IT system can be limited to certain people. It is important to remember that some individuals may have more than one user name and password, perhaps if they have multiple roles.
This not only protects against accidental or intentional damage by staff to systems and information, it also provides further security against outside intrusions. To achieve this, you can use security options built in to operating systems such as Windows, or you can buy specialised software online.
Because you identified your biggest security risks and most vital information in Step 1, you can decide whether password control for a given item should be basic (for instance, one password authorising access to an entire computer) or stronger (each document or application requiring a separate password).
Some individuals designated as computer administrators (admins) may be given access to nearly everything, in order to perform technical work. You should keep the number of admins to a minimum.
Security software will usually generate records showing which employees have used particular computers or documents at different times. This can be useful for pinpointing problems, but access to these records should, of course, be tightly limited – otherwise, people misusing the system could alter them to cover their tracks.
Action: Set up your employee profiles on your CRM, website administration and any other online data storage in your dental practice. Make sure you assign the appropriate roles to each team member.
Protect against computer viruses in your dental practice
Malicious software or ‘malware’ (a category including viruses, Trojans and spyware) may not always be as devastating as the headlines suggest, but can still slow down your systems dramatically, and passing them on to customers will win you no friends.
Fortunately, there is plenty of protection available. Your computers may have been sold with anti-virus software (the generic term, although most products also protect against other kinds of malware). If not, you can easily buy it.
This software regularly scans a computer in search of malware, deleting any that is found. Regular updates to head off new threats are key to anti-virus software. So this is one area where it does pay to stick to the big brand names and to ensure that the software is set to receive updates as regularly as possible (ideally daily).
Extend security beyond the office or dental practice
Today’s employees sometimes work from home or on the road between dental practice sites using their own laptops, phones and tablets. It is difficult to extend the same level of security you can apply to office computers to these devices.
But you can reduce risk by requiring that any personal equipment used for work be approved first by management or IT. It should have, at a minimum, anti-virus software, password protection and (where applicable) a firewall.
To protect against unauthorised access to information when a device is mislaid or stolen, it should be possible to delete all the information (“wipe” it), even when you don’t have the device.
This capability is built into newer models; software can also be bought to perform remote wiping, but this must be installed before the device is lost. Ensuring the sensitive data is kept in an encrypted area (see section 7) of the computer or device will stop most attempts to access data.
This is easy to set up using off-the-shelf software. Beware of the dangers when connecting to unencrypted public Wi-Fi, as hackers can intercept data. Check the hotspot is genuine and make sure file sharing is off and the firewall is on.
Action: Conduct a review of all the devices your employees use to access or store patient data or dental records. Make sure they all have the proper anti-virus, firewall and data protection features.
Remember the disks and drives you need to protect in your dental practice
Removable disks and drives, such as DVDs and USB sticks, pose security risks in two ways. They can introduce malware into your computers, and they can be mislaid when containing sensitive information.
Ensure that as far as possible, only disks and drives owned by your dental practice are used with your computers. Discourage employees from using them in third parties’ computers (in Internet cafes for example), and set up anti-malware software to scan them whenever they are used in the office.
Action: Establish a plan to track who has possession of each disk or drive at any given time, what information is contained on them and check that all documents are erased from them after use.
Plan for the worst
Following the measures in this guide will help you protect against a major security breach. But no system is 100% secure, so it’s worth planning what you’d do if things went badly wrong. First, define what is ‘major’ for you. Something that puts a non-critical department of the business offline for a couple of hours probably isn’t. But something that prevents you serving customers, or performing vital functions such as payroll, will be.
Establish how you will know that there’s a problem. You shouldn’t have to wait for computers to go down; your firewall or anti-virus software, for example, may provide advance warning that something unusual is going on. Plan your next steps.
What help (perhaps a specialist computer company) should you call in? Do you need to contact key dental patients or suppliers to explain that there is a problem? Can some functions be continued using other computers, or pen and paper, while your systems are repaired?
Finally, ensure that it’s clear who is responsible for doing what in an emergency. Your plan can be laid out in a document, and delivered in training sessions. It may incorporate elements of your plans for other disasters, such as a fire on your premises, and cut-down versions can be applied to less damaging computer incidents.
Action: Create a strategy for how your dental practice will handle a major breach of patient data or dental records. Identify your biggest risks and create an emergency contingency plan.
Educate your dental team about cyber security for dentists
Tell everyone in the business why security matters, and how they can help, using training sessions and written policy documents. This will encourage them to follow practices such as regular password changes. Most will not have to actively work at security. They’ll simply need to be aware of risks. For example, knowing that they should never click on a web link or attachment in an email from an unfamiliar source.
There are non-technical risks, too. One is social engineering, where hackers try to trick employees into revealing technical details that make your computers vulnerable. For example, a hacker might pretend to work for your computer supplier and claim they need passwords to perform maintenance. The casual atmosphere of social media such as Facebook could be conducive to such deceptions, so employees should be especially wary of discussing your systems and practices on social media.
Action: Create a training session to educate your team on their responsibilities and duties regarding dental records and patient data. Deliver this programme regularly.
Keep records and test your dental practice’s cyber security regularly
Security is an ongoing process, not a one-off fix. So it’s important to keep clear records. For example, the decision-making in Step 1 of this guide could help you produce a list of all your hardware and software, along with an indication of how secure each item needs to be.
Similarly, records of software patches and lists of authorised personal devices will help build up a picture of your business’s security status, spot potential weak points, and figure out how any problems arose. Good record keeping will also help you regularly test all your security measures, and ensure that you have functioning, up-to-date software. Any business is only as secure as its weakest link, and testing will make sure that no weaknesses are overlooked.
Action: Create a cyber security strategy for your dental practice by following the steps listed here, creating a plan for each task and regularly testing your systems and strategies.
You can find more articles in the Samera learning centre.
Our Expert Opinion
“Cyber security is hugely important for every business. It’s doubly important for healthcare businesses because they handle patient data as well as their own financial data. If I were to ask you what your cyber security protocol is and you can’t answer off the top of your head – your business is in danger. You can’t rely on a simple anti-virus programme. You can’t rely on a simple back-up. You honestly really need to take cyber security seriously.
If the NHS can get hacked then a small dental practice certainly can! It’s not just about hackers either. We at Samera suffered data issues when a fire broke out at one of the servers we were using for back-ups in France. Since then we’ve used a triple back-up system to make sure it never happens again. Don’t take any risks with your or your patients’ data. Sort your cyber security out as soon as possible – your business could very well depend on it!”
Head of Digital Marketing
Get Started: Cyber Security for Healthcare
Cyber security is an essential part of keeping your patients, data and business protected online.
With Samera Cyber Security, you get the tools you need, the know-how to use them and digital copies of all your data. This three-pronged approach means you can keep your business safe and your data safe.
Contact us today to find out more about how our cyber security training, digital protection products and back-up contingencies can help you.