Cyberattacks: Prevention May be the Cure from Ransomware

By Robert McDermott, President/CEO, iCoreConnect

Just as you wash your hands regularly so you don’t get sick, it’s critical to adopt good habits of “digital hygiene” to prevent cyberattacks on your practice. The “illness” threatening your practice is called malware. Malware is an umbrella term for any malicious software criminals use to steal your or your patients’ data.

Ransomware, a particularly sinister type of malware, burrows into your system and begins encrypting all your data so you can’t access it. Then a cybercriminal holds your data for ransom, demanding you pay a hefty sum of money for them to give you access to your own files.

Just like a human virus sometimes can be undetected, malware can be in your computer system long before you realize it. By the time you see symptoms, it’s too late. Cybercriminals are continually developing sophisticated methods for infecting computers and servers without you catching on. There are two primary ways malware gets into your system and holds your practice ransom.

HACKING

Hackers secretly tap into your data by exploiting weaknesses in your IT security. Outdated, unmaintained systems often make smaller, older practices particularly easy targets. Working with a proactive team of IT experts, known as managed IT services providers (MSPs), is an important layer of defense against attacks. These folks can save you money, time and headaches over the long run. They detect threats early to eliminate or reduce damage well before it gets out of hand.

A particular vulnerability is how you are using email. Only use Gmail, Hotmail, Yahoo, etc. for personal or non-patient-specific messages. For anything beyond that, set up a fully HIPAA-compliant, cloud-based email system that protects your information whether it’s sitting in your inbox or being sent to another doctor’s inbox. There are big differences between an encryption-only email for general security and a truly HIPAA-compliant email fulfilling every HIPAA security requirement. These requirements range from verifying recipient identity to making sure no email is altered.

PHISHING

Phishing occurs when a criminal tricks an employee into believing a message comes from a trustworthy source, then convinces them to click a malicious link or provide sensitive information directly (like a credit card number). The attacker is preying on a lack of awareness on the part of you or a staff member. You must educate your whole team to recognize suspicious messages, links and questions to avoid falling victim. If the sender is unknown or claims to be your IT person, MSP or someone in your office yet asks you to click an unusual link, verify the email first with the actual person on your team.

No one is inherently immune from cyberattacks. Take action now by working with a qualified dental IT services provider to assess, boost and maintain your IT immune system. Work directly with your staff to understand what to look for and how to prevent these types of criminals from getting in the door. Healing from an attack is much more difficult and costly than preventing it in the first place.


iCoreConnect, an FDA Crown Savings merchant, specializes in comprehensive software that speeds up workflow for dentists. The FDA endorses these products from iCoreConnect: iCoreExchange HIPAA-compliant email and iCoreDental cloud-based practice management. FDA members receive substantial discounts on both products. Book a demo at icoreconnect.com/fda or call 888.810.7706.

Top 6 Ways to be Prepared for a HIPAA Audit

By Abyde

Let’s be real — there are probably a few things in life we all have an “Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits, yet HIPAA investigations are becoming more common than you might think.

While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints — none of which a dental practice is immune to.

Proactively preparing for anything that might be thrown your way is imperative for your practice to have the ability to handle a HIPAA audit without the consequence of a hefty violation. Here are the top six things you should have in place before a breach, complaint or audit investigation occurs:

1. Security Risk Analysis
The first thing the OCR looks for upon investigation is a properly documented and up-to-date Security Risk Analysis. This shows that you’ve assessed your practice operations and identified any vulnerabilities — before an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement.

2. Practice-specific Policies and Procedures
Proper documentation is key for all aspects of your compliance program, including your practice-specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice and the proper documentation is necessary to prove the expectations and standards you have set for your organization. 

3. Disaster Recovery Plan
Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail.

4. Implement Proper Administrative, Technical and Physical Safeguards
Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements, and ultimately protecting your patients.

5. Staff HIPAA Training
Properly train your staff on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff is staying up to date with any changes to HIPAA regulations or practice operations.

6. Business Associate Agreements
It’s important to be on the same page with everyone who has access to your patients’ secure information. Implementing the proper business associate agreements with all third-party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach.

There’s a lot that goes into your HIPAA program, even more than the top six items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patients’ data.


Abyde is an FDA Crown Savings Endorsed Partner and the Abyde software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. FDA members save 20% on Abyde services that help their practices meet government-mandated HIPAA standards that protect patient health information by identifying and correcting key security safeguards. Visit fdaservices.com/abyde or call 800.594.0883.

This article was originally posted on Abyde’s blog on Aug. 14, 2020. Reprinted with permission.

I Need a Hero

By Dr. John Paul, FDA Editor

I was wearing a long face and being generally disgruntled by all the goings on in this great country when I walked into the room with one of my favorite patients and longtime advisors, Ima Mae Gruntbuns, a great American. Not being one to let me rest on my laurels or rain on any parade she is enjoying, she questioned my lack of enthusiasm for being alive one more day. I complained that people just seem to be sliding back into the slime. Folks I know and like are being nasty to one another. Others think they can run amok, spouting hate and destroying things that don’t belong to them. When one side behaves badly, the other side tries to top them and then the “news” tells you about the worst of us every hour on the hour in gory detail with plenty of video from every angle.

Mrs. Gruntbuns pulled me up short. She said, “Son, you are looking in the wrong place for inspiration. Just because you get elected or you are famous or someone points a camera your way, doesn’t make you a leader or a hero. All those pictures on your Marvel comics scrub top are fiction.”

That was a little disheartening because my wife thinks I look like Thor now that I wear a beard, but Mrs. Gruntbuns wasn’t slowing down.

“Turn off the TV and put down the phone. Last April when no one knew who had or who might die from the coronavirus, who opened his office and removed that fish bone stuck between Mr. Gruntbuns’ teeth?” she continued.

I replied, “Well, I did, Mrs. Gruntbuns, but he’s a friend and I was just doing what I know how to do with the tools I have on hand …”

“Yes, Doc — but you did it. You came in and got him out of pain. He carries that bone around in his wallet and he’s still telling people about it.

“Who grabs people’s tongues with a piece of cotton, pulls it out past their nose and stares at that hangy-down thing and whatever else is in the back of our mouths to make sure we don’t have cancer, or at least catch it early so we can cure it?”

“Well, we dentists do, Mrs. Gruntbuns, but it’s just what we were taught to do in school and it’s the right thing to do,” I responded.

She went on. “Have you counted up the lives you’ve saved, the suffering you prevented? There is a hero or two in every dental office. Every once in a while, an ‘Atta-girl/boy’ and a pat on the back goes a long way, but you don’t need the satellite truck and the pretty newsreader to verify what you do. Just keep doing it for all of us regular folks who may not be famous either but deserve your best effort every day.”

It’s hard to argue with someone who is so right.


Reprinted from Today’s FDA, Jan/Feb 2021. Visit floridadental.org/publications to view Today’s FDA archives.

Your Technological Legacy to Your Children and Grandchildren

By Larry Darnell, FDA Director of Information Systems

You might imagine since I am knowledgeable about technology that at least one of my three daughters might share that gift. Sadly, that is not so. It’s not because I didn’t try to make it so. I consistently provided them with above average technology (usually my hand-me-downs, but still). Often referred to as Techno Dad, I was available to answer any and all questions about technology they had. Once again, few questions arose. Perhaps technological ability skips a generation because two of my three granddaughters have picked up technology and have done things with it that I could never have dreamed about when I was 4 or 7 years old.

Every year before school starts, many law enforcement agencies put out a list of 15 or so apps you should be concerned about that your kids might be using. Google it, it’s easy to find that list. I bet you may recognize five of those. The other 10 you’ve probably never heard of at all. The list probably scares you into checking their devices just to see.

The real question is, how much are you paying attention to what your children and grandchildren are doing with the advanced technology they have at their disposal literally from birth? Do they have limits about when, where and how often they can use the technology? I’m no medical doctor, but I hear reputable people talk about the addictive effects this technology has on children. I see it with my own eyes, and I can’t help but wonder what that will mean for them as they grow older. We’ve had the opioid crisis and I’m afraid a techno crisis is coming soon.

I’m convinced I bought my teenage daughters smartphones so they could text me from their rooms 10 feet away. I know technology is not evil unto itself. It’s a tool. But like any tool, it can be misused, so you need to keep tabs on when, how and for what purpose it’s being used. I heard Simon Sinek in a video recently say, “They are children, you can take it away.” Talk about starting World War III. So, as parents or grandparents, what are we to do? Here are three things to consider.

First, set limits when the phone can be used.

There are technological solutions to this (setting up systems that permit use during certain time frames, etc.) or there is the Sinek method and just take the phone away. However, allowing children unfettered access to technology is not the best idea even if it seems to make your life easier now.

Secondly, determine where those devices can be used.

At the dinner table? Never. School? Limited usage. In their rooms overnight? NO. Teach your children and grandchildren proper use etiquette, but realize you’ll have to adhere to that, too. No “do as I say not as I do” with this stuff.

Lastly, see what they are doing on their devices.

The best way I could do that was to have all the devices funneled through one account. If my kids or grandkids wanted some app, they had to ask me to get it for them. Did I track their website usage? You bet I did. I knew when and where they went on the web. I know all the bad stuff out there. I know the horror stories of people trying to get to our kids through technology. Occasionally, I physically inspect all their devices. I pay for it, so I can have access at any time. They knew this when I entrusted them with it. I’m the parent and I have the responsibility to do my best to protect them.

Our children are too precious to imagine that Google, Facebook, Snapchat or whatever is next will look out for their best interests. That’s our job, and it’s time we start doing it.


Reprinted from Today’s FDA, Jan/Feb 2021. Visit floridadental.org/publications to view Today’s FDA archives.