TDIC Liability Lifeline 2023 Vol 4


Cyber Threats and Your Dental Practice

IN THIS ISSUE
• Cybercrime and your dental practice
• Training your practice team to combat cyber threats
• Cyber liability insurance is a necessity
• Choosing effective cybersecurity software
• Data backup and your practice’s cybersecurity plan
• Data backup: What’s your risk tolerance?

Vol. 4 2023


79% of all data breaches were healthcare entities. 600 events involving over 26 million people.

A masked figure, dressed in black, nimbly bypasses high-security laser beams with the soundtrack of Mission: Impossible playing in the background. Upon reaching a sterile room with a towering wall of screens, the intruder quickly obtains access to the database, aided by a quirky sidekick working from a van packed with high-tech equipment.

If this is the scene that comes to mind when you hear the term “cyberattack,” you may be ignoring the very real threat of cybercrime to your dental practice. The reality of today’s cyberattacks is that they are no longer committed by a handful of elite, rogue hackers. Contrary to that image, most cybercriminals and hackers work in groups, often small to midsize organizations that mimic the structure of the businesses they aim to defraud.

Dental practice owners often have a false sense of security when it comes to their own cyber safety, imagining that hackers go after larger, more lucrative targets. However, recent statistics underline the alarming rise in cyberattacks on healthcare institutions, including dental offices. In fact, there were over 600 healthcare cyber data breaches in the United States, affecting more than 26 million individuals, according to the 2021 Healthcare Data Breach Report by Fortified Health Security. The same report highlights that healthcare entities accounted for nearly 79% of all reported data breaches.

Recently, the U.S. Department of Health and Human Services warned of new ransomware operators that aggressively target the health care sector with increasingly sophisticated methods. Even the American Dental Association dealt with a cyber incident in 2022 that disrupted services and potentially affected members’ information.

Cyber criminals are recognizing the value of patient data stored within dental office systems. This data, including a combination of personal, financial and records, is a prime target for ransomware attacks or theft, leading to substantial financial losses and reputation damage. In addition, many dental practices fall within both of the top two industries named most vulnerable to cyberattack: small businesses and health care.

In an age where digital transformation significantly enhances the efficiency and accessibility of dental practices, the looming threat of cyber-related risks cannot be overlooked. Cybersecurity is no longer an optional investment; it's an essential shield against sophisticated threats targeting healthcare sectors, including dental practices of all sizes. Implementing robust cybersecurity in your dental practice involves regular staff training on recognizing and mitigating potential cyber threats, investing in reliable cybersecurity software and insurance policies, encrypting sensitive data and maintaining secure backups.


Lifeline Liability

Cybercrime and your dental practice

Health care is especially vulnerable to cyberattacks because hackers know they can potentially access patients’ protected health information and financial records. Even if your practice does not have a website or make financial transactions online, you can still be at risk simply by using the internet and working in a digitally connected office. Ignoring the prevalence and complexity of cyberattacks could lead to dire consequences, making safeguarding against cyber risks an essential aspect of modern dentistry.

The most common cyberthreats dental practices — and other businesses — currently face are data breaches, malware and ransomware. Familiarize yourself and your practice team with the very real threat of cybercrime and how it could potentially occur in your practice.

Ransomware

Ransomware cases are considered the top cybersecurity threat for the health care industry. A ransomware scenario occurs when hackers infiltrate a system and block access and then demand a ransom be paid to lift the restriction. Hackers will generally ask for the ransom to be paid via bitcoin or other untraceable digital currency, making funds unrecoverable once distributed.

In a case reported to TDIC’s Risk Management Advice Line, a practice’s software was encrypted by ransomware. Although the dentist paid the ransom demand, he did not receive the encryption key to regain access. Even an outside computer repair technician was unable to recover the data still on the practice’s server. Ultimately, the dentist had to escalate the matter to the police and suffered from a significant recovery expense. Even if the hackers did reestablish access once the ransom was paid, there was no guarantee that the recovered data would be “clean” or intact. Once a system is compromised, there is no assurance that it won’t get hacked again.

Malware and Data Breaches

Another threat to business owners is malware, short for “malicious software,” which can infect computers through intrusive emails, web links and pop-up alerts. The malware can be downloaded without the user’s knowledge to capture private information.

A dentist called TDIC's Advice Line after discovering her email account was hacked. An email containing an encrypted PDF was sent to 122 of her patients. The email instructed the recipient to download a program to access the PDF. The dentist was concerned that her patients would not realize it was a fraudulent email and would download the program and inadvertently infect their own personal computers. She was advised by the risk management analyst to notify her patients of the fraudulent email and establish a new email account as soon as possible to minimize any damages.

The Department of Health and Human Services’ Office for Civil Rights received reports of 707 data breaches within the health care industry in 2022 alone. While this number may not seem alarming, research published by IBM Security found that the average cost of a health care data breach reached almost $11 million in 2023, almost double compared to the cost of breaches in the financial industry.

Proactive Protection

While cybercriminals are becoming more aggressive and infecting more computer systems, simple human error and misplaced trust are still the leading factors in many data breaches. Thankfully, you can take steps to help protect yourself and your practice from cybercrimes.

Strengthen passwords. Make sure each employee has a unique password that contains a combination of lowercase and uppercase letters, numbers and special characters to deter potential hackers from gaining access. Security experts suggest shifting to a “passphrase.” A passphrase is a password composed of a sentence or combination of words. Passphrases are longer than the average password, making them harder to crack and increasing the overall security of a user’s account. An example of a strong passphrase with a few random words stitched together is “R3dEleph@ntPizzaIsDelicious.”

Initiate cyber safety protocols. Educate your staff on the latest cyberthreats and include your practice’s cybersecurity policies and training protocols in your employee manual. Employ a multi-user system for the release of sensitive information. For example, make it a policy that two employees must sign off before providing anyone with secure information, such as passwords or file access, to prevent falling victim to a cyber scam and jeopardizing your computer system.

Back up your data. You can back up your files and data on a network-attached storage device, portable hard drive, USB flash drive or online through sites like Google Drive, Dropbox and Mozy. It’s a good idea to back up files daily, which will make recovering data easier in the case of cyberattacks or computer system damage.

Use safety features. Install antivirus and antimalware software for all your devices and update when available. Use an encrypted virtual private network (VPN) when connecting to an unfamiliar Wi-Fi network to ensure a secure connection. These measures will help prevent your data from being compromised.



Training your practice team to combat cyber threats

You and your practice staff are already on the frontlines of the fight against tooth decay. During your training to become dental professionals, you likely didn’t expect the need to master fighting cybercrime as well. In the digital age, dental practices must fortify their defenses against evolving cyber threats. The good news is that the skills necessary to prevent cyberattack are not unlike those needed for establishing an oral health routine. Education, regular care and healthy habits top the list. Here are several ways dental practice owners can empower their teams to enhance cybersecurity:

Education on common threats. Initiate training by educating your staff about prevalent cyber threats. Provide examples of phishing emails, ransomware and other types of cyberattacks to illustrate how these threats can manifest in a dental practice setting. Offer insights into the tactics cybercriminals use to deceive and compromise systems. One great resource comes from the podcast “Nobody Told Me That!” In episode 113, Teresa Pichay of the California Dental Association and Colette Johnson of TDIC share real-life stories and offer valuable insights into protecting sensitive patient information and staying compliant with HIPAA regulations.

Regular training sessions. Conduct periodic training sessions to keep your staff updated on the latest cybersecurity practices and threats. Cybersecurity is an evolving landscape, so continuous education is key. Encourage active participation and provide resources to reinforce the training material.

Simulated phishing exercises. Implement simulated phishing exercises to test your staff's ability to recognize and respond to phishing attempts. This hands-on approach allows employees to experience real-life scenarios in a controlled environment, helping them identify red flags and respond appropriately. Many cybersecurity consultants offer security awareness training and simulated phishing exercises.

Establish protocols and reporting mechanisms. Make sure your staff have clear protocols to follow in a suspected cyber threat. TDIC’s Cyber Event Checklist is a good place to start when establishing your own protocols. You can also post in your office the seven steps to take if you experience a cyber breach (see Liability Lifeline 2023 Volume 3, page 11). Encourage open communication and provide a straightforward reporting mechanism for any potential security concerns. Ensure all staff members understand the escalation procedures.

Access control and password management. Train your staff in secure access control and password management. Emphasize the importance of strong, unique passwords and the necessity of regularly updating them. Implement two-factor authentication for added security. To assist in creating and using strong passwords, consider using a password-saving program like LastPass or 1Password.

Software updates and patch management. Educate your team on the significance of timely software updates and patch management. Ensure they understand the role these updates play in fixing vulnerabilities and protecting the practice's systems. Patch management is simply the process of applying updates to software, drivers and firmware for protection against possible weaknesses. In addition to enhancing security, patch management also guarantees the best operating performance of digital systems, boosting practice productivity. You can work with your IT provider on patch management, or a class of software called “managed services” can automate the process for you.

Cybersecurity best practices in patient interactions. Train staff on maintaining patient data confidentiality and secure data transmission. Highlight the significance of secure communication channels and the secure handling of patient information. For more guidance on protecting patient data, register for TDIC’s on-demand course, "Anti-SLAPP, HIPAA and How to Respond to a Negative Review."

It doesn’t take a cape or mask to fight cybercrime. Cybersecurity is an ongoing effort, and regular training and education are crucial to staying ahead of the evolving risks. For additional protection, risk management experts recommend investing in the services of online security consultants, industry webinars and online training platforms that offer cybersecurity courses tailored for health care professionals. TDIC policyholders can contact the Risk Management Advice Line for additional guidance.


Earn C.E., plus a discount on professional liability insurance.

NEW TDIC SEMINAR

Communication, Care and Clear Protocols

Ensuring Safety for Patients of Every Age

Through an engaging, self-guided course, learn how to sharpen your critical communication and documentation skills to lessen potential complaints, claims or lawsuits. Take all the course modules at once or study them as time allows, at your own pace from the comfort of your home or office. Upon course completion, earn 3.0 units ADA CERP C.E. and a 5% Professional Liability premium discount.* Learn more and register online at tdicinsurance.com/seminars.

*THIS COMMUNICATION IS FOR THE PURPOSE OF SOLICITING SALES OF INSURANCE PRODUCTS. Void where prohibited. Not available in all states. For full rules, visit tdicinsurance.com/RMdiscount. CA Lic #: 2361-4. The Dentists Insurance Company, 1201 K Street, 14th Floor, Sacramento, CA 95814


Protecting dentists. It’s all we do. ®

At The Dentists Insurance Company, our name is our promise. Practice with the confidence that you’re covered by TDIC, and our singular focus is you.

• Unique understanding of dentists’ needs
• Unmatched experience and proven expertise
• Earned dental association endorsements
• Comprehensive coverage at a fair price
• Rated A by AM Best for 29 years in a row

See the difference at tdicinsurance.com.

@TDICinsurance | tdicinsurance.com | Lic # 2361-4

AM Best Company rating effective February 2023. For the latest rating, access ambest.com.


Cyber liability insurance is a necessity

Not only is the risk for targeted cyberattacks high in health care, TDIC’s Risk Management experts warn that when a dental practice is the victim of a cyberattack, its business grinds to a halt. With more practices going to fully electronic business practices with scheduling software and electronic charting and billing, it’s likely that without their data, staff can't even set up the rooms for patients. In short, being victimized is costly for unprotected dental practices.

Did you know ...
• 50-70% of connected devices in dental offices have vulnerable security.
• Cyberattacks have increased by 400% since 2020.
• The average cost per patient whose data is compromised in a data breach is $400.
• In one recent cyber claim handled by TDIC, the total costs to conduct a forensic IT investigation, get systems back online and cover lost business neared $100,000.

Despite the rising threat and potentially catastrophic costs of cybercrime, a 2021 survey by AdvisorSmith reported disheartening statistics on the financial preparedness of small businesses:

• 64% of small businesses are not sure what cyber insurance is or what it covers.
• Only 17% of small businesses have some form of cyber insurance coverage.
• 72% of small businesses that purchased cyber insurance only did so after experiencing a cyberattack.

Maintaining robust cybersecurity in your dental practice can help prevent cyber threats. However, when it comes to mitigating the damage of an actual cyberattack, the importance of a cyber liability insurance policy cannot be overstated.

TDIC’s Risk Management analysts point out that many practice owners mistakenly assume that losses from cyber incidents will be covered by their business owner’s policy. Since cyber coverage is not standard to most business policies, assuming it is included in your existing policy can lead to a significant coverage gap. Contact your insurance advisor to see if you are adequately covered.

TDIC offers a Cyber Suite Liability policy built just for TDIC Business Owner’s policyholders.

Cyber Suite Liability coverage

What is it? This type of policy provides tools for responding to and recovering from cyber incidents with the range of coverage varying by insurer. A TDIC Cyber Suite Liability policy goes beyond data breach. It covers the costs related to breach of information, unauthorized intrusion or interference with computer systems, damage to data and systems from computer attacks and related litigation. In most cases, general liability policies do not fully cover cyber incidents, so adding cyber coverage to your Business Owner’s policy is a good defense against the financial effects of cyberattacks.

Who needs it? Practices of every size need comprehensive cyber protection because dental offices are particularly vulnerable businesses when it comes to cyberattacks due to handling both financial and sensitive HIPAA information.

How does it protect you? Proactively adding cyber coverage helps protect your records, reputation and practice costs. The immediate cost of a data breach can be significant; the latent costs can be devastating without coverage.

What should you look for in your coverage? Every state has laws that require businesses to notify consumers of data breach — as a minimum. Choosing a comprehensive, cyber-specific policy ensures you not only have the means to comply with the law, but also can protect your records and reputation while responding to and recovering from a broad range of incidents. In addition to financial protection, as part of TDIC’s risk management resources for policyholders, you have access to reference tools, guides and checklists for navigating cyber threats. Contact your insurance advisor to learn more about cyber liability coverage from TDIC.


In doubt about how to navigate an issue? We’re here for you!

The Dentists Insurance Company offers tools to navigate potential liabilities in the areas of documentation, employment, patient care, property and more. TDIC policyholders can tap into resources, guidance and education to mitigate the risks of practicing dentistry today.

Time-saving Resources
• Dentistry-specific reference guides
• Multilingual informed consent forms
• State-specific forms and templates

One-on-One Guidance
• No-cost Risk Management Advice Line
• Dedicated analysts with unique expertise
• Convenient online appointment scheduling

Ongoing Education
• C.E.-eligible live, expert-led seminars
• Convenient on-demand eLearning options
• Articles and insights on trending risk topics

Plus, policyholders can earn C.E. and lock in discounts on professional liability premiums by completing a risk management seminar. Explore the benefits at tdicinsurance.com/RM.

@TDICinsurance | tdicinsurance.com | CA Lic # 2361-4

Terms and conditions may apply. Visit tdicinsurance.com/Seminars for additional details.



Choosing effective cybersecurity software

Selecting reliable cybersecurity software is essential for protecting sensitive patient data and ensuring the smooth functioning of your practice. Consider the following guidance when choosing and investing in security software.

• Before selecting software, assess your practice's specific security needs. Consider factors such as the volume of patient data, the number of devices connected to your network and potential vulnerabilities. Determine if you need antivirus, anti-malware, firewalls, encryption or comprehensive cybersecurity protection.
• Ensure that the software you choose complies with health care and dental industry standards and regulations, such as HIPAA. Verify that the software helps to maintain patient confidentiality and meets the necessary legal requirements for handling sensitive health data.
• Look for software that offers ease of use and seamless integration into your practice's existing systems. It should not disrupt day-to-day operations and should be easily manageable by your staff.
• Opt for software that provides regular updates and robust customer support. Cyber threats evolve continually, and timely updates are critical in addressing emerging vulnerabilities. Confirm the software vendor offers consistent support to resolve any issues that may arise.
• Choose software that can grow with your practice. As your practice expands, the cybersecurity software should be scalable to accommodate the increased need for data and device security.
• While cost is a consideration, focus on the value the software provides. Compare different options, weighing their features, support and reliability against the cost. Investing in comprehensive, reliable software might initially cost more but can potentially provide significant savings in the long run.
• Prior to committing, take advantage of trial periods or demos offered by the software vendors. Trials allow you to test the software's compatibility with your systems. Additionally, seek reviews and recommendations from other dental practices or professional organizations to understand real-world performance and reliability.


Data backup: An essential element in your practice’s cybersecurity plan

Data loss is more than just an inconvenient disruption. It can throw the entire dental practice into a state of panic. Imagine arriving at the office to learn that you are unable to pull up the schedule to determine which patients are coming in, what procedures will be performed or even how the rooms should be set up. As more offices move to electronic records, data backup plays a crucial role in mitigating the impact of a cyberattack by offering a lifeline to restore and recover data, systems and operations. Here's why data backup is so instrumental:

• Data recovery. In the aftermath of a cyberattack, especially in cases of ransomware or malware, attackers might encrypt or compromise data and make it inaccessible. Having a recent, secure backup allows practices to restore their data to a point before the attack, thereby regaining access to critical information without having to pay ransom or rebuild from scratch.
• Business continuity. Cyberattacks often disrupt normal business operations, causing downtime that can lead to financial losses and damage to a practice's reputation. With proper backups in place, a practice can swiftly recover and resume operations, minimizing downtime and maintaining continuity even in the face of an attack.
• Preventing data loss. Backups serve as a safety net against permanent data loss. In case of accidental deletion, corruption or destruction of data during a cyberattack, having copies of information stored off-site or in secure locations ensures that vital data is readily recoverable.
• Reducing recovery costs. Recovering from a cyber incident can be expensive. Data backups minimize recovery costs by enabling a faster restoration process, reducing the need for extensive resources to rebuild systems and recreate lost data.
• Avoiding ransom payments. In ransomware attacks, cybercriminals demand payment in exchange for decrypting data. With a secure backup, businesses can restore their systems without resorting to paying the ransom, thwarting financial losses and discouraging further criminal activities.
• Rebuilding trust and reputation. Swift recovery from a cyber incident is vital in maintaining the trust of patients and other providers. With data backups, practices can minimize the impact on their reputation by demonstrating resilience and a commitment to data security.

Along with a robust cyber liability insurance policy, data backup serves as a critical safeguard against the disruptive and damaging effects of cyberattacks.



Data backup: What’s your risk tolerance?

Data loss is not solely due to cyberattacks. Hardware failures, natural disasters or human error can also lead to data loss. Regular backups safeguard against these unforeseen events, ensuring that essential information is recoverable.

TDIC’s Risk Management Advice Line reports one California dentist lost all his patient records when his hard drive crashed. When he attempted to restore the data by accessing his backups, the dentist discovered his system had not been backing up for two years.

“Having a backup system for storing information is critical, but it is also critical to check those systems,” said Sheila Davis, assistant vice president of TDIC’s Risk Management department. “If you don’t perform regular backups, and you don’t check to make sure those backups are functioning, you run the risk of losing everything.”

In the case above, the dentist did lose everything — and then some. Not only did he have to spend thousands of dollars to rebuild his system, but he also had to recreate patient files. Because dental benefit companies require documentation for claim reimbursement, he had to retake patient radiographs. Furthermore, the dentist had to cross his fingers and hope that his patients were honest enough to pay what they knew they owed because he had no billing records.

“There was a chance he would have to write off a significant amount of income should patients refuse to pay their bills,” Davis said. “Most people are understanding when it comes to computer glitches, but it’s still a risk.”

Whether from human error, viruses, technical malfunctions, natural disasters or theft, data loss can have a huge impact on any business. In fact, nearly half of all small businesses in the U.S. have experienced some form of data loss according to online backup provider Carbonite.

Luckily, there are ways to avoid complete devastation. Topping the list is making sure your backups are running regularly and accurately.

“Too often, people forget to check their backups,” Davis said. “Backups are a fail-safe. But even fail-safes should be double checked.”

John Christopher, senior manager of marketing communications at DriveSavers Data Recovery, said one of the biggest mistakes small business owners make is failing to monitor the performance of their backup systems.

“Backups are not routinely evaluated for effectiveness,” he said. “Often, data is lost when the administrator of a computer system believes the backup system is functioning when it is not. Then, when the primary system fails, there isn’t a backup. Backup systems must be regularly maintained, and files that have been backed up must be regularly reviewed to ensure that scheduled backups are functioning properly and all copied data is corruption-free and useable.”

Cost is one of the major reasons business owners fail to back up their computers. There are upfront costs, such as hardware, and ongoing costs, such as monthly monitoring fees and storage fees. But the costs associated with a data loss are much greater, so maintaining backups is a small price to pay.

“Dentists with up-to-date backups can be back to work within a few days,” Davis said. “Those without can spend weeks trying to get up and running again.”

Another reason dentists fail to back up their data simply comes down to frequency and continuity. Recent studies of businesses found that 41% of users “rarely or never” back up their data. Of those who do, only 10% back up their data daily, while 34% run data backup monthly. Despite the efforts of users who do back up data, one survey found that 79% of businesses have experienced a cloud data breach, and 43% have experienced more than 10 breaches in recent years. Why the discrepancy? Half-measures don’t provide full protection. Real-time backups make the difference.

“What could be more time consuming than having to rebuild your entire system and reconstructing all of your patient records?” Davis asked.

Most experts recommend real-time backups, also known as continuous backups, in which changes are automatically saved as they are made. That way, if a data loss does occur, there will be no gaps in data recovery. Other options include conducting a full backup at a set time, such as once a day or once a week.

“The real question is, what’s your risk tolerance? How much data are you willing to lose? A week’s worth? A month? A year?” Davis asked.

Another consideration is where to store your backups. Many practice owners use external hard drives, but these can also fail if they are connected to a network when a virus strikes or a malfunction occurs. Many business owners are now opting for cloud-based storage, which allows continuous backup and access to data at any time.

HIPAA considerations apply when choosing cloud storage, and dentists should sign a business associate agreement with any cloud service provider. Prior to signing any contract or agreement with a cloud service provider, TDIC’s Risk Management analysts recommend reviewing the contract carefully to understand the terms and conditions of data storage, access and security measures to ensure that the contract aligns with your office's security requirements. Learn more about business associates’ compliance requirements in the U.S. Department of Health and Human Services’ guidance on HIPAA and cloud computing or the ADA's HIPAA resources. State laws regarding how patient medical information should be kept private are sometimes even more stringent, and providers must abide by both state and federal rules.

“We advise dentists who perform hard backups to disconnect the drive and store it off-site in a secure location. Better yet, we recommend investing in a HIPAA-compliant cloud-based data backup service,” Davis said.

Christopher notes that it’s best to have multiple backups stored in multiple locations.

“Keep one backup off-site in case some type of accident or disaster occurs,” he said. “Automate your backup system so there is less likelihood of human error. Regularly check the data on your backup devices to ensure it is useable and to ensure that backups are performing as expected.”
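The two checks this article keeps returning to (is the backup job still running, and is the copied data still intact) can be automated. The script below is an added example, not part of the original newsletter or any TDIC tool; it assumes each backup lives in its own folder under one root, that a `manifest.json` of SHA-256 hashes is written when the backup finishes, and that a daily backup older than 26 hours counts as stale.

```python
"""Backup health check: is the newest backup recent, and are its files intact?"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import List, Optional

MANIFEST_NAME = "manifest.json"  # assumed file name, written next to the backed-up files


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large imaging files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Call right after a backup job finishes: record a SHA-256 for every file."""
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    manifest = backup_dir / MANIFEST_NAME
    manifest.write_text(json.dumps({"created": time.time(), "files": files}, indent=2))
    return manifest


def check_backups(root: Path, max_age_hours: float = 26.0,
                  now: Optional[float] = None) -> List[str]:
    """Return a list of problems; an empty list means the newest backup is fresh and intact."""
    now = time.time() if now is None else now
    problems: List[str] = []
    loaded = []  # (created timestamp, backup folder, {relative path: hash})
    folders = sorted(root.iterdir()) if root.is_dir() else []
    for folder in folders:
        manifest = folder / MANIFEST_NAME
        if not manifest.is_file():
            continue
        try:
            data = json.loads(manifest.read_text())
            loaded.append((float(data["created"]), folder, dict(data["files"])))
        except (ValueError, KeyError, TypeError):
            problems.append(f"{folder.name}: manifest is unreadable")
    if not loaded:
        return problems + [f"no usable backup found under {root}"]

    created, folder, files = max(loaded, key=lambda item: item[0])
    age_hours = (now - created) / 3600
    if age_hours > max_age_hours:
        # The failure in the article: the job silently stopped and nobody noticed.
        problems.append(f"{folder.name}: newest backup is {age_hours:.0f} hours old "
                        f"(limit {max_age_hours:.0f})")
    if not files:
        problems.append(f"{folder.name}: backup contains no files")
    for rel, expected in files.items():
        target = folder / rel
        if not target.is_file():
            problems.append(f"{folder.name}/{rel}: missing from backup")
        elif sha256_of(target) != expected:
            problems.append(f"{folder.name}/{rel}: hash mismatch, file changed or corrupted")
    return problems


if __name__ == "__main__":
    # Constructed sample data in a temporary folder; nothing here is real patient data.
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "2023-11-01"
        backup.mkdir()
        (backup / "schedule.csv").write_text("09:00,exam\n10:30,cleaning\n")
        write_manifest(backup)
        print("fresh backup:", check_backups(Path(tmp)) or "OK")
        (backup / "schedule.csv").write_text("overwritten")
        print("after damage:", check_backups(Path(tmp)))
```

Run it on a schedule and alert on any non-empty result. A matching hash shows the files are unchanged since the backup was taken, not that the practice software can restore from them, so a periodic test restore is still needed.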



Liability Lifeline is published by:
The Dentists Insurance Company
1201 K Street, 14th Floor
Sacramento, California 95814

©2023, The Dentists Insurance Company

Endorsed by:
Alaska Dental Society
California Dental Association
Hawaii Dental Association
Idaho State Dental Association
Illinois State Dental Society
Nevada Dental Association
New Jersey Dental Association
Oregon Dental Association
Washington State Dental Association

Also in: Arizona, Minnesota, Montana, North Dakota, Pennsylvania and Tennessee

TDIC reports information from sources considered reliable but cannot guarantee its accuracy.

Need one-on-one risk management guidance? • Get answers to your critical questions through a confidential phone consultation with an experienced TDIC risk management analyst. • Request a consultation at a time that’s convenient for you at tdicinsurance.com/RMconsult or by calling 877.269.8844.


Risk Management Advice Line | 877.269.8844 | tdicinsurance.com

@TDICinsurance

