3 Questions Every CEO Should Be Asking

10/17/2024

Safeguarding the Modern DSO from Ongoing Cyber Threats

The dental industry is currently at a unique inflection point. There is increased demand for data, increased cybercrime, and ongoing privacy concerns, which together challenge practices — and their brands — like never before. The transition to digital has improved the ability to collect and process data and empowers dental practices to provide a better experience for their patients, employees, and partners. However, it has also created new vulnerabilities that can significantly impact EBITDA and the “brand trust” they work so hard to create.

Data has never been more important. The role of data — its quality and security — is instrumental to fueling technology, running operations, automating processes, enhancing experience, and improving decision-making. Data is, indeed, the linchpin for innovation in the industry.

Unfortunately, this data is of value both to your organization and to outside threats. Healthcare organizations store immense amounts of patient data, making them attractive targets for cybercriminals. Cyberattacks, data breaches, and ransomware represent real threats to your data and business. Ransomware attacks alone have tripled (246%) in volume over the past five years and top the list of biggest perceived security threats. Needless to say, a breach can lead to severe financial and reputational damage to a DSO, regardless of size.

Gary Salman, CEO of Black Talon Security, emphasizes the importance of cybersecurity for DSOs. “Protecting your investments and critical patient data is paramount. Cybersecurity is not just about safeguarding sensitive information but also about preserving the trust and integrity that are fundamental to patient care. A robust cybersecurity strategy ensures that DSOs can operate securely and confidently in a landscape where data breaches and cyber threats are increasingly prevalent.”

The often uncomfortable conversations about cybersecurity can no longer be ignored. It is no longer just about meeting compliance, but it is about safeguarding the lifeblood of your organization and demands attention and engagement from the highest levels of corporate leadership. When it comes to cybersecurity, there are three big questions every C-Level leader should feel comfortable answering. Leaders, it is time to get informed of the risks and equip yourselves with the right questions and tactics to disarm cyber threats.

“Effective cybersecurity is required for all businesses in the healthcare space. As a holding company, we need to be great partners and find and recommend great strategies for the 100+ small businesses who we are partnered with. The tools that my third-party security provider has deployed on our systems give me much greater visibility than I had before. I can actually track and keep a tally of attacks that were launched against some of our businesses. If even one of those attacks were successful, it would have cost our organization more money than we will ever spend on preventative security. That fact alone makes it easier for me to justify what I ask for when submitting my IT/security budget. I can emphatically state that I sleep better at night after partnering with a third-party cybersecurity provider.”
– Andy Taylor, Senior Director of IT for Dentive

1. What’s at risk if I don’t invest in cybersecurity?

Your patients’ financial and medical data is at risk.
Patient records, including personal and medical information, are among healthcare organizations’ most valuable assets. Healthcare data is attractive to cybercriminals because it contains financial and personal data, can be used for blackmail, is ideal for fraudulent billing, and is regulated under HIPAA.

Your brand reputation is at risk.
Building a positive brand image is a gradual task that takes years. Within days, a cybersecurity breach can undo brand perception, severely damage an organization’s reputation, and erode patient trust. While security starts with internal commitments and discipline, to the outside world, security plays a significant role in achieving customer satisfaction — infusing trust into each interaction with your brand.

You risk regulatory fines and legal action.
With the increasing number of data privacy regulations, compliance has become a significant concern for all healthcare leaders. Implementing a strong cybersecurity strategy is not only a best practice but also a legal necessity to avoid the possibility of hefty fines and legal repercussions.

You risk significant financial loss.
Cyberattacks can have devastating financial consequences. The impact ranges from large ransom payments and business disruption to costs for remediation, legal fees, possible regulatory fines, and potential class action lawsuits. The revenue cycle is disrupted, often creating difficulty making payroll and paying expenses. A 2020 estimate from IBM placed the average monetary cost of a data breach in a company with fewer than 500 employees at $2.64 million.

CASE STUDY

A hard-hitting example of what’s at risk:

In mid-October 2023, a multi-specialty DSO with 15 locations running a Cloud-based EMR system was the victim of a significant ransomware attack.

The first indications of the event were ransom notes and encrypted files on almost all of their 400+ computers, which employees discovered upon arriving at their desks. Internal IT was immediately contacted, and the ransom notes and encrypted files were quickly confirmed as real. The hackers had accessed the data and downloaded patient records via workstations within the DSO. The hackers had also installed screen-sharing applications on the computers, giving them persistent access to the network.

After a week, a difficult recovery process began. Since each machine was impacted, all workstations and servers needed to be rebuilt from scratch. The rebuilding process took two weeks due to the size of the organization.

The ransom demand was more than $2,000,000, and the hackers provided a detailed list of all the patient records and files they stole. The DSO chose to negotiate and pay the ransom in order to get the decryption code to unlock their data. This also mitigated the chances of the hackers publishing and selling the stolen patient and operational data. The hackers agreed to accept $1,400,000, utilizing Bitcoin (BTC).

After four weeks, the DSO had exhausted its $3,000,000 cyber insurance policy. It was paying out of pocket an average of $250,000 per day for mitigation and recovery while generating $0 in revenue due to closed offices. This DSO experienced a total loss of over $5,000,000 from operational outages due to the inability to see and treat patients, collect accounts receivable, office closures, legal fees, restoration expenses, and the ransom payment.

The IT department was not necessarily negligent; they were simply unaware of the sophistication of modern-day ransomware attacks and missed critical components of a robust security stack. A comprehensive offensive and defensive security stack could have prevented the intrusion and exploitation of the network.

This real-life example is not an outlier. Unfortunately, it is all too typical. Operational shutdown is a likely and immediate consequence for DSOs with more than five locations, lasting 7-10 business days. Generally, every workstation and server is impacted and requires a replacement or rebuild. Also, nearly all healthcare breaches involve patient data theft, which requires a forensic investigation. Painfully, no data can be moved or accessed until the investigation concludes. Engaging a cybersecurity firm for threat negotiations and forensic investigation is crucial and expensive. Ransoms for large dental organizations start at around $1 million.

Beyond the immediate aftermath, recovery is lengthy and expensive. DSOs may be required to notify patients of the breach, offer ID monitoring, and face compliance fines and possibly class-action lawsuits due to data theft and exposure. Often, the reputational harm of the event presents PR nightmares and the possibility of patient attrition when not handled properly.

2. Are we equipped to handle a cyberattack?

As a C-suite executive, you may not be a cybersecurity expert, but it’s crucial for you to understand your organization’s cybersecurity posture and potential vulnerabilities. To ensure that your organization is adequately protected, begin by asking your IT resources the following questions:

  1. Where is our organization most vulnerable to cyberattacks?
  2. When was our last vulnerability scan and what action was taken with these results?
  3. Do we have continuous, 24/7/365 monitoring of our network and data?
  4. Do we have a complete inventory of our data locations and the assurance that it is protected everywhere?
  5. What is the status of our cybersecurity awareness training at all levels of the organization?
  6. When was our last third-party security risk assessment conducted?
  7. Do we have a comprehensive response plan and protocol for handling a cyber intrusion?
  8. When was our last penetration test performed?
  9. Do we have a data map showing where all our data is stored?
  10. Do we have KPIs and Business Intelligence showing us trends in our security risk?

The answers to these questions will provide valuable insights into your organization’s security posture and help to highlight areas that may require immediate attention.

“After our IT provider fell victim to a ransomware attack across all of our dental locations in Maryland, we turned to Black Talon on our insurance company’s recommendation. Their team was not only able to negotiate the ransom down by 25% but also managed the entire decryption process swiftly and effectively. Throughout the ordeal, they communicated clearly and patiently, guiding us through each step in a way that was easy to understand, even for someone not versed in IT. Their professionalism and support were invaluable during what was undoubtedly the biggest crisis of my 20-year career. I highly recommend Black Talon for their expertise, prompt response, and unwavering dedication.”
– Dr. T

3. What is our approach to preventing security threats?

Consult with experts and take a proactive, data-driven approach to prepare for the unexpected. An excellent place to start is a conversation with your IT resources and cybersecurity provider to assess gaps, prioritize focus areas, and implement changes accordingly. Meanwhile, there are also several proactive steps to consider. Start on these sooner rather than later.

It’s essential to distinguish between IT resources and dedicated cybersecurity firms. IT companies concentrate on managing and maintaining your overall infrastructure, which includes tasks like managing firewalls, traditional antivirus protection, maintaining hardware, software updates, and backups. In contrast, cybersecurity companies go beyond traditional IT measures and specialize in safeguarding your data against threats and breaches. They employ highly credentialed security engineers who apply advanced security measures such as intrusion detection and encryption, and who conduct regular security audits, penetration testing, and vulnerability assessments to ensure comprehensive protection.

Empower employees
Foster a security-conscious culture within the organization where every employee understands their role in protecting its information assets. Educate them on the latest cybersecurity threats and train them to recognize and thwart cyber risks, social engineering, and other common threats. Conduct regular simulated security and phishing tests to reinforce this training and measure performance.

Conduct vulnerability scans
Exploiting technical vulnerabilities is the second most common way hackers successfully target healthcare organizations. Vulnerability scans are a way to find the wide-open “doors and windows” on your network before a hacker does. Using continuous vulnerability scanning tools helps identify weaknesses before hackers can exploit them. Vulnerability scans should be performed daily against your entire IT infrastructure, including all workstations, servers, and firewalls.

Implement advanced XDR and MDR anti-virus technology
Traditional anti-virus (AV) software has been a useful tool for the past 30 years to defend organizations; however, it is not designed to protect DSOs from modern-day cyberattacks. Criminal groups that target healthcare organizations are well-funded, sophisticated, tech-savvy gangs of cybercriminals. They have copies of most of the AV programs on the market and know how to re-engineer their malicious code to become invisible to traditional AV.

Upgrading your defense to Extended Detection and Response (XDR) or Managed Detection and Response (MDR) can significantly increase your chances of fending off an attack. XDR and MDR use advanced analytics, machine learning algorithms, and threat intelligence feeds to detect and prioritize security threats, isolate endpoints, and notify those responsible for network monitoring. An effective MDR solution should include 24/7 monitoring by a human security professional.

Conduct security risk assessments (SRAs)
Engage a third-party expert to perform an SRA against your DSO. This assessment should involve a thorough analysis of your organization’s security posture, including identifying threats, vulnerabilities, operational risks, and missing controls and SOPs. The third party will provide you with a risk register, guidance on prioritizing risks based on their potential impact, and recommendations for appropriate mitigation strategies and controls to address the identified risks. Commit to annual assessments and consider increasing their frequency after major changes such as mergers, technology integrations, and shifts in the threat landscape. It’s especially crucial during the due diligence process to complete a comprehensive SRA before proceeding with an acquisition, as you don’t want to inherit any security breaches (or “buy a breach”).

Develop an incident response plan
The time to plan for a cyber incident is not in the middle of the crisis. It is critical to have a plan in place before an incident occurs. Develop a detailed incident response plan highlighting the steps for detecting, responding to, and recovering from different types of cyberattacks. Ensure that everyone in your organization is aware of their roles and responsibilities during a security incident.

Commit to implementing and validating
Once you’ve committed to implementing these top strategies, develop a way to track and verify that the money you are spending on protection is being used effectively. Modern security professionals are looking at ways of reducing redundant toolsets, increasing visibility into their blind spots, and monitoring from a “single pane of glass.”

Develop security metrics
Security metrics allow you to base decisions on actionable data. Executive teams often make cyber decisions based upon “feelings” instead of developing a way to quantify risks and impacts. Cyber resilient DSOs monitor and track:

  • Real-time security metrics through actionable dashboards that ingest data from all your computers, servers, firewalls, anti-virus, and people. This gives you a clear picture of where your security risks lie so you can either accept or remediate them.
  • Current and historical data so leadership can ensure their IT and cybersecurity investments produce results.
  • A cybersecurity risk score based on vulnerabilities from computers and firewalls, threats stopped, cybersecurity training, simulated phishing, open ports on firewalls, and more. This risk score helps non-technical leaders grasp the overall risk and helps them align budgets to address it or ask more follow-up questions.

Today’s prevention secures tomorrow’s future
As stewards of the organization, executives set the tone for their organization to follow. Incorporate cybersecurity and risk management into your strategic planning. The outlook may seem bleak, but attacks are preventable. Implementing robust preventative measures will significantly reduce your risk. In these changing times, reevaluate your cybersecurity strategy to safeguard your revenue cycle, EBITDA, and growth plans against the consequences of inaction or outdated security practices.

This article is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy.

To evaluate your group’s current security posture visit www.blacktalonsecurity.com.
