What is cybersecurity?
Cybersecurity can be defined in a multitude of ways and with varying degrees of scope and technical depth. Because this article is a brief survey of a large topic, the definition here leans toward explaining the scope of the subject, and less toward the technical nuances of implementation. This approach is not unlike how we, as dentists, evaluate crowns or RPD frameworks; at the chairside, it’s more important to make sure the crown margins are sealed than it is to remember the fusing temperature of porcelain.
Protecting your data
With this background in mind, let’s approach cybersecurity as a series of techniques used to protect data—specifically, protecting the confidentiality, integrity and availability of data in the practice. Understanding these three points will allow for a better understanding of the types, sources, assessment and prevention of the threats that constantly endanger data.
• In the same way that confidentiality functions in a dental setting to protect patients’ private information from unauthorized eyes, digital confidentiality refers to the practice of limiting team members’ access to only the data relevant to their job. For example, your dental assistants should not have access to the practice’s online banking information, because
• Think about the integrity of your data as you would the integrity of your impression material. You expect that the impression will be as accurate on the laboratory bench as it was chairside. Thus, it is critical to make sure that when you enter information like patient demographic data into your system, the information remains unchanged when you retrieve it at a later date.
• Availability is a factor often overlooked. The patient may be in the chair, but if the lab case is late, you can’t proceed. Similarly, your data is useless if you can’t access it when and where you need it.
Categories of threats
With an understanding of what is needed to protect data, it’s easier to examine some categories of threats. While these threats may behave in different ways, their common goals are usually financially motivated or deal in social harm, such as damage to a practice’s reputation.
Hacking: The process by which an unauthorized individual or individuals gain access to a computer network. For example, someone can host an unsecured Wi-Fi connection in a public place, like the airport or a public coffee shop, to steal passwords and login information from unsuspecting patrons who connect to the free, open network.
Viruses, malware and ransomware: Computer programs designed to help an attacker gain access to your data, which makes hacking easier.
Phishing: An identity thief uses an email that mimics a message from a trusted source to trick recipients into clicking a link that compromises their personal information. An example is a fake email “from your bank.”
Social engineering: Someone uses available information—utility bills, social media postings, etc.—to gain access to a computer. For example, a thief will call a victim pretending to be a computer technician and persuade the victim that he needs to install (unknowingly malicious) software on his computer.
Software piracy: Using unlicensed or illegal copies of software. This software can be risky because it may not function as expected, or it may install other software in the background (e.g., a key logger).
Before threats can be combated, it’s important to determine the assets a practice has, which resources are needed to secure (and recover) those assets, and all of the other associated risks.
Physical and digital assets include the hardware in the office and the data stored within it. Hardware includes physical servers, computers and any laptops that leave the premises. Examples of data include the patient database and QuickBooks files.
Physical servers can’t be lost, but they can be stolen. Online backups, meanwhile, can’t be physically stolen, but they can be tampered with or compromised. Don’t use the same password for every website or service the practice accesses, because an employee who learns it could easily send emails in the doctor’s name. Also, it’s not a good idea to leave passwords written down near workstations.
Resources are the services and people who can assist you with prevention, support and recovery. Examples include your internet service provider; the ADA, AGD or other dental societies (for guides and checklists); and security update announcements from the makers of software such as Dentrix, Windows, etc.
Origins of threats
Threats come from three main sources. Being aware of these sources can help prevent security problems.
Internal threats originate within your business and they can be malicious or negligent. For example, an employee sells access to patient records, or a team member accesses office email on a public computer.
External threats are from sources outside your network trying to break in. For example, a patient on your guest Wi-Fi network tries to access your office’s private Wi-Fi network.
Third-party threats include those from vendors or contractors you work with in your office. For example, the company that runs your practice management software experiences a data breach that compromises your information.
To combat internal threats:
• Using individual user accounts instead of one shared login for a particular service.
• Limiting where office records can be accessed.
• Limiting or blocking personal use of computers.
• Logging all access to your network.
• Discussing which information can be shared.
• Having a procedure for antivirus or firewall notifications or warnings (instead of simply clicking “OK” and hoping it goes away).
To combat external types of attacks:
• Keep Windows or other operating system software up to date, including iOS or Android on any mobile devices.
• Use firewall software on all of your computers.
• Use antivirus software on all of your computers.
• Scan email attachments before you open them, and scan any USB drives or other devices that plug into the computer before you open the files.
• Use on-site backup as an easy method of restoring data.
• Use off-site backup for a secondary method of restoring data.
• Have a password policy that requires secure passwords. A good password protocol is a minimum of ten characters, with a minimum of one capital letter, one symbol and one number.
• Do not use the same password for everything, because if one service becomes compromised, then all of them become compromised.
• Use two-factor authentication (TFA) whenever possible. TFA is an additional layer of security that requires something that only the user has—for example, receiving a text message verification code that’s required after a user enters the service’s password.
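The password policy and the text-message verification code described in the last two bullets can be made concrete in code. The following is an added example, not code from the article or from any practice-management vendor: it checks a password against the stated policy (ten characters, one capital, one symbol, one number) and issues short-lived, single-use verification codes that are stored only as a hash, compared in constant time, and limited to a few guesses. The class and function names, the five-minute lifetime, the three-attempt limit and the sample user name are all assumptions made for the illustration.

```python
"""Added example (not from the article): a password-policy check and a
one-time verification code of the kind a second factor relies on.
All names, limits and sample data here are constructed for illustration."""
import hashlib
import hmac
import secrets
import string
import time

MIN_LENGTH = 10  # the article's policy: ten characters, one capital, one symbol, one number


def password_meets_policy(password):
    """Return True if the password satisfies the article's stated policy."""
    if len(password) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    return has_upper and has_digit and has_symbol


class OneTimeCodeStore:
    """Issue and verify short-lived, single-use codes (the text-message step).

    Only a hash of the code is kept, so a leaked store does not reveal live codes.
    Lifetime and attempt limit are assumed values, not figures from the article."""

    def __init__(self, ttl_seconds=300, max_attempts=3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending = {}  # user -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user, now=None):
        """Create a six-digit code for the user; in practice it is sent to the phone, never logged."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # cryptographically random, not random.randint
        self._pending[user] = [self._digest(code), now + self.ttl, self.max_attempts]
        return code

    def verify(self, user, code, now=None):
        """Return True once for the right code inside its lifetime; expired or exhausted codes are dropped."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)
            return False
        if hmac.compare_digest(self._digest(code), digest):  # constant-time comparison
            self._pending.pop(user, None)  # single use: a replayed code must fail
            return True
        entry[2] -= 1  # count the wrong guess
        if entry[2] <= 0:
            self._pending.pop(user, None)
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    print(password_meets_policy("Molar#2024xyz"), password_meets_policy("molar2024"))
    code = store.issue("dr_smith")
    print(store.verify("dr_smith", code), store.verify("dr_smith", code))
```

Passing an explicit `now` lets the lifetime and attempt limit be exercised without waiting; the verification code itself would be sent over the practice’s SMS or email service and should never be written to a log.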
Third-party breaches are those in which data is compromised (confidentiality, integrity or accessibility) based on the action or inaction of a third party—usually a vendor. Apply the same ALARA (“as low as reasonably achievable”) concept we use for radiographs to how you share data with third parties and vendors: Provide them with the minimum level of access required to complete the task at hand. If the vendor requests administrator access, be sure to change your password(s) when the job has been completed. While you cannot control a third-party breach, you can minimize your exposure by keeping as much of your online/cloud-based data as possible encrypted.
The concepts illustrated above apply to all data. However, there are particular security considerations that apply to your website.
HIPAA. There is no clear checklist that will let you know what steps you need to take to make a website “HIPAA-compliant.” Because of this, it’s recommended to minimize the amount of protected health information (PHI) collected through the practice website. Keep website forms brief, and make sure not to collect information such as a patient’s Social Security number, date of birth or medical history. If there is a desire to offer total online form completion, use a vendor that specializes in this type of service and handles HIPAA and security compliance.
Email encryption. All emails sent and received that include PHI should be encrypted. Not all free email services offer encryption as standard! If there is a need to send PHI, work with a service that stores the information securely so that it can be accessed by colleagues.
PCI compliance. If credit cards are accepted on the practice website, stringent security requirements must be followed. These are expensive to set up and to maintain. Because of the cost and the inherent risks, a practice should consider not accepting payments through the practice website. As with HIPAA compliance, a practice that chooses to collect payments through its website should look into reputable third-party vendors that specialize in online payments.
Improperly handling payment transactions or transaction data can lead to HIPAA breaches as well as PCI compliance fines, which can be in the tens of thousands of dollars.
Website security/SSL. On top of having strong passwords for the various services accessed from office computers, it’s important to have the same level of security within your website. There are additional steps to take to secure the website, including disabling the admin user account, locking out users who make multiple failed login attempts, and disabling write access to certain files so that they cannot be altered by malicious third parties.
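Locking out users after repeated failed login attempts is the one item in that list that is pure logic, so here is an added example of it, written for this article and not taken from any website platform. It keeps passwords as salted PBKDF2 hashes, compares them in constant time, treats an unknown user name exactly like a wrong password so the login form does not reveal which accounts exist, and locks an account for a cooling-off period after too many failures. The class name, the five-failure threshold and the fifteen-minute lockout are assumptions chosen for the illustration.

```python
"""Added example (not the article's): lock an account after repeated failed
logins, as the article recommends for a website's admin login.
Names, thresholds and sample data are constructed assumptions."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # assumed threshold before the account is locked
LOCKOUT_SECONDS = 15 * 60   # assumed cooling-off period
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Password check with per-account failure counting and temporary lockout."""

    def __init__(self):
        self._users = {}     # username -> (salt, digest)
        self._failures = {}  # username -> [failure_count, locked_until]

    def add_user(self, username, password):
        self._users[username] = hash_password(password)

    def is_locked(self, username, now=None):
        now = time.time() if now is None else now
        _, locked_until = self._failures.get(username, (0, 0.0))
        return now < locked_until

    def login(self, username, password, now=None):
        """Return 'ok', 'locked' or 'denied'. Nothing in the reply says whether the user exists."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        record = self._users.get(username)
        if record is None:
            # Unknown user: do the same hashing work and give the same answer as a
            # wrong password, so response time does not reveal valid user names.
            hash_password(password, b"\x00" * 16)
            self._note_failure(username, now)
            return "denied"
        salt, digest = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            self._failures.pop(username, None)      # success clears the counter
            return "ok"
        self._note_failure(username, now)
        return "denied"

    def _note_failure(self, username, now):
        count, locked_until = self._failures.get(username, (0, 0.0))
        count += 1
        if count >= MAX_FAILURES:
            # Lock the account and reset the counter for the next window.
            self._failures[username] = [0, now + LOCKOUT_SECONDS]
        else:
            self._failures[username] = [count, locked_until]


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("admin", "Crown#Margin2024")   # constructed sample credential
    print(guard.login("admin", "Crown#Margin2024"))
    for _ in range(MAX_FAILURES):
        print(guard.login("admin", "wrong-guess"))
    print(guard.login("admin", "Crown#Margin2024"))  # locked until the window passes
```

In a real deployment the failure counters would live in the database rather than in memory so that they survive restarts and apply across all web servers, and the lockout events would be logged, since a burst of them is itself a signal worth reviewing.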
A secure sockets layer (SSL) certificate is also a must. An SSL certificate creates an encrypted link between a website and the visitor’s web browser. In the past, an SSL certificate (the padlock you see in the top left of the browser bar when you visit online banking or make a secure payment) was used mainly for banking and financial transactions to encrypt the data as it travels from a computer over the internet to the bank’s server.
Google has recently made it known that it would like the entire internet to eventually run more securely, and as such, websites that use an SSL certificate could see a bump in SEO rankings, compared with sites lacking SSL certification.
• Own your own accounts and domain names.
• Have administrator access to your website.
• Have your own backup of your website.
As with all aspects of dentistry, protecting the digital side of your practice is a group effort that requires buy-in from team members and coordination with vendors. Now that you have an overview of the scope of the task ahead, it’s time to put a plan into effect. For example, as a web provider, my team and I have a website security checklist, and our colleagues in the IT field have similar lists of steps to take to secure your network from the inside and out, and to secure your patient information. And once you’ve started the process of putting security at the forefront, run a backup of your office data and your website data, and call it a day.