Julian Perez, Chief Legal Officer, dentalcorp; Jeff Forbes, Chief Technology Officer, dentalcorp
Cybercrime poses an increasingly serious threat to dental clinics. In fact, 61% of Canadian organizations surveyed reported being affected by a ransomware attack in 2021. If patient data has been impacted by a cyber-attack (such as a ransomware event), it may be impossible to provide dental treatment safely. If a dental office’s IT systems or procedural defenses fail, knowing how to react to a cyberattack becomes vitally important.
Hoping for the best, preparing for the worst: what to do if you are hit with ransomware.
The inconvenient truth is that cybercrime poses an increasingly serious threat to dental clinics. The statistics startle: for example, 61% of Canadian organizations surveyed reported being affected by a ransomware attack in 2021. When other varieties of cyber-attacks are considered, like (spear) phishing and malware, a shocking 86% of Canadian companies reported being compromised (in 2021 alone) by at least one successful attack. And dental offices, which are legally required to maintain sensitive patient information for years, make attractive targets for networks of cybercriminals (also known as “threat actors”).
There is no shortage of sobering statistics. Terrifying case studies also abound. Recently, to provide just one example, a Canadian children’s hospital was unable to access its pediatric patients’ records due to cyber-attacks. Cybercrime, which began as a cottage industry, is big business today. Over the last few years, a variety of sophisticated criminal organizations have emerged, some of which boast about “business models” specifically targeting healthcare institutions.
Obviously, the dental profession has tools at its disposal. Resources on how to manage cyber risk exist and specifically address how to prevent the most common cyber-attacks. The US (United States) Government’s Cybersecurity & Infrastructure Security Agency (CISA) provides one such guidebook. Should that sound daunting, many articles (written in layperson’s language) list current best practices for dental offices, such as implementing endpoint detection and response (EDR) in conjunction with a managed security service provider (MSSP). Prevention is undoubtedly the best strategy, and I urge every dental office owner and operator to review and consider the information provided in such resources. Dental offices do not need to be experts in cybercrime; however, teams that fail to do their homework will not have any way to tell whether their current IT partner is doing an adequate job in preparing for and preventing an eventual cyber-attack.
Indeed, custodians of patient records (and those who depend on the successful running of a dental practice) must prepare for the worst. Should a dental office’s defenses fail (or prove inadequate) against evolving cyber threats, knowing how to react becomes vitally important. An effective response to ransomware will protect the clinic’s patient information, operational viability, as well as the reputation of the healthcare professionals involved. Should you arrive at your clinic one morning and find that your files have been encrypted, the steps below will help guide you:
1. Establish the scope of the threat and isolate it.
Not every cyber-attack is created equal. Depending on the point of entry and mechanism of the malware that has infected your systems, the impacted information may be localized to one or a group of workstations. On the other hand, threat actors and the technologies they employ will attempt to compromise and infect any connected networks, servers, and workstations. Therefore, ensuring that system backups are quarantined from the office’s main network is mission critical. When malware is discovered, the first order of business is to get a handle on the scope of the issue and prevent the virus from spreading. A worst-case scenario would be to mistakenly believe that the virus has been isolated, only to find out that it was residing dormant somewhere else in the network and has now infected the backup. To ensure this situation does not get worse, the first call should be to the clinic’s IT services provider and cybersecurity support personnel.
2. Address any clinical risks.
If patient data has been impacted by a ransomware event, it may be impossible to provide dental treatment safely. For example, if the office does not have access to patients’ medical histories, treatment plans and diagnostic imaging, the risk of proceeding with invasive dental surgeries would be significantly increased. When this occurs, there may be no option other than to delay non-urgent interventions or to arrange for patients to be seen at other offices. Although deciding to reschedule patients is difficult, the dentist must put the patients’ best interests front and center. If there are any doubts about whether patients can be safely treated under such circumstances, contacting the College of Dental Surgeons of Saskatchewan (CDSS) and seeking their guidance would make sense.
3. Determine if patient privacy was breached.
One might assume that every successful ransomware attack in a dental office constitutes a breach of patient privacy; however, this is not always the case. It is quite possible that an office’s practice management system (PMS) could be locked or encrypted by ransomware without any of the patient data being accessed or exfiltrated (digitally extracted) by the threat actors. Many ransomware schemes simply charge paralyzed dental practices a fee for the decryption key, which unlocks the affected documents and allows the clinic to regain access to its own patient records. Your IT provider should review your firewall logs to determine which servers and workstations had data exfiltrated. It is important to remember that even if your practice management system was not compromised or exfiltrated, patient information, such as names and addresses, may reside on your workstations or other file servers. If no patient data was breached and the clinic has a viable backup, it may be possible to get back up and running unscathed.
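To make the firewall-log review concrete, here is an added example (not from this article, and not any vendor's tool) of the kind of summary an IT provider would produce from it: it totals the bytes each internal host sent to addresses outside the clinic network and flags hosts above a threshold. The log lines, the key=value export format, the clinic subnet (192.168.10.0/24) and the 100 MiB threshold are all assumed for illustration; real firewalls use their own field names and a real review would also look at destinations, timing and which workstations hold patient files.

```python
"""Summarise outbound transfer volume per internal host from firewall logs.

Added example. The log format, the clinic subnet and the threshold are
assumptions; adapt the parser to the fields your firewall actually exports.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed "timestamp key=value ..." export format.
# Host .5 plays the role of the PMS server, .21-.23 are workstations.
SAMPLE_LOG = """\
2023-03-01T02:11:04Z action=allow src=192.168.10.21 dst=142.250.80.46 dport=443 bytes_out=18240
2023-03-01T02:11:09Z action=allow src=192.168.10.21 dst=203.0.113.77 dport=443 bytes_out=734003200
2023-03-01T02:12:40Z action=allow src=192.168.10.22 dst=192.168.10.5 dport=445 bytes_out=52428800
2023-03-01T02:13:15Z action=allow src=192.168.10.23 dst=198.51.100.9 dport=22 bytes_out=4096
2023-03-01T02:14:50Z action=deny src=192.168.10.23 dst=198.51.100.9 dport=22 bytes_out=0
2023-03-01T02:15:01Z action=allow src=192.168.10.5 dst=203.0.113.77 dport=443 bytes_out=3221225472
"""

INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed clinic LAN
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    if not {"action", "src", "dst", "bytes_out"}.issubset(fields):
        return None
    try:
        fields["bytes_out"] = int(fields["bytes_out"])
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None  # bad byte count or unparseable address
    fields["ts"] = parts[0]
    return fields


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def outbound_bytes_by_host(log_text):
    """Sum bytes sent from each internal host to external addresses.

    Only allowed flows count (denied ones never left the network), and
    internal-to-internal traffic such as workstation-to-PMS is ignored.
    """
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "allow":
            continue
        if is_internal(rec["src_ip"]) and not is_internal(rec["dst_ip"]):
            totals[rec["src"]] += rec["bytes_out"]
    return dict(totals)


def exfiltration_candidates(log_text, threshold_bytes=100 * 1024 * 1024):
    """Return (host, bytes) pairs above the threshold, largest first.

    These are hosts to examine first, not proof of exfiltration: a large
    transfer may be a legitimate cloud backup or software update.
    """
    totals = outbound_bytes_by_host(log_text)
    flagged = [(h, b) for h, b in totals.items() if b > threshold_bytes]
    return sorted(flagged, key=lambda hb: hb[1], reverse=True)


if __name__ == "__main__":
    for host, nbytes in exfiltration_candidates(SAMPLE_LOG):
        print(f"{host}: {nbytes / 2**20:.0f} MiB sent to external addresses")
```

On the constructed sample the server (.5) and one workstation (.21) are flagged; workstation .22 is not, because its large transfer went to the internal PMS server. That distinction is the point of the exercise: the question in step 3 is not whether data moved around the office, but whether it left it.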
4. If data was breached, contain the breach and implement a breach response protocol.
The office of the Saskatchewan Information and Privacy Commissioner (IPC), which oversees the enforcement of The Health Information Protection Act (HIPA), has published Privacy Breach Guidelines for Trustees. According to these guidelines, when patient privacy has been breached, “it is best practice to inform affected individuals and the IPC.” When the number of patients whose data has been impacted is small and discrete, a dentist or dental office operator could follow the guidelines provided by the IPC. When hundreds or thousands of charts have been affected, promptly contacting a privacy lawyer would be wise. Failing to notify the necessary persons and stakeholders, which may include the CDSS and police, or doing so inadequately can lead to a whole new crisis. Note that the RCMP regularly monitors cybercriminals’ web presence. And since such organizations often announce the identities of the companies they have compromised, the police may become aware of the breach before the clinic ever contacts them. Both legal and public relations experts offer invaluable services to businesses going through such a crisis for the first time. It is important not to go it alone in such situations.
5. To pay the ransom or not?
In situations where threat actors have stolen patient data, they may demand a “double ransom,” i.e., payment in exchange for a promise not to publish the clinic’s patient records on the dark web. This has become increasingly common and puts dental offices in an exceedingly difficult predicament. On the one hand, paying the ransom means funding a malicious criminal organization and teaching the threat actors that targeting dental offices pays. On the other hand, a healthcare business is expected to do everything it can to prevent its patients’ records from being published online. As above, consulting with a privacy lawyer is well advised. Additionally, there are third-party agencies that employ cyber-security experts and digital forensic professionals who have conducted extensive research into the big players in the ransomware world. Such organizations can assist with negotiating for the destruction of the stolen patient data. They may be able to advise which ransomware collectives are known for “honor among thieves,” i.e., have a reputation for destroying the ill-gotten information upon receiving payment. Notifying patients should be considered whenever data is exfiltrated. If a clinic chooses not to pay the ransom and patient data is published, ethically, the dental clinic would be expected to notify the impacted individuals. Depending on the data leaked, it may be wise to provide them with protection against identity theft.
6. Complete the investigation and prevent future attacks.
Once the emergency portion of the cyber-event has passed, several steps remain to close the loop. Now is the time to complete a more extensive investigation into how the malware was able to penetrate the office’s defense systems and to fix any gaps in the clinic’s technologies or processes. Finger-pointing is not the purpose of this exercise, but it is fair to ask whether the IT support you received prior to and during the attack could have been better. Training for office personnel on how to avoid phishing schemes or downloading viruses should be part of the remedial plan; indeed, cybersecurity training for healthcare workers should be provided periodically and included in the onboarding of new team members. Once a clinic is up and running again, it may be tempting to try to put the matter in the past and hope lightning does not strike twice. This is an understandable but mistaken impulse. The IPC advises that while proactively reporting incidents may not be mandatory, “it is a good idea to prepare a privacy breach investigation report,” which identifies “the root and contributing causes of the incident.” Analyzing such investigations and the resulting root cause is instrumental in helping a clinic prevent future attacks.
7. Ensure patient health information is stored in an appropriate location and only once.
Finally, clinic management should consider how it handles patient health information. Documents with patient health information should be stored in the PMS and nowhere else. Temporary working documents containing patient health information, e.g., AR reports, should be deleted and destroyed after they are used. Report letters from specialists, for example, should be uploaded to the PMS document center for the relevant patients and destroyed. The more places patient health information resides, the greater the risk.
Cyberedge Group, 2021 Cyberthreat Defense Report, https://cyber-edge.com/wp-content/uploads/2021/04/CyberEdge-2021-CDR-Report-v1.1-1.pdf.
Global News, “Ransomware attack delays Toronto’s SickKids lab results, systems could be offline for weeks,” December 22, 2022, https://globalnews.ca/news/9367174/ransomware-attack-sickkids-toronto/.
Health Sector Cybersecurity Coordination Center, “Royal & BlackCat Ransomware: The Threat to the Health Sector,” January 12, 2023, https://www.hhs.gov/sites/default/files/royal-blackcat-ransomware-tlpclear.pdf.
Cybersecurity & Infrastructure Security Agency (CISA), Ransomware Guide, https://www.cisa.gov/stopransomware/ransomware-guide/.
Chris Jordan, “How dentists can protect themselves from the cyberattack epidemic,” July 7, 2021, https://www.dentaleconomics.com/money/article/14206308/how-dentists-can-protect-themselves-from-the-cyberattack-epidemic.