Ransomware is a type of software used by cyber criminals to lock you out of your computers and servers. These criminals then demand a large amount of money to unlock your data. Many people do pay these ransoms, although there is no guarantee that you will get all or even some of your data back. Here we look at two cases of attacks on dental practices in Ireland and ask what dentists can do to protect themselves.
One morning in 2013, Dr Patricia Shalloe from Cork came into her practice and found she couldn’t get onto her computers: “We contacted our IT consultants and they quickly figured out that we had been attacked with ransomware”.
The attackers encrypted all her data, deleted her back-ups and asked for a ransom of €5,000, which she didn’t pay. Patricia did have an off-site back-up from six months before the attack. As a periodontist, she also kept all her pocket charting, which allowed her to continue to work on patients: “I had to wing it. We didn’t have an appointment book. We had nothing. We didn’t know who was coming in from one hour to the next or how to prepare so as you can imagine, it was extremely stressful”.
Dr Patricia Shalloe
Because Patricia had IT support and back-ups, she felt she was on top of the situation. Her IT consultant informed her that SMEs are attacked regularly: “If you look at your server, it is under constant attack from people trying to hack into it. If you don’t have something protecting you, you’re going to get ransomware. It’s not a question of if, it’s a question of when”.
Patricia had to report the incident to the Data Protection Commissioner (DPC), Dental Protection, the Dental Council and the Gardaí. However, there is no way of knowing where in the world these attackers are based.
Even if your practice is not fully computerised, nearly all practices will have some kind of computer, even if it is just for accounts or email, and Patricia says: “If you have a computer, it doesn’t matter what you keep on it, if it’s anything to do with your work, you need to have a plan”.
Ransomware attacks are not easily preventable because it takes money and time to get the appropriate IT in place, but it is worth doing. Patricia says the most important thing for dentists is to have a back-up plan, and have off-site and cloud-based back-ups. You should have anti-ransomware software wherever you keep data. It’s important to have good anti-viral software and firewalls. Good staff training and good computer hygiene are also very important. Staff should know when to open emails and if anything looks suspicious, not to open it. The dentist should have final say and staff should know if that they’re unsure about something, they should not open an email or click on a link unless they speak to the dentist first. She also believes you need to have someone to advise you because although you may think you’re good with a computer, dentists aren’t in the cybersecurity business.
Patricia has given two talks on this subject in Ireland and says one of the reasons she did those was to help other people to avoid this experience, because it was awful: “It was a devastating event in my career. It took a year, at least a year, to recover. It was a hugely stressful time for me, probably one of the most stressful in my career, far more stressful than any clinical episode”.
For another dentist, who wished to remain anonymous because he is still dealing with the fallout of a recent attack, cyber criminals got access to the practice’s server through a weakness in the firewall. One employee who works in administration was working from home and had remote access to the server, and there was a weakness in this remote access.
Again, the hackers got into the practice’s system and encrypted all the data. The dentist explains that when they arrived in work the next day, they could get into their computers but they couldn’t access their practice management software. They rang their IT consultant, who told them they’d had a cyber attack. The criminals were demanding $100,000 in bitcoin to unencrypt the data.
Again, the Gardaí, Dental Protection and the DPC were notified. The Gardaí took a statement and passed it to the National Cyber Crime Bureau in Harcourt Street. An investigation was carried out but whoever was behind the attack was never brought to justice, although it was discovered that the person was in Russia.
The Gardaí informed the dentist that this type of crime has increased significantly since the start of the Covid-19 pandemic. With more people online, there is more opportunity, and probably less chance to engage in ‘normal’ criminality.
The practice had two back-ups. The attackers had encrypted one of these as well, but there was another cloud-based one, which had a lot of data but not everything. The dentist says they lost three or four years of clinical notes and x-rays.
There was huge disruption, he says: “For about a week, we had people walking into the surgery. We didn’t know who they were, what they were here for. It was a nightmare”.
They were able to painstakingly scan in some data, which they had on file in other places. The practice also had a separate server for CBCT scans. Unfortunately, this worked off the main system, so the computer didn’t know where to put these scans because the main database was gone. Patients had to be notified and the dentist is still in the process of doing this.
The dentist says that Dental Protection were very helpful. His advice to the IDA is to get the word out to members about the risk of these attacks. He says that he did not realise that he was so vulnerable: “If I had only known I was so vulnerable, I would have had five or six back-ups… I would say to any other practitioner: get your IT guy to show you how they’re going to retrieve the data. Don’t trust anyone. Go down to your server and say: ‘Re-establish me’”.
The dentist says that if the criminals had asked for an amount around €20,000, he probably would have paid it and that it has cost him more than that to restore the data and notify all the patients. He emphasises good IT advice and recommends having at least four back-ups, with one off site. Data insurance is also available and he advises dentists to get this.
He thinks that dental practices are extremely vulnerable to this type of attack: “I just did not know how vulnerable I was. I did not know how much hassle it is. It costs an awful lot of money”.
One positive he says is that patients have been extremely understanding: “They’ve been way more understanding than I thought they would be. When you explain to them that their data isn’t there and that you might need to take a new x-ray, they’re fine about it”.
Bill Holohan, solicitor with Holohan Law
If you are subject to an attack, you must notify the DPC within 72 hours. You should also contact the Gardaí, your indemnity provider and the Dental Council.
Bill Holohan is a solicitor with Holohan Law and previously gave a presentation to the IDA Munster Branch on this subject. He explains: “When someone collects and uses/processes personal data, they have a legal duty of care to protect it. There are also strict limitations to how the data can be used, and companies must make it clear to the person whose data has been retained how the data will be used at the point it is collected, and they must give express permission for those purposes”.
Bill says all businesses should carry out a cyber risk assessment and has six tips for ensuring good cyber security:
- Install a good firewall system.
- Back up your data.
- Keep your network up to date.
- Create an acceptable user policy.
- Insist on strong passwords.
- Make sure that you have appropriate insurance cover in place to cover cyber attacks.
Dr Mark Sanchez, orthodontist and founder of orthodontic practice management system, tops Software, recently spoke to the Irish Orthodontic Society on this subject. He says there are two main weaknesses that small businesses experience in their network security: poor password management; and, lack of training and understanding of phishing (when someone tries to gain access to your system through email or SMS by posing as someone you know or as a legitimate organisation).
Mark explains that the main problems with passwords are that people use passwords that are: too short; single words; used across multiple accounts; shared with others; sent via SMS or email; and, have been hacked previously and now populate widely circulated lists of known passwords. Mark says: “The only way to manage this properly is to use a password management tool like 1Password and/or use a practice management system that has single sign-on built in, as tops Platform One does”.
When it comes to training staff on phishing, Mark says that all staff need to learn and exercise good email hygiene. His advice is to never click on a link in an email or an SMS message: “If you think you really do need to click on that link, know how to verify that the link is okay. Know the signs that give away almost every phishing attack”.
Dr Mark Sanchez, orthodontist and founder of orthodontic practice management system, tops Software.
Mark says dental practices need to protect themselves: “Without question, our practices are prime targets. We aren’t experts in the area of cybersecurity, but we tend to manage our networks ourselves or with the help of someone local. While some have the knowledge and skill, many are self-educated on these topics and don’t pursue study with the passion needed. If your network tech is your brother-in-law’s cousin, you’re likely at risk”.
Bill agrees that dental practices are at risk and says: “Carry out a risk assessment, and if you don’t know where to start, then you need to contact a good IT support service provider who can do that, and install a firewall and antivirus software immediately. Dental practices are especially at risk since healthcare information, such as patient addresses and social security numbers, is worth up to 10 times more than credit card data on the black market. An example was the Wannacry virus attack on the NHS a couple of years ago. Yet few practices have even the basic level of security in place to ensure there are no holes in the net”.
Mark recommends this resource from the US National Institute of Standards and Technology, which has good advice on protecting your business: www.nist.gov/itl/smallbusinesscyber.
Using a dental analogy, Mark compares cybersecurity to flossing: “It’s actually quite easy to do once you’ve been shown how, and it’s even easier not to do. Take a small amount of time to arm yourself with knowledge, and then just use simple discipline to never skip the easy steps of good cybersecurity hygiene”.