Cyber security for dentists is a crucial, but largely over-looked, aspect of running a dental practice. Your computers, devices and networks hold confidential patient data and sensitive dental records.
With the rise of cyber attacks on medical businesses, the increasing reliance on the cloud for storage & processing and the introduction of legislation like GDPR, it is essential that dentists make sure they have a strategy for cyber security and protecting their digital information.
ALLOCATE RESPONSIBILITIES IN YOUR DENTAL PRACTICE
When it comes to computer security in a dental practice, it’s crucial to identify what must be done and allocate exactly which team members are responsible for those tasks.
Overall responsibility should rest with a senior manager who has a broad view of all the risks and how to tackle them.
Other individuals can handle particular aspects. For instance, installing security software.
Management should identify which information and technology is really vital to the business, this is where the big risks lie.
For example, damage to your dental practice’s financial or clinical system, or the loss of your dental patient list, could lead to the complete failure of the business.
Other information may be less important. Equally, some computers are probably more critical, or more vulnerable, than others.
Identifying the risks, then establishing what security measures already exist and whether they work, and what extra ones are required, will help you to target your security efforts where they are most needed in your dental practice.
Action: Make a list of all the cyber security steps that need to be taken and make a spreadsheet allocating these tasks to specific members of staff.
PROTECT YOUR COMPUTERS AND NETWORKS IN YOUR DENTAL PRACTICE
Malicious activity could come from outside or inside your dental practice. Attacks from outside, for example by troublemaking hackers or e even competitors, can be protected against simply by installing a firewall.
This is software or hardware which examines all the computer communications flowing in and out of the business, and decides whether it’s safe to let them through. It can also be used to manage your staff’s internet activity. For instance, by blocking access to chat sites where employees might encounter security risks.
You can configure (set-up) the firewall to allow or prevent certain kinds of activity. There are several different kinds of firewall. The router supplied by your Internet service provider (ISP) may already have one built-in, or you can buy a software firewall solution.
Protecting against illicit activity from inside the dental practice requires other precautions we’ll look at elsewhere in this supplement. All of these also provide extra protection against attacks from outside.
Action: Install a firewall to protect your networks and possibly restrict staff and patient usage of the internet in the dental practice.
KEEP YOUR DENTAL PRACTICE’S COMPUTERS AND DEVICES UP-TO-DATE
Suppliers of PCs, software, and operating systems, such as Windows, frequently issue software updates (patches) to fix minor problems (bugs) or improve security. It’s essential to keep all of the computers in your dental practice (and other devices) up-to-date with the latest patches and software updates.
Normally, they can be downloaded and installed automatically. Remember that just one vulnerable computer puts all the others at risk. It’s important to ensure that all available patches are applied to all of them.
Action: Check for software updates on all the devices in your dental practice and upgrade hardware that is outdated.
CONTROL EMPLOYEE ACCESS TO COMPUTERS AND DENTAL RECORDS
Although your computers should be guarded by a firewall, you should still protect user accounts (each person’s ‘identity’ with which they log on to a computer) and sensitive documents with passwords.
Because each individual should have a unique user name and a password, access to different parts of your IT system can be limited to certain people. It is important to remember that some individuals may have more than one user name and password, perhaps if they have multiple roles.
This not only protects against accidental or intentional damage by staff to systems and information, it also provides further security against outside intrusions. To achieve this, you can use security options built in to operating systems such as Windows, or you can buy specialised software online.
Because you identified your biggest security risks and most vital information in Step 1, you can decide whether password control for a given item should be basic (for instance, one password authorising access to an entire computer) or stronger (each document or application requiring a separate password).
Some individuals designated as computer administrators (admins) may be given access to nearly everything, in order to perform technical work. You should keep the number of admins to a minimum.
Security software will usually generate records showing which employees have used particular computers or documents at different times. This can be useful for pinpointing problems, but access to these records should, of course, be tightly limited – otherwise, people misusing the system could alter them to cover their tracks.
Action: Set up your employee profiles on your CRM, website administration and any other online data storage in your dental practice. Make sure you assign the appropriate roles to each team member.
PROTECT AGAINST COMPUTER VIRUSES IN YOUR DENTAL PRACTICE
Malicious software or ‘malware’ (a category including viruses, Trojans and spyware) may not always be as devastating as the headlines suggest, but can still slow down your systems dramatically, and passing them on to customers will win you no friends.
Fortunately, there is plenty of protection available. Your computers may have been sold with anti-virus software (the generic term, although most products also protect against other kinds of malware). If not, you can easily buy it.
This software regularly scans a computer in search of malware, deleting any that is found. Regular updates to head off new threats are key to anti-virus software. So this is one area where it does pay to stick to the big brand names and to ensure that the software is set to receive updates as regularly as possible (ideally daily).
Action: Install and run anti-virus software on all your devices regularly to check for any issues or threats.
EXTEND SECURITY BEYOND THE OFFICE OR DENTAL PRACTICE
Today’s employees sometimes work from home or on the road between dental practice sites using their own laptops, phones and tablets. It is difficult to extend the same level of security you can apply to office computers to these devices.
But, you can reduce risk by requiring any personal equipment used for work is approved first by management or IT. It should have the minimum of anti-virus software, password protection and (where applicable) a firewall.
To protect against unauthorised access to information when a device is mislaid or stolen, it should be possible to delete all the information (“wipe” it), even when you don’t have the device.
This capability is built into newer models; software can also be bought to perform remote wiping, but this must be installed before the device is lost. Ensuring the sensitive data is kept in an encrypted area (see section 7) of the computer or device will stop most attempts to access data.
This is easy to set up using off-the-shelf software. Beware of the dangers when connecting to unencrypted public WIFI, as hackers can intercept data. Check the hotspot is genuine and make sure file sharing is off and the firewall is on.
Action: Conduct a review of all the devices your employees use to access or store patient data or dental records. Make sure they all have the proper anti-virus, firewall and data protection features.
REMEMBER THE DISKS AND DRIVES YOU NEED TO PROTECT IN YOUR DENTAL PRACTICE
Removable disks and drives, such as DVDs and USB sticks, pose security risks in two ways. They can introduce malware into your computers, and they can be mislaid when containing sensitive information.
Ensure that as far as possible, only disks and drives owned by your dental practice are used with your computers. Discourage employees from using them in third parties’ computers (in Internet cafes for example), and set up anti-malware software to scan them whenever they are used in the office.
Action: Establish a plan to track who has possession of each disk or drive at any given time, what information is contained on them and check that all documents are erased from them after use.
PLAN FOR THE WORST
Following the measures in this guide will help you protect against a major security breach. But no system is 100% secure, so it’s worth planning what you’d do if things went badly wrong. First, define what is ‘major’ for you. Something that puts a non-critical department of the business offline for a couple of hours probably isn’t. But something that prevents you serving customers, or performing vital functions such as payroll, will be.
Establish how you will know that there’s a problem. You shouldn’t have to wait for computers to go down; your firewall or anti-virus software, for example, may provide advance warning that something unusual is going on. Plan your next steps.
What help (perhaps a specialist computer company) should you call in? Do you need to contact key dental patients or suppliers to explain that there is a problem? Can some functions be continued using other computers, or pen and paper, while your systems are repaired?
Finally, ensure that it’s clear who is responsible for doing what in an emergency. Your plan can be laid out in a document, and delivered in training sessions. It may incorporate elements of your plans for other disasters, such as a fire on your premises, and cut-down versions can be applied to less damaging computer incidents.
Action: Create a strategy for how your dental practice will handle a major breach of patient data or dental records. Identify your biggest risks and create an emergency contingency plan.
EDUCATE YOUR DENTAL TEAM ABOUT CYBER SECURITY FOR DENTISTS
Tell everyone in the business why security matters, and how they can help, using training sessions and written policy documents. This will encourage them to follow practices such as regular password changes. Most will not have to actively work at security. They’ll simply need to be aware of risks. For example, knowing that they should never click on a web link or attachment in an email from an unfamiliar source.
There are non-technical risks, too. One is social engineering, where hackers try to trick employees into revealing technical details that make your computers vulnerable. For example, a hacker might pretend to work for your computer supplier and claim they need passwords to perform maintenance. The casual atmosphere of social media such as Facebook could be conducive to such deceptions, so employees should be especially wary of discussing your systems and practices on social media.
Action: Create as training session to educate your team on their responsibilities and duties regarding dental records and patient data. Deliver this programme regularly.
KEEP RECORDS AND TEST YOUR DENTAL PRACTICE’S CYBER SECURITY REGULARLY
Security is an ongoing process, not a one-off fix. So it’s important to keep clear records. For example, the decision-making in Step 1 of this guide could help you produce a list of all your hardware and software, along with an indication of how secure each item needs to be.
Similarly, records of software patches and lists of authorised personal devices will help build up a picture of your business’s security status, spot potential weak points, and figure out how any problems arose. Good record keeping will also help you regularly test all your security measures, and ensure that you have functioning, up-to-date software. Any business is only as secure as its weakest link, and testing will make sure that no weaknesses are overlooked.
Action: Create a cyber security strategy for your dental practice by following the steps listed here, creating a plan for each task and regularly testing your systems and strategies.