In response to multiple news reports that hundreds of dentist’s offices have been attacked by ransomware this week as a result of software providers Digital Dental Record and PerCSoft, two Wisconsin-based companies who collaborated on DDS Safe a dental records and patient information back-up and security organization. An expert with the Shared Assessments Program, the member-driven leaders in third party risk management, offers perspective.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Ransomware operators, while for the most part are opportunistic, there has been a pattern emerging of late whereby they are attacking certain specific sectors such as cities, schools, and, in this case, dentist offices. The unfortunate fact that this is the third time this has happened to MSPs since June means that operators are evolving their attacks faster than organisations are able to implement defences.
When we look at a number of these attacks, most are successful not because of any advanced techniques, but rather through tried and tested methods and by exploiting well-known vulnerabilities. While it is impractical for companies to keep up-to-date with every single exploit and patch available, it is worth assessing those vulnerabilities that have the biggest impact and deploying controls that have the best return on investment.
One of the challenges is that technology offerings alone have not been able to prevent the spread of ransomware. Therefore, it is just as important that all staff receive appropriate training and awareness so that they are less likely to fall victim to phishing attacks, which are often the cause of ransomware attacks.
Dental offices that file claims, verify eligibility, or make digital treatment authorizations are operating under the HIPAA regulation and must ensure they have appropriate security and privacy practices in place. There is a perception that dental practices have been flying under the OCR’s radar (the Office of Civil Rights investigates HIPAA violations) for years and this announcement may bring this under renewed scrutiny. As more private dental practitioners migrate to larger managed organizations, emphasis on adequate enterprise-wide security and privacy practices should be top-of-mind for their senior leadership.