What is a Phishing Scam & How Can You Protect Your Dental Practice from It?

By: Daryl Smith on April 20th, 2021

As a dental practice owner, you’re running a healthcare organization that houses a wealth of private patient data. From names and home addresses to social security numbers and billing information, just think of your hundreds or thousands of patients captured in your database. 

In the wrong hands, the data of your patients, employees, and organization could be maliciously stolen or used against you. 

The first step in safeguarding your practice against cybersecurity threats is to educate yourself and your employees about the danger of a data breach, and to give the most common hacking scam a name: phishing.

What is a Phishing Attack?

Before a fisherman casts a line, he attaches a tasty piece of bait on the hook. He knows the hungry fish will be fooled by the floating snack, chomping on the worm without noticing that it's attached to a hook, which pierces it and stops it from swimming away. 

Hackers who rely on social engineering are like fishermen. Social engineers get their name from “engineering” believable social situations to trick unsuspecting targets. Just like a fisherman baits his line, social engineers phish for ways to trick employees with a false narrative. This trick may be a hacker sending an email pretending to be you (the boss), asking your receptionist to transfer money. Or it may be someone making a phone call posing as a distraught employee from another dental practice, phishing for private information about a patient.

There are a number of ways social engineers can fool your team, but the goal is usually the same: to obtain sensitive information or money from an employee, or to deploy malware onto your dental practice devices to hack in and acquire the data themselves.

Why Are Dental Practices a Prime Target?

Data breaches are an all-too-real problem for dental practices, with over 93% of healthcare organizations reporting a security breach in the last five years, according to Black Book research. And oftentimes, when these breaches hit, they hit hard. According to a 2017 study sponsored by IBM Security and conducted by Ponemon Institute, data breaches cost U.S. companies an average of $225 per compromised record. Per patient!

But why dental offices? For starters, the social engineer knows that you store a lot of private patient info in your databases. To them, the more data they can get, the bigger their pay-off when they sell it on the dark web to individual hackers who will steal from your patients or employees. 

Secondly, most hackers know that dental practices often don’t financially invest as heavily in cybersecurity measures as do larger healthcare providers. It’s not uncommon for a practice to not have a single IT person on staff, or to not invest a dime in employee security awareness and training. That means all it takes is one successful phishing attack against one employee and the hacker has the keys to your database’s kingdom. 

A Few Key Ways to Protect Your Dental Practice

While no practice is completely unhackable, there are a few best practices your dental practice can follow to reduce your chances of falling victim to a malicious phishing scam:

  • Educate your employees on cybersecurity threats and best practices for avoiding them. While not all dental practices prioritize investing in cybersecurity awareness training programs, they often do wonders in teaching your team what to look out for. Many are set up like online courses, with instructional video content and quizzes to test knowledge and understanding. If this isn’t in the budget, consider sharing helpful resources with your employees so they can educate themselves, and set aside an hour or so of paid learning time for staff each week. The Federal Trade Commission (FTC) has a great resource, How to Recognize and Avoid Phishing Scams, to get you started. And we have an easy-to-understand explanation of one of the most common attacks: ransomware.
  • Make immediate process and software updates to increase your cybersecurity. After investing in cybersecurity awareness training, you’re sure to come away with a few important ways to better protect your practice. Set up multi-factor authentication, increase your password strength, install strong security software, routinely install updates, and back up all data! Do whatever you need to make it harder for hackers to breach your practice. Oftentimes, it’s easier to outsource to a partner to help with this, since it would mean a lot of research and tech-savvy implementation on your part. You’re busy enough as is!
  • Conduct annual cybersecurity risk assessments. Yearly risk assessments make sure all the private data you house is protected and there aren’t any loose ends for hackers to exploit. This is likely already a required item on your annual checklist for HIPAA compliance purposes, but rarely do practices really analyze the report and make the recommended adjustments beyond the bare minimum to pass compliance. If used to its full potential, the risk assessment will pay for itself time and time again by saving you from the financial and reputational repercussions of a data breach.
  • Get a partner for professional IT and security support. Chances are, your practice doesn’t have its own full-time information technology and cybersecurity manager on staff. While you might not have the need for an in-house security specialist, consider outsourcing IT support. This expert would be only a phone call away when you have any concerns or questions and can monitor your protection consistently and remotely to keep your practice’s security airtight. The right partner will even know how to keep your dental practice HIPAA and healthcare compliant, as a win-win for helping you pass your risk assessment with flying colors next year.
  • If you suspect a phishing scam, know what to do. Always urge your employees to think before clicking: opening a link or downloading an infected file from a phishing site or email is how a bad actor gets malware onto one device and then onto the rest of your network. If your employees notice a suspicious message, ask them to tell you or your outsourced IT partner immediately, before taking any action. Report the phishing attack to the FTC and do not engage with the bad actor.

Don’t Do it All Alone

Social engineers are always coming up with new and clever ways to trick dental practice employees into sharing access to patient data. But while it’s important to educate your employees on the dangers and what to look out for, it’s only one part of the equation. Your practice also needs strong security defenses in place and someone who can routinely monitor and update them. 

Leave the security up to the professionals by outsourcing to a trusted partner to handle your digital security. Here are 5 Reasons To Hire A Managed Services IT Provider For Your Practice to discover all the benefits.