Does your cybersecurity commitment in 2020 support your orthodontic practice compliance requirements?

Editor’s intro
Identity theft expert Mark Pribish offers guidance on how to recognize and avoid cyberattacks to help safeguard employee and customer information.

Mark Pribish defines terms to help your office recognize and avoid cyberattacks

Most people think identity theft is a problem for the individual consumer only. However, based on “The latest healthcare data breaches in 2019 (https://portswigger.net/daily-swig/the-latest-healthcare-data-breaches-in-2019),” identity theft and data breach events have become a significant compliance and risk management issue for all business sectors, including dental offices and dental patients.

In just the past 4 months, news headlines regarding data breaches have included “dental offices, dental patients, and dental records” including:


As an orthodontic practice, you need to pay attention to the unprecedented rash of data breaches and focus on identifying gaps and vulnerabilities, so that you can improve your cybersecurity posture and defend against cyberattacks.

That said, let’s begin with four basic information security and governance fundamentals in the orthodontist industry:

  • Orthodontists handle Personally Identifiable Information (PII), including social security numbers, credit card information, bank account information, driver’s license numbers, birth dates, and private health insurance information.
  • Orthodontists use e-mail, computerized accounting, and electronic procurement to store and transfer employee, customer, and member data within and outside their computer networks.
  • Orthodontists fall into the healthcare business sector, where data breaches will cost the sector $4 billion this year, with hackers outpacing the security technology and processes of provider organizations.
  • Healthcare organizations, including orthodontists, face financial penalties when a data breach occurs and are accountable under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

If these four points do not heighten your concern for better information security and governance at your orthodontic practice, then maybe Experian’s 2020 Data Breach Industry Forecast (https://www.experian.com/content/dam/marketing/na/assets/data-breach/white-papers/Experian-Data-Breach-Industry-Forecast-2020.pdf) will.

According to Experian, “Cybercriminals will get more creative in 2020, harnessing technology and advanced tactics to cause disruption for businesses, governments, and consumers.”

Experian stated the top data breach trends of 2020 include the following:

  • “Cybercriminals will leverage text-based ‘smishing’ identity theft techniques to target consumers participating in online communities, such as those supporting presidential candidates, with fraudulent messages disguised as fundraising initiatives.”
  • “As cities install more free public Wi-Fi systems, hackers will take to the skies via the use of readily available drones to steal consumer data from devices connected to unsecure networks on the streets below.”
  • “Cybercriminals will use so-called ‘deepfake’ video and audio technology to disrupt the operations of large commercial enterprises and potentially create geo-political confusion among nation states, in addition to disruption in financial markets.”
  • “As a form of protest, we will see many burgeoning industries, such as cannabis retailers, cryptocurrency entities, and even some environmental organizations, targeted for cyberattacks as a result of online activism or ‘hactivism.’”
  • “With mobile payment options popping up everywhere from a local café to the beer vendor at a stadium, Experian predicts that there will be a significant spike in identity theft as cybercriminals seek to exploit the convenience of point-of-sale transactions, especially at large venues like concert festivals and sporting events.”

So how can your orthodontic practice stop a data breach event from ever happening? The simple answer is you can’t and you won’t. Just ask Equifax, Capital One, or Delta Dental of Arizona.

All three companies represent the credit bureau, banking, and health insurance business sectors.

These three business sectors have more financial and information technology (IT) resources than any other industry groups, and they could not prevent a data breach event from happening.

Why? Because information security and governance is more than an IT event.

Equifax was initially hacked via a consumer-complaint web portal: the attackers used a widely known vulnerability that should have been patched, and Equifax had also failed to renew an encryption certificate on one of its internal security tools.

Capital One’s data breach involved the insider threat: a former Amazon cloud employee, lacking character and integrity, is now being charged with computer fraud.

Delta Dental of Arizona became aware of suspicious activity and learned that a Delta Dental employee fell victim to an “email phishing scheme” that allowed an unauthorized individual to gain access to said employee’s email account.

Each of the three data breach events was preventable; what allowed them to happen was the negligence or malice of current and former employees.

The fact is that hackers and the insider threat (current and former employees, vendors, and contractors) will target orthodontic and dental practices along with other healthcare providers, because patient records include sensitive data that can be used to commit crimes like identity theft, credit card fraud, and health insurance fraud.

While it is critical for every orthodontic practice to implement and update information security and governance policies and processes, including penetration testing and vulnerability scanning, I believe employee training is the number one defense against the risk of identity theft and data breach events.

Based on the above, I recommend that every orthodontic practice share this Consumer Affairs link (https://www.consumeraffairs.com/finance/identity-theft-statistics.html#) on 2019 identity theft trends and statistics.

Read the easy-to-read glossary below, and learn the identity theft terms that help employees keep up with the current threat environment.

To conclude, the more your employees understand identity theft and cybersecurity terms, the more equipped they will be to help safeguard employee and customer information.

Glossary

Account takeover: An account takeover is when a fraudster uses personal information to obtain products and services. Credit card fraud is the most rampant, but skimming and phishing are also common types of account takeovers.

Credential cracking: Credential cracking describes the various methods — word lists, guessing, and brute force — cybercriminals use to obtain passwords. Credential cracking threats are why it’s important to create varied and complicated passwords for all accounts.

Data breach: A data breach is when private or confidential information is released to an untrusted environment. Cybercriminals can infiltrate a data source physically or remotely bypass network security to expose passwords, banking and credit data, passport and Social Security numbers, medical records, and more.

Dark web: The dark web is the part of the Internet that can only be accessed through specialized browser software that keeps visitors anonymous and untraceable. It’s not illegal to be on the dark web, but many illegal transactions occur there (such as buying credit card or Social Security numbers).

Deep web: The deep web is the part of the Internet that’s not accessible through standard search engines such as Google or Bing. Password-protected and dynamic pages, encrypted networks, and the dark web are all part of the deep web.

Encryption: Encryption is a way of scrambling data using computer algorithms to prevent unauthorized access to data or sensitive information.

Firewall: In computing, a firewall is a software program that blocks unauthorized users from getting into a network without restricting outward communication.

Formjacking: Formjacking is when a hacker infiltrates an e-commerce checkout page to steal credit card information. It is the Internet-age equivalent of an ATM skimmer.

Ghosting: In the context of identity theft, ghosting refers to when someone steals the identity of a dead person.

Honeypot: A honeypot is a decoy target used to mitigate cybersecurity risks or get more information about how cybercriminals work.

Internet of Things: The Internet of Things, or IoT, describes the interconnectedness of all devices that access Wi-Fi, including cell phones, cameras, headphones, and an increasing number of other objects, including washing machines and thermostats.

Keylogger: A keylogger is a computer program that records a person’s keystrokes to obtain confidential data.

Malware: A portmanteau of “malicious” and “software,” malware describes any software created with the specific intent to cause disruption or damage. Trojans, bots, spyware, worms and viruses are all types of malware.

Pharming: Sometimes called “phishing without a lure,” pharming is a type of scam where malicious code is installed onto a device or server to misdirect users onto illegitimate websites.

Phishing: Phishing is a popular type of internet scam in which fraudsters send emails claiming to be from a reputable company to trick individuals into revealing personal information. Phishing attacks decreased from 1 in 2,995 emails in 2017 to 1 in 3,207 emails in 2018.

Ransomware: Ransomware is a type of malware that threatens to expose or block an individual’s or business’ data unless a ransom is paid.

SIM swap scam: Sometimes called a port-out scam or SIM splitting, a SIM swap scam is a complex type of cell phone fraud that exploits two-factor authentication to access data stored on someone’s cell phone. Put simply, if a fraudster has your phone number, they can call your phone company and ask to have the number transferred to “your” new phone. The fraudster then has access to all of your accounts that use two-factor authentication.

Skimming: Skimming is a type of credit card fraud in which the victim’s account numbers are copied and transferred to a counterfeit card.

Smishing: Similar to phishing, smishing (or SMS phishing) is when someone attempts to mine sensitive information under a fake identity through text messages.

Spoofing: A spoofing attack is when an illegitimate website falsifies data to appear as a trustworthy website to visitors.

Spyware: Spyware is any software designed to gather data from an individual or enterprise. The four primary types of spyware are adware, Trojan horses, tracking cookies, and system monitors.

Synthetic identity theft: Synthetic identity theft is when a criminal combines stolen and fake information to create a new, fraudulent identity.

Trojan horse: Like its classical namesake, a Trojan horse is a type of malware disguised to appear like safe software. Cybercriminals use Trojans to access sensitive data and gain access to private systems.

Whaling: Whaling is a phishing attack that targets high-level employees within a company to steal confidential information or sensitive data.

Vishing: Like phishing or smishing, vishing is when an identity thief attempts to gain sensitive information over the phone.

Editor’s call to action
Read 4 data breach best practice tips by Mark Pribish to recognize and avoid cyberattacks.
https://orthopracticeus.com/columns/4-data-breach-best-practice-tips-for-your-orthodontic-practice

Mark Pribish is the VP and ID Theft Practice Leader at Phoenix, Arizona-based Merchants Information Solutions, Inc., an identity theft and data breach risk management firm. He has authored hundreds of articles and is frequently interviewed by local and national media as an ID theft and data breach risk management expert. He is a member of the Identity Theft Resource Center Board of Directors and is a graduate of the University of Dayton.

Copyright © 2024 Orthodontic Practice US - Dental Journal and Online Dental CE | MedMark LLC
15720 North Greenway Hayden Loop, Suite #9 Scottsdale, AZ 85260 | All rights Reserved | Privacy Policy | Terms & Conditions