Is your orthodontic practice a target for cybercriminals in today’s COVID-19 workplace?

Cybersecurity expert Mark Pribish says that awareness of data breaches is imperative in today’s technologically active practice

Introduction

Most small- to medium-sized businesses, including orthodontic practices, do not believe their orthodontic practice is a target for cybercriminals and/or the insider threat. Unfortunately, the cyber-risk threat landscape keeps expanding and evolving with hackers and the insider threat contributing to an endless number of data breach events and even regulatory actions.

And now the new COVID-19 working environment has businesses and consumers becoming more reliant on technology than ever before — which makes having an incident response plan to respond and recover from a data breach event more important than ever.

In just the past 4 months, these five news headlines and notifications rocked the business world, including the dental business sector.

• One Million US Dental Patients Impacted by Data Breach https://infosecurity-magazine.com/news/1m-us-dental-patients-impacted-by/
• FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html
• New McAfee report estimates global cybercrime losses to exceed $1 trillion https://www.financialexpress.com/industry/technology/cybersecurity-the-hiddencosts-of-cybercrime/2153819/
• Risk Based Security releases its Year-End 2020 Data Breach Report https://www.securityinfowatch.com/cybersecurity/pressrelease/21207207/riskbased-security-risk-based-security-releases-itsyearend-2020-data-breach-report
• FBI Private Industry Notification: Cyber Criminals Exploit Network Access and Privilege Escalation
  https://www.ic3.gov/Media/News/ 2021/210115.pdf

Summary: cyber-related news headlines and notifications

In October 2020, Dental Care Alliance

This dental support organization — with more than 320 affiliated dental practices across 20 states working with more than 700 dentists — started notifying over 1 million dental patients that their data may have been exposed as the result of a cyberattack. While Dental Care Alliance discovered that it was a victim of a hacking event on October 11, the hack itself had begun on September 18.

When Dental Care Alliance finally contained the cyber intrusion by October 13, a total of 26 days gave hackers the time to steal patient data, including names, addresses, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist, and health insurance information.

Surprisingly, Dental Care Alliance saw no need to offer remediation services such as credit monitoring to patients impacted by the data breach event since the company saw “no specific evidence that personal information was used for malicious purposes.” Unfortunately, when a breached organization states that it has no specific evidence showing personal information was used for malicious purposes, it is shortsighted and careless.

The final story for most data breaches rarely reflects the initial forensic assessment and news report and speaks of what’s known at the moment, but never follows up and discusses the long-term impact to affected individuals such as these dental patients. The fact is that the threat of a data breach or an identity theft event can be a lifelong problem that may affect you (and me) long into the future and in ways you (and I) likely haven’t even thought about.

As a sidenote, the Dental Care Alliance data breach happened 2 months after a medical software company’s database containing the personal information of more than 3.1 million patients for medical and dental practices was left exposed online without the need for a password or other authorization (https://healthitsecurity.com/news/medical-software-database-exposes-personal-data-of-3.1m-patients).

In December 2020, FireEye

FireEye — one of the leading international cybersecurity firms in the world with $3.5 billion in annual sales — reported that it was hacked by a nation-state.

The big and shocking news is what was hacked — digital tools that replicate the most sophisticated hacking tools in the world — where most of the tools are based in a digital vault that FireEye closely guards. The company said “hackers used “novel techniques” to make off with its own tool kit, “which could be useful in mounting new attacks around the world.”

This was a stunning cyber intrusion for a company known for identifying some of the elite cybercriminals in the world and for managing some of the most well-known data breaches such as Equifax and Sony. Essentially, FireEye, which is a network security company that prides itself on providing automated threat forensics and dynamic malware protection against advanced cyber threats, could not protect itself from being hacked.

In December 2020, McAfee

McAfee, a leading cybersecurity firm, released a report titled “Cybersecurity: The Hidden Costs of Cybercrime” on the significant financial and unseen impacts of cybercrime.

The report, conducted in partnership with the Center for Strategic and International Studies (CSIS), concludes that cybercrime costs the world economy more than $1 trillion annually. In addition, the report stated that 56 % of organizations said they do not have a plan to prevent and respond to a cyber incident.

Key findings in the McAfee report included two-thirds of surveyed companies reported some kind of cyber incident in 2019 with an average interruption to operations at 18 hours and average cost more than half a million dollars per incident.

The survey also revealed 92% of businesses felt there were other negative effects on their organizations beyond financial costs and lost work hours after a cyber incident such as lost revenue, lost customers, and negative public relations.

As a sidenote, Cybersecurity Ventures, a leading researcher for cybersecurity facts, figures, and statistics, states that McAfee vastly underestimates the cost of cybercrime at $1 trillion annually and that the number is closer to $6 trillion a year (https://cyber securityventures.com/mcafee-vastly-underestimates-the-cost-of-cybercrime/).

In January 2021, Risk Based Security

Risk Base Security — a global leader in vulnerability intelligence, breach data, and risk ratings — released its 2020 Year End Data Breach QuickView Report, revealing that “the volume of publicly disclosed data breaches fell by 48% in 2020 compared with the previous year, leading to 3,932 in total.”  That was the good news.

“However, the volume of records that were compromised by these breaches jumped by 141% to a whopping 37 billion records, the largest number seen by Risk Based Security since 2005.” That was the bad news.

Part of the reason for the staggering increase in breached records of our personally identifiable information (PII) can be attributed to the COVID-19 pandemic as numerous organizations relaxed their security policies for employees to work from home and students to study remotely and unwittingly exposed their networks to compromise.

Interestingly enough, Inga Goddijn, Executive Vice President at Risk Based Security, commented: “We do not believe fewer breaches are happening.” Instead, “disruptions at certain governmental sources, delayed reporting, and declining news coverage have all contributed to fewer breaches coming to light in 2020, but that is only a part of the story. More complex and damaging attacks have also contributed to lengthy and complex investigations.”

In my view, the single largest highlight from this year’s Risk Based Security report is that healthcare was the most victimized sector in 2020, accounting for 12.3% of reported breaches.

In January 2021, the FBI Released Private Industry Notification (PIN)

In PIN notification 20210114-001, the Federal Bureau of Investigation (FBI) Cyber Division issued a warning of vishing attacks stealing corporate accounts. Vishing (also known as voice phishing) is a social-engineering attack in which attackers impersonate a trusted entity during a voice call to persuade their targets into revealing sensitive information such as banking or login credentials.

The notification warned of ongoing vishing attacks attempting to steal corporate accounts and credentials for network access and privilege escalation from U.S. and international-based employees.

According to PIN 20210114-001, “The threat actors are using Voice over Internet Protocol (VoIP) platforms (aka IP telephony services) to target employees of companies worldwide, ignoring their corporate level.” In addition, this is the second warning alerting of active vishing attacks targeting employees issued by the FBI since the start of the pandemic after an increasing number of employees began working remotely from home.

In August 2020, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning remote workers of an ongoing vishing campaign targeting companies from several U.S. industry sectors as cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks.

So what can be done? Your orthodontic practice needs to create a new security culture with a new sense of urgency for both your business and its employees.

First, understand that cyber thieves and ID theft criminals are constantly evolving and diversifying to find new ways to monetize the phishing (fraudulent emails), vishing (fraudulent phone calls and voicemail messages), and smishing (fraudulent text messages) threat landscape.

Second, ask the orthodontic practice that you work for what is the formal response and recovery plan that is in place in the event of a data breach event? With more people working from home due to the COVID-19 crisis, the risk of financial and non-financial identity theft, fraud, and scams for both individual consumers and small businesses have significantly increased.

To help your orthodontic practice learn more about common scams and crimes, I have included this FBI link (https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/internet-fraud) with a focus on internet fraud, including several high-profile fraud methods provided by the FBI.

• Business Email Compromise (BEC): A sophisticated scam targeting businesses working with foreign suppliers and companies that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
• Data Breach: A leak or spill of data which is released from a secure location to an untrusted environ Data breaches can occur at the personal and corporate levels and involve sensitive, protected, or confidential information that is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
• Denial of Service: An interruption of an authorized user’s access to any system or network, typically one caused with malicious intent.
• Email Account Compromise (EAC): Similar to BEC, this scam targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies, and law firms. Perpetrators of EAC use compromised emails to request payments to fraudulent locations.
• Malware/Scareware: Malicious software that is intended to damage or disable computers and computer systems. Sometimes scare tactics are used by the perpetrators to solicit funds from victims.
• Phishing/Spoofing: Both terms deal with forged or faked electronic documents. Spoofing generally refers to the dissemination of email which is forged to appear as though it was sent by someone other than the actual source. Phishing, also referred to as vishing, smishing, or pharming, is often used in conjunction with a spoofed e-mail. It is the act of sending an e-mail falsely claiming to be an established legitimate business in an attempt to deceive the unsuspecting recipient into divulging personal, sensitive information such as passwords, credit card numbers, and bank account information after directing the user to visit a specified website. The website, however, is not genuine and was set up only as an attempt to steal the user’s information.
• Ransomware: A form of malware targeting both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and/or systems. Ransomware is frequently delivered through spear phishing emails to end users, resulting in the rapid encryption of sensitive files on a corporate network. When the victim organization determines they are no longer able to access their data, the cyber perpetrator demands the payment of a ransom, typically in virtual currency such as Bitcoin, at which time the actor will purportedly provide an avenue to the victim to regain access to their data.

Lastly, help your employees and patients respond to the threat to their personal information in 2021 by considering these personal privacy tips.

• Cut your cyber- and identity-theft risks by learning about the Internet of Faking and Extortion occurring through social media, as it has become a new profit center for ID theft criminals.
• The Internet of Things or “IoT” adds tremendous benefits through devices and apps, but these “things” also create opportunities for hackers and ID theft criminals to steal and use your information.
• While IT and hacking are the sizzle that continues to create data-breach headlines, most data-breach events are caused by lost devices, human error, and malicious intent. Only 50% of breaches are caused by IT and hacking.
• As the use of Telehealth and health-related services and information via electronic information and telecommunication technologies increases, medical ID theft will continue to Be more vigilant in securing and monitoring your medical information.
• The use of apps and social media are priority targets for cybercriminals, and you need to limit the information you share.
• No password is “unbreakable,” but do not make it easy for ID theft criminals to get a pass into your personal information with weak or overused passwords.

Why is all of this important? Because cyber-thieves and ID theft criminals never rest, and they continue to stay ahead of law enforcement, businesses, and consumers.