Common Mistakes Dental Offices Make - and How to Avoid Them
Dental practices across Canada have become a favorite target for hackers, and ransomware has become one of the biggest threats. The consequences of any type of cyber-attack can be extremely expensive and disruptive.
It is not unusual that practice leaders don’t know whether their systems meet the minimum PHIPA security requirements.
To help you understand the main types of cyber attacks, we have identified several areas below that illustrate the mistakes practices make and how a managed IT security provider using Zero Trust principles can mitigate your risks.
When looking at what can be done to protect dental practices from hacks, we put together a list of the most common mistakes firms make in managing their IT systems.
Here is a list of the Top 10 IT Mistakes Dental Offices Make – and How to Avoid Them:
1) Weak Threat Hunting Tools
Threat hunting tools include antivirus, intrusion detection, anti-phishing, EDR (Endpoint Detection & Response) and MDR (Managed Detection & Response) services.
Free AV is not effective, and if you are using it, it needs to be changed immediately; PHIPA legislation requires it. Make sure you have a good AV program and that it is running on all workstations at all times.
Effective anti-virus will detect known threats before they become attacks. This provides protection against a little over 50% of the malicious code often attached to phishing emails.
2) Weak Perimeter Protection
Most firms have some type of firewall in place. A secure firewall should be capable of segmenting your network, allowing VPN connections, logging traffic and providing other features to secure your perimeter.
It should also have a live subscription for additional threat hunting features like web filtering and traffic inspection.
Securing the perimeter of your network is basic security hygiene and is a PHIPA requirement.
If you don’t have a newer next-generation firewall, you should deploy one immediately. It is too easy for a hacker to bypass a basic firewall and gain access to your entire network.
3) Weak Passwords
The most commonly used password is “Password”. Hard to believe, but it’s true.
As IT security professionals, we are forced to think like hackers in order to combat them.
We would be remiss if we didn’t tell you that password compromise is one of the most common ways an attack starts.
In the current environment, we strongly recommend the use of two-factor authentication. It is becoming a must for protecting access to your systems and data, and it is one of the most effective ways to stop a compromise.
4) Weak IT Hygiene
Examples include users sharing passwords, leaving desks with patient data on the screen, sending unencrypted data over email, leaving patient data on the printer, and trusting too much in people, programs and processes.
The combination of Threat hunting, User training and Controls make up a solution stack that is called a Zero Trust IT Managed Service.
Major corporations and even the entire US government have mandated the use of this approach, and it is something all practice owners should do as well.
Deploying this methodology takes the guesswork out of managing your environment and protects you against extortion.
5) Weak Remote Access Tools
Controlling remote access is critical to securing your network. You need remote access capability, so IT firms set up a VPN or use remote access tools like TeamViewer.
These are less than secure connections, and you have no way to know whether your data is encrypted while you are accessing your systems remotely. They are also prone to slower connection speeds and drop with annoying regularity.
The best way to connect remotely is through a Zero Trust secure remote access tool. These tools verify the user and the machine, allow access only to approved resources, can be set with time-limited access, and are fully encrypted.
6) Weak Application Controls
Application whitelisting simply means that only approved programs are allowed to run on your systems. Any unapproved executable file or program is denied the ability to run. This prevents users from running, intentionally or otherwise, anything that practice owners are not aware of or do not approve of.
This is a powerful way to stop any bad files that manage to get through your defenses from causing any problems.
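To make the whitelisting idea concrete, here is an added illustration (not code from the original article or from any product it mentions) of a default-deny policy keyed on a program's SHA-256 hash rather than its file name; the "approved programs" and candidate files are constructed byte strings standing in for real executables.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for approved executables (plain bytes, not real programs).
APPROVED_PROGRAMS = {
    "practice_mgmt.exe": b"approved practice management software build 1.0",
    "imaging.exe": b"approved imaging viewer build 2.3",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_dir: Path) -> set[str]:
    """Record the hash of every approved binary; the policy keys on content, not name."""
    return {sha256_of(p) for p in approved_dir.iterdir() if p.is_file()}


def is_allowed(path: Path, allowlist: set[str]) -> bool:
    """Default deny: a file may run only if its hash is on the allowlist."""
    return sha256_of(path) in allowlist


def demo() -> dict[str, bool]:
    """Build a policy from the approved set and evaluate three constructed candidates."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp, "approved")
        approved.mkdir()
        for name, body in APPROVED_PROGRAMS.items():
            Path(approved, name).write_bytes(body)
        allowlist = build_allowlist(approved)

        candidates = Path(tmp, "downloads")
        candidates.mkdir()
        # Same approved content under a different name: allowed (hash matches).
        Path(candidates, "renamed_viewer.exe").write_bytes(APPROVED_PROGRAMS["imaging.exe"])
        # Approved name but altered contents: denied (hash does not match).
        Path(candidates, "practice_mgmt.exe").write_bytes(b"altered copy of the software")
        # Unknown executable that arrived as an email attachment: denied.
        Path(candidates, "invoice.pdf.exe").write_bytes(b"never-approved program")
        return {p.name: is_allowed(p, allowlist) for p in candidates.iterdir()}
```

Real products (such as AppLocker or Windows Defender Application Control) also support publisher-signature rules so that legitimate software updates do not require re-hashing every file.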
7) Weak Storage Controls
Allowing access to all storage media like file shares, hard drives and USB drives presents a challenge to many practices. How do you restrict what needs to be restricted while allowing users to complete the tasks they need to do?
Zero Trust storage controls do this by taking a very granular approach to your file systems. They allow approved users to access only what they need and deny all other access.
This is one of the best ways to ensure that no unauthorized applications are installed, no files can be copied to USB drives and no one can delete files from your main data repository.
8) Weak Application Elevation Control
Allowing programs to run without elevation controls is the cause of many of the breaches happening today.
Programs like Zoom and Office applications like Word and Excel need access to certain operating system files to run, but they shouldn’t be allowed to make changes to things like your backup data files or establish outside connections to the internet.
Hackers are weaponizing legitimate tools like these to compromise your systems, and these types of attacks escape detection because they are not considered malware by your threat detection tools.
Elevation controls limit what the programs you run can do, giving them access only to what they need and nothing more.
This stops them from being used to compromise your systems.
9) Weak Email Security
Sending and receiving email is necessary, and it must be secure in order to protect private data; this is also a requirement for PHIPA compliance.
Encryption of incoming and outgoing mail protects against theft in transit, and the additional threat hunting tools that look for malicious attachments make this a necessary piece of your IT infrastructure.
10) Weak Data Backup
When your IT environment is managed correctly, your data backups should be used only for restoring a lost file to a user or recovering from a major disaster like a flood, a fire or a server that dies unexpectedly.
If you are counting on backups to save you from a major breach, and you are not using Zero Trust security management, you will be very disappointed.
The first thing a hacker will try to do once you are compromised is to destroy or modify your backups.
This instantly makes their ransom demand something you will have to seriously consider.
It is recommended that your critical production servers be backed up locally and to the cloud. This helps eliminate the risk of losing critical data. It’s also necessary to comply with PHIPA. The legislation requires that backups be maintained and tested, that all backups are encrypted, and that a disaster recovery plan is in place.
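The "maintained and tested" requirement, and the warning above that an intruder will first try to modify your backups, can be turned into a routine check. The following is an added example (not the article's or any vendor's code): each backup copy carries a SHA-256 manifest, the manifest's own hash is kept out of band (assumed to live with the disaster recovery plan), and a test restore compares every file against it; the data set and the tampering are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"

def make_backup(source: Path, dest: Path) -> str:
    """Copy the source tree to dest, write a per-file SHA-256 manifest beside it, and
    return the manifest's own hash for out-of-band storage (e.g. with the DR plan)."""
    shutil.copytree(source, dest)
    manifest = {str(p.relative_to(dest)): hashlib.sha256(p.read_bytes()).hexdigest()
                for p in sorted(dest.rglob("*")) if p.is_file()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    (dest / MANIFEST).write_bytes(manifest_bytes)
    return hashlib.sha256(manifest_bytes).hexdigest()

def verify_restore(backup: Path, expected_manifest_hash: str) -> bool:
    """Restore into a scratch directory and verify every file against the manifest.
    Fails if the manifest itself was altered or any restored file differs from it."""
    manifest_bytes = (backup / MANIFEST).read_bytes()
    if hashlib.sha256(manifest_bytes).hexdigest() != expected_manifest_hash:
        return False
    manifest = json.loads(manifest_bytes)
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch, "restored")
        shutil.copytree(backup, restored, ignore=shutil.ignore_patterns(MANIFEST))
        for rel, digest in manifest.items():
            f = restored / rel
            if not f.is_file() or hashlib.sha256(f.read_bytes()).hexdigest() != digest:
                return False
    return True

def demo() -> dict[str, bool]:
    """Back up a constructed data set to two locations, then tamper with one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "records")
        src.mkdir()
        Path(src, "chart_001.txt").write_bytes(b"constructed chart data 1")
        Path(src, "chart_002.txt").write_bytes(b"constructed chart data 2")
        local, cloud = Path(tmp, "local_backup"), Path(tmp, "cloud_backup")
        local_hash, cloud_hash = make_backup(src, local), make_backup(src, cloud)
        # Simulate an intruder rewriting the local copy, manifest included.
        Path(local, "chart_001.txt").write_bytes(b"ruined")
        (local / MANIFEST).write_text("{}")
        return {"local": verify_restore(local, local_hash), "cloud": verify_restore(cloud, cloud_hash)}
```

The tampered local copy fails because its manifest no longer matches the hash held elsewhere, while the untouched cloud copy restores cleanly; encryption of the backup media is a separate layer that this check does not replace.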
If you are unsure of where to begin when looking for help in the world of Dental IT support, please reach out.
We can tell you very quickly where you stand and discuss how we can help you stay safe and have some peace of mind when it comes to managing your IT systems.