Why you need to stay alert to cyber risk

Helen Barge, Managing Director of Risk Evolves, which specialises in risk, organisational governance, compliance and training, highlights the ever-changing cyber threats faced by dental practices and the best ways to tackle them. Implementing effective dental practice cybersecurity measures is essential for safeguarding sensitive patient information.


Cybersecurity is now, and will remain, a critical part of the healthcare industry. Many recent examples, including a substantial data breach at NHS Dumfries & Galloway in May 2024, have shown how the sector is a prime target for cyber criminals.

There’s no doubt that the rapid and widespread adoption of digital technologies for clinical, diagnostic, and business activities is transforming healthcare delivery. However, it’s also creating new cyberthreats. The dramatic pace of change, with the increased presence of artificial intelligence (AI) and connected medical devices, means the challenges are always evolving. Every new technology has the potential to present a new risk, and the array of hardware, software, and cloud services provides a fertile environment for hackers.

Data has value to the criminal. Regardless of the size of your practice, you will have information that they would like. Patient payment information, employee payroll details, names, addresses, telephone numbers, medical details – your organisation is a digital goldmine.

Since dental practices handle large amounts of sensitive personal information, breaches can lead to serious cases of identity theft, financial loss and the undermining of patient privacy. Like other businesses, dentists are subject to regulations, such as the UK General Data Protection Regulation (GDPR). If you fail to protect patient data there are potential regulatory, reputational and financial implications.

Regulators have recently shown they are ready to act against firms that don’t take the necessary measures. In one case, the Information Commissioner’s Office (ICO) issued a substantial provisional fine against a company following a ransomware attack that compromised the personal details of more than 82,000 people.

Commenting on his organisation’s decision, John Edwards, UK Information Commissioner, said: “This incident shows just how important it is to prioritise information security… We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”

Diverse threats

Unfortunately, for everyone operating in healthcare the range of threats is diverse. Cyberattacks, such as ransomware, can cripple your operations, leading to the unavailability of critical systems like electronic records, lab results and even medical equipment.

Other common dangers include phishing attacks where cyber criminals use deceptive emails to trick employees into giving sensitive information or installing malware. And it’s important not to overlook internal threats where employees or contractors with access to patient data intentionally or accidentally compromise security.

While anyone in a dental practice can be targeted, employees who handle patient data are often the most vulnerable. This includes receptionists, dental assistants and office managers.

Looking more widely, the external environment can exacerbate difficulties for individual practices. Sadly, many parts of the healthcare system they interact with continue to rely on outdated technologies, which are more vulnerable to cyber-attacks. What’s more, there is a shortage of skilled cyber security professionals in the UK, which makes it challenging for healthcare providers to attract and retain the necessary expertise.

This article was also featured in the Scottish Dental Magazine, November 2024.

Holistic solution

Tackling the issues isn’t just an IT problem; it requires a holistic solution. Among other measures, it is important to promote a culture where dental practice cybersecurity measures are a shared responsibility throughout your organisation.

One way to help identify and tackle potential risks is by gaining appropriate certification.

Cyber Essentials is a UK Government scheme that helps companies protect themselves against the most common threats from the internet. It covers five main technical controls including securing connections, protection against viruses and other malware, and controlling access to data and services. There are two variants of Cyber Essentials. The ‘basic’ programme contains 70 self-assessment questions that are independently verified. ‘Cyber Essentials Plus’ also includes an independent technical audit for additional peace of mind.

Achieving ISO27001 helps make sure your leadership is accountable, that your people are alert to danger and you have processes in place that shore up your security. It can help you be better protected against threats such as phishing, viruses and ransomware. Similarly, it allows you to manage new risks more effectively through the sharing of best practice and recover more quickly if you are subject to an attack.

ISO27701 helps safeguard data so you protect your reputation while meeting the requirements of the GDPR and the Data Protection Act. This ISO standard helps your team understand the value of data and take personal responsibility for keeping it safe.

Taking effective precautions means educating your staff about cyber security best practices. Among other things you should encourage them to create strong passwords, avoid clicking on links or attachments in suspicious emails, and use multi-factor authentication (MFA). Teach them safe browsing habits, the importance of keeping devices and software up to date, secure data handling and the need to promptly report any security concerns.

Mobile devices used for work should be encrypted and have antivirus and anti-malware software installed. Similarly, your people should not access patient information or work systems over public or unsecured Wi-Fi networks, and they should use a virtual private network (VPN) when working remotely.

If terms such as encryption, networks and firewalls leave you cold, then it’s time to call in the experts. Where once it may have been cost effective to have the Practice Manager’s next door neighbour’s son look after your IT, technology and the associated risks have progressed. All organisations, regardless of size, need a reliable IT partner to manage their environment for them. If you need help and support in identifying one, Scotland has a dedicated ‘not for profit’ team: https://cyberfraudcentre.com/

Patient data

It almost goes without saying that one of the most critical aspects of cyber security in healthcare is protecting patient data. This involves securing digital files, paper records and other sensitive information through stringent storage and access protocols.

Every dental practice should have a secure document management system that has features such as multi-factor authentication, access controls, encryption, version control and audit trails. As well as encrypting patient data you should limit access to authorised personnel only. At the same time, it is important to perform regular backups and have recovery processes in place in case your practice is subject to an attack.

In managing your risk it’s wise to monitor and log incidents and near-misses to help identify patterns or expose wider concerns. If there is a breach it should be properly investigated to avoid it happening again. Make sure you have a plan in place to deal with any breach. This should include clear action to keep your practice running smoothly, manage patients and provide external and internal communications.

The dental sector, and healthcare generally, will always be a target for cyber-attacks. However, if you take the right dental practice cybersecurity measures, you will reduce your risk of making unfortunate headlines.

Safeguarding patient privacy and data security is a fundamental ethical obligation for every healthcare provider. By implementing best practice and staying vigilant you will maintain essential patient trust and protect your business.
