Wednesday, May 8, 2024

FBI Sounds Warning on a Credible Cybersecurity Threat to Offices in the Dental Industry

There is a reason I believe in the ADA.  Although I don't agree with everything they do, dentistry needs a united voice to communicate with the public and legislators.  Dentistry also needs a voice that can speak to the profession when something important is happening that the profession needs to be aware of.  Today is one of those days.

In case you have not been notified or perhaps missed the email sent yesterday May 7th, today's post is *incredibly* important to dental practices.  I am posting the email I received in its entirety.  Please read it!


The American Dental Association (ADA) urges all dental practices to remain vigilant after it was contacted by the Federal Bureau of Investigation (FBI) with information regarding a credible threat to the practices of oral and maxillofacial surgeons.

Current Threat Information from the FBI

On Tuesday, May 6, 2024, the FBI informed the ADA and the American Association of Oral and Maxillofacial Surgeons (AAOMS) of a credible cybersecurity threat to the practices of oral and maxillofacial surgeons. The FBI said that as of that date there were no known cyberattack victims, but the agency is working proactively to raise awareness to help prevent victimization. The FBI suspects the group behind the cyberattacks may be shifting tactics to oral and maxillofacial surgery practices after targeting plastic surgeons last year.

While this current threat is focused on oral and maxillofacial surgeons, the FBI is concerned that the practices of general dentists and other specialists could also eventually be targeted.

Cybercriminals often use social engineering scams — such as phishing (email), SMSishing (through text or instant messaging apps) and vishing (using phone calls and voicemail) — to gain access to sensitive personal data such as electronic protected health information. Spear phishing refers to a phishing email appearing to be from a trusted contact. For example, a threat actor may use phishing to impersonate a credentialing agency. Through these scams, threat actors try to convince people to reveal sensitive information, or to click on a link, open an attachment or visit a website that causes malware to be deployed. This malware can lead to ransomware, which blocks system and/or file access until money is paid.

The FBI provided an example in which the threat actor poses as a new patient or says they want to become a patient at the practice to obtain new patient forms online. Once the forms are received, the threat actor will then contact the practice to report they are having trouble submitting them online and ask if they can scan the forms and email them instead. The threat actor then emails the “forms” as an attachment. When the attachment is opened malware is deployed in a phishing scheme.

The FBI requests dental practices that experience any fraudulent or suspicious activities to report them to the FBI Internet Crime Complaint Center at ic3.gov.

Precautions Practices Can Take

The Cybersecurity & Infrastructure Security Agency (CISA) recommends four vital ways to protect your practice from cyberthreats:

Teach your team to recognize and avoid phishing

Require strong passwords

Require multifactor authentication

Update all business software

The following resources are also available to support healthcare professionals:

A CISA.gov toolkit aids healthcare practices in building cybersecurity foundations and implementing more advanced, complex tools to stay secure and ahead of current threats.

The U.S. Department of Health and Human Services’ Knowledge on Demand resource offers five free cybersecurity trainings that align with the top five threats named in HHS’ Health Industry Cybersecurity Practices. HHS also offers information on how the HIPAA security rule can help defend against cyberattacks.

The Office of the National Coordinator for Health Information Technology’s Security Risk Assessment Tool, a resource designed to help medium and small providers conduct a security risk assessment as required by the Health Insurance Portability and Accountability Act.

The U.S. Department of Health and Human Services Office of Information Security and Health Sector Cybersecurity Coordination Center’s “Artificial Intelligence, Cybersecurity and the Health Sector” guide shares how health care entities help protect against AI-enhanced cyberthreats.

Additional resources can be found at ADA.org/riskmanagement

As the nation’s largest organization of dentists, the ADA is advocating on behalf of all dentists at the federal level to recommend several measures to protect and ensure the resilience of health care infrastructure against cyber threats. The ADA will continue to lead this charge and provide cybersecurity updates as they become available, all in service to you and your patients. Please visit ADA.org to see the many ways the ADA advocates on behalf of dentists nationwide.
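The "new patient forms" scheme the FBI describes in the email above has a recognisable shape on the receiving end: an inbound message whose wording says the sender could not submit online and scanned the forms instead, carrying an attachment whose file type is not what a scanned form would be. The script below is an added example for this post, not code from the ADA, the FBI or any practice management vendor. It parses a message with Python's standard `email` library and flags attachments by extension, by double extension, and by checking that something named `.pdf` actually starts with PDF bytes. The extension lists, the lure phrases, the minimum policy choices and the two sample messages are all constructed for illustration and would be tuned to a real practice's mail flow.

```python
"""Triage inbound email attachments for the 'new patient forms' lure.

Added example for this post; not code from the ADA or the FBI. The
extension lists, lure phrases and sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Types a scanned intake form should never arrive as (assumed policy).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk",
    ".iso", ".img", ".docm", ".xlsm", ".pptm", ".zip", ".rar", ".7z",
}
# Types a completed form legitimately takes (assumed policy).
EXPECTED_FORM_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".tif", ".tiff"}
# Wording from the scenario the FBI described: trouble submitting online,
# so the "forms" arrive scanned and attached instead.
LURE_PHRASES = ("trouble submitting", "scanned", "forms", "new patient")


def attachment_findings(raw_message: bytes) -> list[str]:
    """Return one finding per suspicious attachment; an empty list means clean."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    lure_hits = [p for p in LURE_PHRASES if p in text]

    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = ["." + e for e in name.split(".")[1:]]
        data = part.get_payload(decode=True) or b""
        if not exts:
            findings.append(f"{name or '<unnamed>'}: attachment has no file extension")
        elif exts[-1] in RISKY_EXTENSIONS:
            # "forms.pdf.exe" is the classic double extension; "forms.exe" is just risky.
            kind = "double extension" if len(exts) > 1 else "risky type"
            findings.append(f"{name}: {kind} {exts[-1]}")
        elif exts[-1] == ".pdf" and not data.startswith(b"%PDF"):
            # The name says PDF but the bytes do not; treat as a disguised payload.
            findings.append(f"{name}: named .pdf but content is not a PDF")
        elif exts[-1] not in EXPECTED_FORM_EXTENSIONS and lure_hits:
            findings.append(f"{name}: unexpected type {exts[-1]} with lure wording {lure_hits}")
    return findings


def build_message(body_text: str, attachments: list[tuple[str, str, bytes]]) -> bytes:
    """Construct a sample message; attachments are (filename, mime type, bytes)."""
    msg = EmailMessage()
    msg["From"] = "prospective.patient@example.net"   # constructed sender
    msg["To"] = "frontdesk@oral-surgery.example"      # constructed recipient
    msg["Subject"] = "New patient forms"
    msg.set_content(body_text)
    for filename, mime, data in attachments:
        maintype, subtype = mime.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


LURE_TEXT = ("Hi, I had trouble submitting the new patient forms online, "
             "so I scanned them and attached them.")

# Constructed lure: wording matches the FBI scenario, attachment types do not
# match a scanned form. Byte contents are placeholders, not real files.
LURE_SAMPLE = build_message(LURE_TEXT, [
    ("New_Patient_Forms.pdf.exe", "application/octet-stream", b"not a real binary"),
    ("Insurance_Card.pdf", "application/pdf", b"PK\x03\x04 archive bytes, not a PDF"),
    ("Consent.pdf", "application/pdf", b"%PDF-1.4 placeholder"),
])

# Constructed legitimate submission: same wording, expected type and content.
BENIGN_SAMPLE = build_message(LURE_TEXT, [
    ("Consent.pdf", "application/pdf", b"%PDF-1.4 placeholder"),
])

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, attachment_findings(sample) or "no findings")
```

The benign sample uses the very same wording as the lure, which is the point: a patient who really did have trouble with the online portal will say exactly that, so the wording alone is only context. The decision rests on the attachment, and an executable, an archive, or a "PDF" whose bytes are not a PDF is the signal worth blocking or quarantining before it reaches the front desk.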


2 comments:

  1. IT notes:
    • Teach your team to recognize and avoid phishing

    Management refuses to spend any money on training in this economy. The cheapest staff we can hire have pretty much never used a computer and think 'hotdoc69' is a great password. Also, all staff regularly share passwords because it's too much of a hassle to sign. Also, screens will not be set to lock every 5, 10 or 15 minutes because that could interrupt patient care and we can't touch keyboards with contaminated gloves. We aren't going to buy keyboard covers that can be wiped down or changed because there's no budget for that. There's also no budget for smartcards or YubiKeys to simplify the process.

    • Require strong passwords
    We just got told to stop checking passwords against dictionary words because doctors keep forgetting their passwords.

    • Require multifactor authentication
    Most multifactor auth is too expensive. HR says we aren't going to pay employees for the use of their cell phones for receiving text messages.

    • Update all business software
    Upgrading software requires taking an office down for a few hours. We can't afford to stop seeing patients for a few hours, so we're going to stick with a version of Dentrix or Eaglesoft that's 4 years out-of-date. Anyways, it works just fine, so there's no need to upgrade.

    Oh, there's also no budget for any sort of intrusion detection system or network monitoring. Plus, if we don't detect a leak, we don't have to report a leak.

    *sigh*

    Healthcare IT is as painful as getting a tooth pulled with no Novocaine.

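CISA's "Require strong passwords" item and the commenter's note that they were told to stop checking passwords against dictionary words point at the same control. The check below is an added example, not code from the ADA, CISA or the commenter. It implements the screening NIST SP 800-63B recommends (compare against a blocklist of common or breached passwords and against context such as the username and practice name) and keeps a dictionary test that also undoes the digit and symbol decorations that turn "hotdoc" into "hotdoc69" or "H0tD0c69!!". The minimum length is an assumed policy value, and the word lists are tiny constructed stand-ins for the large breached-password lists a real deployment would use.

```python
"""Password screening that keeps the dictionary check.

Added example; not code from the ADA, CISA or the commenter. MIN_LENGTH is
an assumed policy value and both word lists are constructed stand-ins.
"""
import re

MIN_LENGTH = 12  # assumed policy value

# Constructed stand-in for a common/breached password list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "dentist1", "hotdoc69"}

# Constructed stand-in for a dictionary of words staff actually pick.
DICTIONARY = {"hotdoc", "dentist", "dental", "smile", "tooth", "molar",
              "welcome", "summer", "password"}

# Substitutions that attacker wordlists already undo, so they add no strength.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})
DECORATIONS = "0123456789!@#$%^&*()-_=+.,;:?/ "


def core_word(password: str) -> str:
    """Reduce 'H0tD0c69!!' to 'hotdoc': drop end decorations, undo substitutions."""
    trimmed = password.lower().strip(DECORATIONS)
    return trimmed.translate(SUBSTITUTIONS)


def evaluate_password(password: str, username: str = "", practice_name: str = "") -> list[str]:
    """Return the policy problems with a candidate password; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("appears on the common/breached password list")
    core = core_word(password)
    if core in DICTIONARY:
        problems.append(f"is a dictionary word ('{core}') with decorations")
    # Anything derived from the account or the practice is guessable from a
    # sign on the door or an email signature.
    for label, ctx in (("username", username), ("practice name", practice_name)):
        words = [w for w in re.split(r"\W+", ctx.lower()) if len(w) >= 4]
        if any(w in password.lower() for w in words):
            problems.append(f"contains part of the {label}")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ("hotdoc69", "H0tD0c69!!", "correct-horse-battery-staple"):
        print(candidate, "->", evaluate_password(candidate) or "accepted")
    print(evaluate_password("SmileOralSurgery2024!", practice_name="Smile Oral Surgery"))
```

Note what the check does not do: it imposes no character-class rules and no forced rotation, both of which 800-63B advises against because they push people toward exactly the "word plus a number" habit the commenter describes. A long passphrase passes; a dictionary word dressed up with leetspeak and a year does not, however many symbols it carries.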
  2. And people NEED to hear this! The criminals in the IT world are as good at their jobs as the doctors are at theirs. The days of a high school kid in a hoodie were over the moment this became a big financial payday for the bad guys. If you don't do everything you can to provide security, you've just made it easier for them...
