How to Protect Your Data from Ransomware
Imagine if all your patient files, accounting information, and other data critical to your dental practice was not accessible because someone was holding it hostage. In order to get your information back, you would have to pay that person (or persons) thousands of dollars for the possibility of getting it back, with no guarantees. Sound ludicrous?
Unfortunately for more and more business owners, that scenario is not an imagined threat. The threat is real and such events have implications far beyond interrupting your daily business practices. With ever-increasing laws and requirements to protect patient data (see the article, “Getting Hip with HIPAA”) any security breach of your information system can expose you to regulatory fines and litigation risks. In short, the very survival of your business increasingly depends upon your ability to safeguard your data resources.
With the advent of cryptocurrencies like bitcoin, would-be hackers now have the ability to hold your data for ransom, forcing you to pay thousands of dollars in a currency that, for the most part, cannot be traced. This type of attack is often done via malicious software called ransomware.
In May 2017, the WannaCry ransomware attack encrypted the files of hundreds of thousands of computers worldwide and presented each victim with a simple proposition—pay up or never get access to your data. In another example, in January 2018, the Greenfield Daily Reporter reported that a hospital based in Greenfield, IN, paid hackers a ransom of $55,000 after electronic health records and other internal information were encrypted by ransomware.
Last year, Newsweek reported that the number of ransomware attacks had risen by more than 250 percent during the first few months of 2017. Unfortunately, the trend continues to accelerate as more and more individuals and companies pay hackers to get their data back. Why do businesses pay to retrieve their own information? Simply because digital information is essential to run a business. If you doubt this, just try to convince a patient or an insurance company to pay for a procedure that you can’t prove was completed. With a looming threat on the internet (and understand that everything is now on the internet in one form or another), what can the average dental practice do to protect itself?
While there is no such thing as absolute security, there are steps you can take to mitigate the possibility that your business will be targeted. In the unfortunate event of an attack, it’s entirely possible to recover your data without paying a dime of ransom.
Just as dental offices must practice sterilization techniques in the operatory to prevent infection and exposure to biohazards, they should implement safeguards for preventing computer viruses and possible loss of business and patient data. Here are a few essential safeguards:
Limit Team Member Access
In the past, I worked as an IT consultant for dental practices and one of the most common problems I saw was the use of shared passwords. It was not unusual for all the operatory computers to be accessible using a single password that everyone knew. Often, this password was the same one used for the front office computers.
Worse yet, the accounts were configured with high levels of access, meaning that users could access virtually all of the network shares on the dental practice’s server. When I pointed out this practice to clients, they usually responded that it was a matter of convenience for the staff, and not something they wanted to complicate.
However, the very thing that makes access easy for your staff also makes it easy for ransomware to find and encrypt your data. If a workstation on your network gets hit with ransomware, and that workstation has access to all the data on your server (as well as all the other computers via a shared, common password), that ransomware can potentially encrypt everything.
A better approach is to make sure your information is separated and shared with only those people and/or workstations that require access to such information. For example, the accounting data on your server should be located in its own folder and not lumped in with other data.
Make sure that the folder is only shared with team members who require access, and use a unique username and password for each individual. Approach the segregation of your data like you segregate the general office duties among your team members. Failure to do so puts your data at risk and opens you up to problems beyond data loss.
Fortify Your Passwords
From now on, stop using weak passwords! For the past few years, the top two passwords were “123456” and “Password.” Using common dental terms as passwords is only marginally better. A surprising number of dental offices use an administrative password on the server or workstation such as “Bicuspid123,” “K9,” or “Smile123.” Easily predictable passwords can be broken using existing tools with little to no effort on the part of the attacker. If you are using simple passwords, change them immediately.
Patch Your Systems
Most dentists only schedule a visit from an IT professional when something isn’t working. This kind of reactive approach to IT makes small businesses an easy target for ransomware. Instead, be proactive and schedule regular visits from IT professionals for your dental practice, and patch your systems before you are attacked.
Virtually all software providers release patches to fix security vulnerabilities or other problems in their software. Microsoft releases patch updates on the second Tuesday of every month. Ask your IT professional to apply patches on a regular basis, as most ransomware and other malicious software use known vulnerabilities to attack computer systems. The WannaCry ransomware attack impacted only the individuals and businesses who had failed to apply a security patch that was released two months prior to the actual attack.
Train Your Team
Make sure that members of your team know how to identify suspicious emails and are aware that clicking on unknown links in emails can be potentially dangerous. I always recommend that team members read emails with a certain degree of disbelief and if something doesn’t look right, ask someone else to look at it or call the assumed source for clarification.
Also, clearly identify the types of requests that should not be carried out via email. For example, never authorize the wiring of funds from an email. This may sound ridiculous, but on more than one occasion I witnessed emails instructing the bookkeeper to wire money to a fraudulent account from the dentist’s email address. Without guidelines for your team members, ambiguity puts you at risk.
Have a Plan
To protect against data loss, every dental practice should back up its data on a regular basis. If data is encrypted by ransomware, one of the only reliable ways to recover that data is to restore it from a backup location. In order to retrieve reliable data from a backup location, it must be a recent backup and it must be accessible. A thumb drive with a copy of a QuickBooks database from last quarter isn’t going to be sufficient, and in most cases any backups that are not part of a broader strategy are generally worthless during an emergency.
A backup strategy doesn’t have to be complicated or expensive, but it requires dentists to look at their dental practices and make business decisions about the value and recoverability of their data. This is not a monolithic determination—dentists should not treat all the data equally when it comes to determining their backup needs.
A good starting point is to consider the following three questions:
1. What are your operational data sources? A common mistake is failing to differentiate the importance level of different types of data. For example, accounting and patient data is much more important to operations than an employee manual or other internal documents. Every dental practice should identify their primary data sources and rank their importance on a scale from 1 to 5, with 5 being the most important.
• Accounting Data: 5
• Practice Management System Data: 5
• Internal HR Documents: 3
• Patient Images: 4
• Marketing Collateral: 2
• Administrative Documentation: 3
• Patient Testimonials: 1
2. How long could you operate without access to each of these data sources? A recovery window is the amount of time you can maintain operations without access to data. For example, if you can’t function without access to accounting data for more than two days, then your backup strategy must be able to restore the accounting data within two days. If you can run general operations for 20 days without access to your internal HR documents, then your backup strategy must be able to restore them within 20 days.
In general, the quicker you need to restore the data, the more expensive the backup strategy will be. That is why identifying your data sources and ranking their importance is critical and can lead to substantial cost savings. The ranking system is important because it allows the most critical systems to be restored first.
3. How much data loss is acceptable? It’s tempting to answer none at all, but unless you are willing to invest in a high-cost backup infrastructure, consider this question from an operations standpoint. If you are backing up your accounting data only once a day, you are basically saying that you are able to lose an entire day’s worth of data. If that’s the case, be prepared to re-enter or re-create a day’s worth of accounting transactions in the event of a problem.
You might respond that you don’t ever want to lose more than two hours’ worth of accounting data, because it is being updated throughout the day, but internal HR documents rarely change, so you can potentially stand to lose up to five days’ worth of such data without a problem.
Analyzing your practice’s operational needs and the frequency of the data changing against such losses enables you to determine which data should have priority backup, and where to allocate your expenses for the most important information.
Once you have answered those three questions, you will understand how much data you need to back up, what the relative importance is of each class of data, and how soon you would need to recover the information. Such knowledge saves time and money as you work with an IT professional to implement a backup system.
3-2-1 Backup Strategy
A new threat in some versions of ransomware is the ability to detect and destroy backups prior to attacking the primary data on a system. Since backups are some of the only recovery options when faced with ransomware (aside from paying the ransom), this evolution is no surprise. The ability of ransomware to detect and neutralize online backups will become increasingly common and sophisticated.
All businesses should employ the 3-2-1 backup strategy, which is as follows:
• Have at least 3 copies of your data (including the production data)
• Use 2 different media formats to back up data
• Have 1 copy offsite and offline
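A small planning aid, added here as an example and not part of the article, that turns the three questions above (importance, recovery window, acceptable loss) and the 3-2-1 rule into a check on a proposed backup schedule; the practice data sources, hours and media below are constructed values, not figures from the article:

```python
from dataclasses import dataclass


@dataclass
class DataSource:
    """One class of practice data, scored as in the article's three questions."""
    name: str
    importance: int             # 1 (least) to 5 (most important)
    recovery_window_h: float    # question 2: hours you can operate without it
    acceptable_loss_h: float    # question 3: hours of changes you can afford to lose
    copies: int                 # copies of the data, including production
    media: frozenset            # media formats the copies live on
    offsite_offline: bool       # at least one copy is both offsite and offline


def three_two_one_gaps(src):
    """Which parts of the 3-2-1 rule this data source fails."""
    gaps = []
    if src.copies < 3:
        gaps.append("fewer than 3 copies")
    if len(src.media) < 2:
        gaps.append("fewer than 2 media formats")
    if not src.offsite_offline:
        gaps.append("no copy that is both offsite and offline")
    return gaps


def assess(src, backup_every_h, restore_time_h):
    """Problems with a proposed schedule: backup interval, restore time, 3-2-1."""
    findings = []
    if backup_every_h > src.acceptable_loss_h:
        findings.append(f"backing up every {backup_every_h}h can lose more than the "
                        f"acceptable {src.acceptable_loss_h}h of changes")
    if restore_time_h > src.recovery_window_h:
        findings.append(f"restore takes {restore_time_h}h but the practice can only "
                        f"run {src.recovery_window_h}h without this data")
    return findings + three_two_one_gaps(src)


def restore_order(sources):
    """Restore the most important data first; ties go to the shortest recovery window."""
    ranked = sorted(sources, key=lambda s: (-s.importance, s.recovery_window_h))
    return [s.name for s in ranked]


# Constructed sample practice (assumed figures, not from the article).
ACCOUNTING = DataSource("Accounting Data", 5, 48, 2, 3, frozenset({"disk", "cloud"}), True)
PMS = DataSource("Practice Management System Data", 5, 24, 24, 2, frozenset({"disk"}), False)
HR_DOCS = DataSource("Internal HR Documents", 3, 480, 120, 3, frozenset({"disk", "tape"}), True)

if __name__ == "__main__":
    for src, every, restore in [(ACCOUNTING, 1, 4), (PMS, 24, 36), (HR_DOCS, 168, 24)]:
        print(src.name, assess(src, every, restore) or "OK")
    print("Restore order:", restore_order([ACCOUNTING, PMS, HR_DOCS]))
```

Each finding names the question or 3-2-1 element the schedule fails, so the output reads as a to-do list for the conversation with your IT professional.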
In a dental practice, always use backup software that makes a backup copy of your production data based on the schedule and frequency that you identified in the three questions. Many great software backup applications are currently available. Some of my favorites include Veeam®, Unitrends®, Acronis®, and CloudBerry®. These software programs can run backups on a schedule and push the backup copies to a host of different storage media and cloud storage providers. In the event of a ransomware attack or accidental data loss, commercial backup software can also make the restoration process easy and efficient.
Having the backup of your production data on a different device gives you a second copy of your data. Commercial backup software often has a feature that allows you to write your data to another media format such as tape or removable disks. Increasingly, software packages also allow users to duplicate their data to the cloud so that they have a copy of the data offsite, and in some cases offline as well.
I recommend implementing fully-automated backup systems that can copy production data to a secured and inexpensive storage device located within the practice. Then a copy of the backup should be uploaded to Amazon Web Services or another cloud provider so that the data is stored offsite. Dental practices that follow this protocol are not only protected against ransomware attacks, but in the event of a flood or a fire their data is safe and recoverable. Backup options are available for every budget and need.
The key to protection from a ransomware attack, or even a natural disaster, is to ensure that you have a plan to recover your business’s critical data. Dentists and team members should consult with a local IT professional to create a backup and recovery strategy that protects their important information assets. Remember, it should be a proactive effort. Trying to recover data without having a backup strategy in place is very expensive and often results in the permanent loss of data.