
Cybersecurity threats are becoming increasingly frequent and sophisticated, but dental practices can safeguard themselves by implementing proactive measures. (Image: C Malambo/peopleimages.com/Adobe Stock)

Fri. 4 April 2025


Dentists dedicate immense effort to building thriving practices, adopting advanced technologies and improving workflows, all with the aim of enhancing patient care. Technologies like practice management software, imaging systems and patient communication tools are essential for growth and success, but they can also become targets for cyberattacks. In Part 1, we explored the fundamental reasons why cybersecurity has become critical for dental practices.1 The takeaway was clear: while the stakes are high, with a clear plan and some proactive steps based on the right tools and knowledge, these risks can be managed effectively.

This article will focus on the most common cyber threats facing dental practices today—including emerging ransomware tactics that target both practices and patients. We will also outline practical, actionable steps you can take to strengthen your defences. Our aim is to empower you with the knowledge and confidence to protect your practice and your patients in today’s digital landscape.

The most common cyber threats to dental practices

Common cyber threats include ransomware attacks, phishing scams, data breaches and insider threats. Dental practices are targeted because they possess valuable data and are perceived to be vulnerable. Patient records contain sensitive information that is lucrative on the black-market section of the internet called the dark web. Many dental practices may not have robust cybersecurity measures, making them attractive targets for cybercriminals. Additionally, cyber awareness tends to be low among staff members because dental practice owners often feel that they do not have time to implement proper policies and training.

Ransomware attacks

Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money is paid. It uses encryption to scramble data so that it is unreadable unless the matching decryption key (in effect, a very long, random password held only by the attacker) is used. Encryption was designed to protect data; however, cybercriminals have learned that using encryption to paralyse organisations’ operations is an easy way to extort money. In the dental industry, such attacks can be particularly devastating, leading to significant operational disruptions and financial losses.


Ransomware attacks have evolved into double extortion schemes, where attackers not only encrypt a practice’s data but also steal patient information. The hackers then demand two payments: one for decrypting the files and another to prevent them from publishing sensitive data on the dark web. Their criminal activity has now also extended to extortion of patients directly. In November 2023, Fred Hutchinson Cancer Center in Seattle in the US experienced a cyberattack by the Hunters International ransomware group, leading to unauthorised access to its clinical network.3 The attackers claimed to have stolen 533.1 GB of data, including sensitive patient information such as names, US Social Security numbers, medical histories, laboratory results and insurance details. After the breach, patients began receiving personalised extortion emails demanding US$50 in Bitcoin to prevent their data from being sold on dark web markets. These emails included personal details to validate the threat.

This incident underscores the increasing trend of cybercriminals directly targeting individuals when organisations refuse to pay the ransom, highlighting the critical need for robust cybersecurity measures in healthcare institutions. The direct targeting of patients adds a new layer of reputational and legal risk for dental practices. It is no longer only the practice that is vulnerable; patients too are now at risk of extortion, and this can severely damage trust.

Phishing scams
Phishing is one of the most effective methods for attackers to infiltrate dental networks. These scams often involve emails or other messages that appear legitimate but contain malicious links or attachments. With the rise of AI, phishing campaigns are becoming more sophisticated, leveraging AI-generated content to create emails that are nearly indistinguishable from genuine communications. Cybercriminals are using AI tools to craft convincing phishing messages, mimicking official language, branding and even tone. These AI-powered attacks make it more difficult for dental staff to detect fraud. In a study on the performance of phishing emails, 60% of participants fell victim to AI-generated phishing emails, and research by the same authors found that AI phishing automation allows cybercriminals to enjoy a 95% increase in efficiency.4, 5 A white paper by the US Department of Health and Human Services on the threat of AI-augmented phishing to the health sector also pointed out that AI has made phishing attempts more effective, and it reported that ransomware attacks and data breaches often begin with a successful phishing attack.6 From this, it is easy to see why training for all team members using email in a dental practice must be improved.

Cybercriminals are leveraging AI to automate attacks, strengthen malware and exploit gaps faster. AI allows attackers to launch phishing campaigns on a massive scale, tailoring messages to individuals based on data harvested from social media and other online sources. AI-enhanced malware can adapt in real time, making it more difficult to detect and neutralise. AI tools can scan networks and identify vulnerabilities more efficiently than traditional methods can.


Data breaches
Data breaches can occur through vulnerabilities in software, weak passwords or even accidental insider actions, such as falling for a phishing email or simply being tricked into handing over log-in credentials by other means. These breaches expose sensitive patient information, potentially resulting in significant financial and reputational damage for dental practices.

In December 2023, Hapy Bear Surgery Center, a paediatric dental surgery centre in Tulare in California in the US, experienced a data breach.7 Sensitive patient information, including names, Social Security numbers, health insurance information and medical records, was compromised. The centre agreed to a class action lawsuit settlement, offering affected individuals up to US$8,050 in compensation and two years of credit monitoring services. Managed Care of North America Dental, a major dental insurer, experienced a cyberattack between 26 February and 7 March 2023.8 The LockBit ransomware group stole approximately 700 GB of data, affecting nearly nine million patients. Compromised information included names, Social Security numbers, health insurance details and dental records. The company refused to pay the US$10 million ransom, and the cybercriminals released the stolen data online in early April.

Beyond compliance issues, data breaches erode patient trust and can have costly legal consequences. Cybercriminals often use stolen data for identity theft or sell it on the dark web. Health information is not like a credit card that can simply be cancelled and replaced when breached. Health histories, for example, often contain some of the most sensitive and potentially embarrassing information about an individual, such as medications, treatment and diagnoses.

Insider threats
Insider threats, whether intentional or accidental, pose a significant risk. Some examples are:

  • Employees may unknowingly expose the network to malware by falling victim to phishing attacks.
  • Systems and software may be configured improperly, allowing staff members access they should not have.
  • Team members may surf the web or access personal email through practice systems, exposing the network.
  • Lack of training about common telephone or other scams can put the practice at risk.
  • A team member may act in a nefarious manner by trying to copy or steal data or manipulate systems to cover his or her tracks in cases of internal fraud.

Simple steps to strengthen cybersecurity in dental practices

It is evident from what has been explained in this article series so far that it is vital to create a budget for cybersecurity management. In many cases, a practice’s IT support providers do not have the necessary skills, certifications and experience to monitor and maintain the many aspects of compliance and cybersecurity best practice. Rather, you should work with experts who understand dental cybersecurity to implement tailored defences. Cybersecurity is a specialty requiring many years of training, a professional certification process and experience. In order to select the appropriate provider for your practice, consider the following:

  • Specialisation in dental practices: Ensure that the provider understands the unique technology used in dentistry, the compliance requirements relevant to the country in which you practise and the workflows in dentistry.
  • Certifications and expertise: Look for a provider with credentials like Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Privacy Professional (CIPP). Experience in managing dental office security is also paramount.
  • Proactive threat management: Verify the provider’s ability to provide continuous monitoring, incident response and solutions like end-point detection and response, which monitors devices such as computers, servers and digital imaging systems for threats.
  • Data protection and compliance: Confirm that the provider offers robust encryption, secure data backups and tools to maintain patient privacy and compliance with legal regulations.
  • Training and support: Choose a provider that offers ongoing cybersecurity training for staff and responsive technical support to address issues quickly.

Once you have found the appropriate certified cybersecurity professional for your practice, here are the main strategies you should work on together:

1. Develop a comprehensive cybersecurity programme
A strong cybersecurity programme is essential for protecting patient data and preventing cyber threats. To achieve this, you should:

  • formalise a cybersecurity programme that includes clear security policies that define how data should be accessed, shared and stored, as well as regular security reviews;
  • have a certified cybersecurity professional perform a professional comprehensive security risk assessment; and
  • provide ongoing cybersecurity training to all staff, focusing on how to recognise phishing scams and respond to potential threats.


2. Strengthen password management and multifactor authentication
Password security is a crucial defence against unauthorised access. To improve security, you should:

  • ensure that all passwords are unique and complex and thus strong; and
  • require two or more verification steps for access to sensitive systems—this is known as multifactor authentication.

3. Implement network security measures
Protecting your network infrastructure helps prevent cyberattacks. To secure your systems, you should:

  • keep all software and hardware up to date with the latest security patches;
  • invest in robust firewall and antivirus software tools to prevent unauthorised access and detect threats; and
  • encrypt all devices and data to ensure information remains protected.

4. Conduct regular data backups
Regular data backups are essential for disaster recovery and business continuity. To safeguard critical data, you should:

  • schedule automated backups of all critical data;
  • store backups securely, preferably in encrypted cloud storage; and
  • test your backups to ensure that data can be restored quickly in an emergency.

5. Educate staff on social engineering risks
As we learned in Part 1, a high percentage of successful breaches start with human error. Employees are often the first line of defence. Regularly train your team to:

  • identify phishing emails, including those generated by AI;
  • verify requests for sensitive information by contacting the sender directly; and
  • report suspicious activity immediately.

6. Evaluate vendor security practices
Dental practices rely heavily on third-party vendors for practice management software, imaging systems, CAD/CAM systems and other integrated tools. Before working with a vendor:

  • confirm that they comply with the relevant security standards;
  • ask about their encryption practices and data protection measures; and
  • review their incident response protocols to understand how they will handle a breach.

Building a culture of cybersecurity

Effective cybersecurity requires more than tools; it demands a culture of awareness and vigilance. Foster an environment where employees feel comfortable discussing potential risks and reporting suspicious activity. Regularly review your cybersecurity policies and adapt them to address emerging threats, such as AI-enhanced attacks and double extortion ransomware. Implement annual security awareness training, preferably training designed specifically for dentistry. Print posters with security awareness slogans to keep strategies top of mind.

Moving forward: Protecting your practice and patients

Cybersecurity threats are growing in both frequency and sophistication, but dental practices can protect themselves by taking proactive measures. Start by understanding the risks, implementing practical defences and fostering a culture of cybersecurity awareness. These steps, from combating ransomware to preparing for AI-driven phishing campaigns, will help safeguard your practice, your patients and your reputation. Cybersecurity is a shared responsibility, and every effort counts. By taking action today, dental practices can strengthen their defences and confidently face tomorrow’s challenges.

In Part 3 of this article series, we will discuss how to ensure that your data is protected and recoverable in the face of all types of disasters. We will also discuss new technologies that affordably provide failover server capabilities, ensuring uninterrupted access to patient records and practice management systems in case of server failure.

Editorial note:

This article was published in digital—international magazine of digital dentistry vol. 6, issue 1/2025. The list of references can be found here.
