Dentists (and Doctors) A Target For Cyber Criminals
DentistryIQ, a web site for dental professionals, ran a piece last week about dentists (and, while the article didn’t talk about it, doctors as well) being a target for cyber criminals (see article).
If you think about it, it makes a lot of sense. Think about all the non-public personal information that a dental or other health care practice keeps: Social Security numbers, names, addresses, birth dates, phone numbers and even client banking information. That, of course, is in addition to all of the health care (HIPAA protected) information.
Fines for loss of HIPAA protected information can be staggering – up to $1,500,000 a year in some cases, but even the small fines hurt. A practice can be fined up to $25,000 a year even if the person did not know of the violation and reasonably would not have known (reference).
That of course does not include costs for investigating the breach, notifying patients, remediating the problem, lawsuits, legal costs, etc.
Some dentists, the article says, don’t think small offices are attractive targets. Think about it. If I were a crook, would I want to go after a large company with an in-house IT team and a lot of security hardware and software? Or would I rather go after a small office with no in-house IT and weaker security?
Again, according to the article, health care organizations account for 33% of all breaches, making health care the single most breached industry. More than half of the organizations that are breached have fewer than 1,000 employees.
In fact, 55% of all breaches compromise fewer than 1,000 records (see post here). If a practice has only 300 families as patients and each family has 3+ members, that is 1,000 records. That would be a small practice.
This means that health care practices need to consider the risks and take appropriate, cost-effective actions. Many times employees accidentally do things (like clicking on links or surfing compromised web sites) that cause a breach. Many actions to reduce risk are inexpensive and not terribly painful.
In addition, having an incident response plan is very important. Otherwise, you will be flailing if something occurs.
Plan now so you don’t have to panic later.
Mitch