FBI Issues Warning to Oral and Maxillofacial Dental Practices: Stay Vigilant Against Cyber Threats

On Tuesday, May 6, 2024, the Federal Bureau of Investigation (FBI) issued a crucial advisory to the American Dental Association (ADA) and the American Association of Oral and Maxillofacial Surgeons (AAOMS) regarding an imminent cybersecurity threat targeting oral and maxillofacial surgery practices. While no instances of cyberattacks had been reported as of that date to this new threat, the FBI took proactive measures to alert and educate practitioners in an effort to prevent potential victimization. Notably, the FBI indicated a concerning shift in tactics, suggesting that the group responsible for previous cyberattacks, which targeted plastic surgeons last year, may now be directing their focus towards oral and maxillofacial surgery practices. In a recent development, the Federal Bureau of Investigation (FBI) has issued a credible warning to oral and maxillofacial dental practices regarding potential cyber threats. This alert underscores the pressing need for heightened cybersecurity measures within the dental community to safeguard sensitive patient information and preserve the integrity of professional operations.

While the present threat specifically targets oral and maxillofacial surgeons, hackers often expand their targets of interest and that may include general dentists and other specialists.

The Nature of the Threat:

Cyber threats targeting oral and maxillofacial dental practices have become increasingly sophisticated and prevalent in recent years. Hackers, often operating through malicious software or phishing schemes, seek to gain unauthorized access to patient records, financial data, and other confidential information. Once compromised, this sensitive data can be exploited for fraudulent activities or sold on the dark web, posing significant risks to both patients and practitioners alike.

Examples of Cyber Attacks:

  1. Ransomware Attacks: Hackers deploy ransomware to encrypt vital practice data, demanding exorbitant sums of money in exchange for decryption keys. Failure to comply can result in permanent data loss or public exposure of private patient information.
  2. Spear Phishing Scams: Cybercriminals masquerade as legitimate entities, such as insurance providers or software vendors, to deceive unsuspecting staff members into divulging login credentials or downloading malicious attachments. These tactics can lead to unauthorized access to sensitive systems and compromise the security of patient records.
  3. Data Breaches: Infiltration of practice networks can result in the unauthorized extraction of vast quantities of patient data, including personally identifiable information (PII) and protected health information (PHI). Such breaches not only violate patient privacy rights but also expose practices to potential legal liabilities and reputational damage.

The FBI presented a scenario wherein the threat actor assumes the identity of a prospective new patient, or expresses interest in becoming one, to gain access to new patient forms available online. Subsequently, upon receiving the forms, the threat actor contacts the practice under the guise of encountering difficulties with online submission, and requests permission to scan and email the forms instead. However, the email attachment purportedly containing the forms is laden with malware, constituting a phishing scheme upon its opening. This results in the extraction or exfiltration of some or all of patient data.

Protecting Your Practice:

To mitigate the risks posed by cyber threats, all dental practices are encouraged to implement robust cybersecurity protocols and remain vigilant against suspicious activities. Key measures include:

  • Use vulnerability scanning technology to scan your firewalls daily and your computers and servers every four hours to detect vulnerabilities hackers can and will exploit to gain access to your network.
  • Educating staff members on cybersecurity best practices, including the recognition of phishing attempts and the importance of password hygiene.
  • Utilizing encryption and multi-factor authentication to secure sensitive data and prevent unauthorized access.
  • Implementing data backup procedures to ensure the availability and integrity of critical practice information in the event of a cyber incident.
  • Have an annual penetration test performed by a cybersecurity company.

Impact on the Bottom Line:

Beyond the immediate implications for patient privacy and practice operations, cyber threats can have significant financial ramifications for oral and maxillofacial dental practices. Remediation costs associated with data breaches, including forensic investigations, legal fees, and regulatory fines, can quickly escalate into the tens of thousands or even millions of dollars. Moreover, the reputational damage inflicted by a cybersecurity incident may result in loss of patient trust and diminished revenue streams over the long term.

DSWP spoke with Sue Griffin, Chief Operating Officer of Black Talon, regarding the current threat landscape and historical incidents within the dental community. Ms. Griffin affirmed the validity of the FBI warning and disclosed a previous ransomware incident wherein hackers demanded a sum of $2 million from a small dental group.

In light of these pressing concerns, proactive investment in cybersecurity infrastructure and staff training is not just a prudent business decision but a moral imperative to safeguard patient welfare and preserve the integrity of the dental profession. Practices must implement security testing beyond just a firewall and anti-virus software. Vulnerability scanning, penetration testing and training are key components of offensive security measures.

The FBI’s warning serves as a timely reminder of the ever-present threat posed by cybercriminals to  dental practices. By adopting a proactive stance towards cybersecurity and implementing robust protective measures, practitioners can fortify their defenses against malicious actors and uphold the highest standards of patient care and confidentiality.

Together, let’s remain vigilant, resilient, and united in our commitment to safeguarding the well-being of our patients and the integrity of our profession in the face of evolving cyber threats.

Sources

FBI Warns of Credible Security Threat to Dental Practices

https://sitefinity.ada.org/home/2024/05/08/fbi-warns-of-credible-cybersecurity-threat-to-dental-practices
David Bruger