How to prevent a data breach


Photo: molostock – 123rf

More and more businesses are reporting data breaches, including dental practices. The fallout when this happens can be painful and costly and is why it is more important than ever to have a cybersecurity plan in place—and stick to it.

By Stuart Turner

With 25 years’ experience advising dental practices, healthcare providers and other businesses on cybersecurity issues, Chris Haigh knows just how damaging data breaches can be.

“Imagine what a horrible experience it would be to have your house broken into and your property ransacked,” says Haigh, chief information security officer with Queensland-based Mercury IT. “I can imagine enduring a data breach is a similar experience if you’re a small business like a dental practice.

“Managing the reputational and financial implications and the lost time remedying the situation can be a devastating process.”

That process is becoming increasingly common for Australian businesses. The Office of the Australian Information Commissioner (OAIC), the national regulator for privacy and freedom of information, was notified of more than 900 data breaches between July 2022 and June 2023. Some of Australia’s biggest companies, including Optus and Medibank, have suffered well-publicised data breaches affecting millions of customers in recent years.

Dental organisations are also not immune to data breaches. For example, in 2020, more than a million patients were affected after the Dental Care Alliance, which manages more than 300 practices, suffered a month-long cyber attack. The practice support group later settled a class action lawsuit for US$3m.

“Dental practices are susceptible to cyber attacks because they have information like Medicare records which can potentially be highly valuable to criminals,” says Kenneth Tan, a cyber security presenter with the Australian Dental Association NSW Branch. “Small businesses are also a target for cybercriminals because they may not have adequate protection systems in place.

“You might be the world’s best dental practitioner, but patients these days are rightly concerned about their personal data. Trust is paramount in the healthcare industry and if that trust is broken through a data breach, the fallout can be huge.”


The OAIC defines a data breach as “when personal information is accessed or disclosed without authorisation or is lost.” Its website has a wealth of information on data breaches, including explanations of the criteria for an “eligible data breach,” whether a breach has triggered notification obligations under the Notifiable Data Breaches scheme and the Privacy Act, and the necessary steps to take if a data breach has occurred.

A common external cause of a data breach is a phishing attack, in which a would-be hacker sends a fraudulent email or text message purportedly from a large organisation, requesting sensitive data such as passwords. Password attacks, ransomware—encrypting the data of the target organisation until a ransom is paid—and malware, which targets computers, networks or servers, are also popular tactics.

Other causes of data breaches include ‘inside jobs’, accidental leaks, exploitation of weak login credentials and simple human error, such as emailing patient records to an unintended recipient.

“Dental practices keep sensitive personal information, meaning they have a greater onus to keep it secure,” says Sharon McMillan, practice plus consultant at ADA Victoria and presenter on data breaches for the state branch.

“Many practices also keep ‘social’ information about patients, such as names of family members, hobbies and interests and non-clinical photographs for identification purposes. It’s putting a lot of potentially valuable data on a plate for cybercriminals.

“You should only collect data that is necessary to provide a dental service.”

Under tougher legislation introduced in 2022, Australian businesses can be fined $50m for serious or repeated data breaches. While McMillan says a dental practice incurring a data breach would be unlikely to receive a hefty fine, particularly if it handles a first-time breach well, it underlines the need to take data privacy seriously.


“I think dentists generally are very compliant and look for the correct way to do things,” she says. “It’s almost inevitable that a business will be targeted or suffer a data breach by human or equipment error at some point though, so you need a plan to minimise the risk.”

She says a cybersecurity plan could include undertaking regular IT audits, reviewing record-keeping procedures and policies, analysing server security and employing an IT and mobile device usage policy in the practice.

Haigh says employing two-step password authentication procedures on practice computers and password management are relatively simple security steps to take. Other measures could include purchasing cybersecurity insurance, consulting external cybersecurity experts for further advice—if budgets allow—and regular staff training on maintaining data privacy. “Get into the habit of having a high caution level in the practice,” Haigh says. “Train and educate your staff not to click on suspicious emails, for example.

“Ask yourself, ‘What measures do we have in place and are we doing the right thing? Do we know what to do and if we don’t, who can help us?’”

More broadly, Haigh says dental practices should take “basic but essential” data privacy measures. “For example, don’t throw patient records into a skip or a wastepaper bin—use a shredder,” he advises. “Don’t leave records and other correspondence on desks or passwords on post-it notes. Log off and close down computers and laptops at the day’s end.”

Haigh also warns that, with constant technological developments, data breaches will become more common.

“Cybersecurity threats are always evolving and cybercriminals are upping their game,” he says. “With things like artificial intelligence and ChatGPT becoming commonplace, it will be even harder for businesses to identify what’s real and what’s fake.

“It emphasises the importance of dental practitioners knowing about the importance of cybersecurity.”
