Unfortunately, cybercriminals are now leveraging the COVID-19 pandemic to target businesses of all sizes. Cyberattacks and phishing campaigns put orthodontic practices at high risk during this potential time of weakness. Historically, successful cyberattacks against the orthodontic sector have resulted in stolen, inaccessible, or destroyed patient electronic health information; unavailable websites, servers, and email systems; disabled or disrupted telephone communications; and cancelled or delayed appointments. As the rapid emergence of COVID-19 within the US has already begun to strain our practices, a disruptive cyberattack could further delay our ability to return to practice normalcy.
As you make decisions about your practice, including the possibility of long-term closures, please consider the following mitigation strategies to reduce the risk of a potentially crippling cyberattack. Should you have any questions regarding the information provided, please see the source information from endorsed AAO partner Black Talon Security, posted at the end of this notice. We will continue to provide additional information on this topic as we receive it.
Establishing Remote Access for Your Practices
Warnings are being issued by government agencies related to cybercriminals targeting businesses that are turning on remote access to their systems in order to help with business continuity. Remote access is a powerful tool but, if not implemented correctly, may result in a cyber or ransomware attack against your business.
Consider the Following Now:
- Unless your IT vendor clearly understands the risks associated with Remote Desktop Protocol (RDP), do not allow them to enable it. RDP is frequently exploited, and RDP that is reachable from the internet is a primary target of cybercriminals.
- Utilize a remote-control software that allows you to “log in” to a computer at your office.
- Make sure the remote-control software uses Multi-Factor Authentication (MFA), which makes it much more difficult for a cybercriminal to break into your system. MFA sends a text message to your cell phone or prompts an app on your phone to confirm that the login is really you.
- Use strong passwords that combine multiple words, numbers and special characters when authenticating to the remote-control software.
- If you are using a VPN, make sure your IT vendor has updated all the VPN software. As of just a few months ago, many VPNs had vulnerabilities that could allow a breach to occur.
- Make sure all remote computers are running the latest version of Windows 10 or macOS.
- Make sure all remote computers have anti-virus software installed and the virus definitions are up-to-date.
- For Wi-Fi enabled devices, use the strongest encryption protocol available. WPA3 is the newest. At a minimum, you should be using WPA2.
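The checklist above can be verified on each Windows computer rather than taken on trust. The script below is an added example, not part of the AAO/Black Talon advisory: a read-only audit that reports whether RDP is switched on, whether the firewall admits Remote Desktop, the Windows build, pending updates, Microsoft Defender's real-time protection and signature age, and the Wi-Fi authentication type. It assumes Microsoft Defender is the anti-virus in use (replace step 4 for another product) and the three-day signature-age threshold is this example's choice. MFA and VPN patching cannot be read from the workstation, so the script lists them as manual checks.

```powershell
# Added example (not part of the AAO/Black Talon advisory): a read-only audit of a
# Windows 10 computer against the remote-access checklist above. Run it in an
# elevated PowerShell window on every computer that staff will reach remotely.
# Assumptions: Microsoft Defender is the anti-virus (replace step 4 for another
# product); the 3-day signature-age threshold is this example's choice.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Remote Desktop Protocol: fDenyTSConnections = 1 means RDP is switched off.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP is ENABLED; the checklist says not to use it unless the risks are understood.')
    # If it must stay on, Network Level Authentication (UserAuthentication = 1) is the minimum.
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    if ($nla.UserAuthentication -ne 1) { $findings.Add('RDP is enabled without Network Level Authentication.') }
}
# Inbound Windows Firewall rules in the built-in "Remote Desktop" group.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
if ($rdpRules) { $findings.Add("Inbound firewall rules for Remote Desktop are enabled ($(@($rdpRules).Count) rule(s)).") }

# 2. Operating system: record the build so it can be compared with Microsoft's current release.
$os = Get-CimInstance Win32_OperatingSystem
$findings.Add("OS: $($os.Caption), build $($os.BuildNumber); confirm this is the current Windows 10 release.")

# 3. Updates that are installed but not active until the computer restarts.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
    $findings.Add('Windows Update has installed patches that are waiting for a restart.')
}

# 4. Anti-virus: real-time protection on and signatures fresh (Microsoft Defender).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings.Add('Defender status not available; confirm the third-party anti-virus and its definitions manually.')
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF.') }
    if ($mp.AntivirusSignatureAge -gt 3) { $findings.Add("Anti-virus definitions are $($mp.AntivirusSignatureAge) day(s) old.") }
}

# 5. Wi-Fi: authentication type of the network this computer is connected to.
$wlan = netsh wlan show interfaces 2>$null
foreach ($line in ($wlan | Select-String 'Authentication\s*:\s*(.+)$')) {
    $auth = $line.Matches[0].Groups[1].Value.Trim()
    if ($auth -notmatch 'WPA[23]') { $findings.Add("Wi-Fi authentication is '$auth'; use WPA2 at minimum, WPA3 if available.") }
}

# 6. Items a script cannot verify from the workstation.
$findings.Add('Manual: confirm MFA is turned on in the remote-control software and the VPN software is patched.')

$findings | ForEach-Object { " - $_" }
```

Each line of output is one item to resolve with your IT vendor; a clean run still prints the OS line and the manual reminder, because those two items need a human decision.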
If you are able, back up any and all practice data on an external hard drive. This includes imaging, patient information, attachments and financial information. This backup should be saved to an encrypted external hard drive that is stored offsite. A locked safe is the best location.
In parallel, confirm that all your cloud data backup is up-to-date and all your systems are being backed up.
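A backup that was never checked is a guess. As an added example (not from the advisory), the function below verifies an offline copy before the drive goes into the safe: it confirms the external drive is BitLocker-encrypted, checks that every source file exists in the backup with an identical SHA-256 hash, and warns if the backup is older than the newest practice data. The folder paths and drive letter are placeholders, and BitLocker is assumed to be the encryption in use; the one-day freshness window is this example's choice.

```powershell
# Added example (not part of the advisory): verify an encrypted offline backup copy.
# Assumptions: placeholder paths below; the external drive is encrypted with BitLocker
# (the BitLocker cmdlets need Windows 10 Pro or better); MaxAgeDays is this example's choice.

function Test-BackupCopy {
    param(
        [Parameter(Mandatory)][string]$Source,   # e.g. D:\PracticeData (placeholder)
        [Parameter(Mandatory)][string]$Backup,   # e.g. E:\PracticeData on the external drive (placeholder)
        [int]$MaxAgeDays = 1
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Is the external drive encrypted?
    $driveLetter = Split-Path -Qualifier $Backup
    $bl = Get-BitLockerVolume -MountPoint $driveLetter -ErrorAction SilentlyContinue
    if ($null -eq $bl) {
        $problems.Add("Could not read BitLocker status for $driveLetter; confirm the drive is encrypted.")
    } elseif ($bl.ProtectionStatus -ne 'On') {
        $problems.Add("Backup drive $driveLetter is NOT BitLocker-protected (status: $($bl.ProtectionStatus)).")
    }

    # 2. Every source file must be present in the backup with an identical SHA-256 hash.
    $srcFiles = @(Get-ChildItem -Path $Source -Recurse -File)
    foreach ($f in $srcFiles) {
        $rel  = $f.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $copy = Join-Path $Backup $rel
        if (-not (Test-Path -LiteralPath $copy)) {
            $problems.Add("Missing in backup: $rel")
            continue
        }
        $h1 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($h1 -ne $h2) { $problems.Add("Content differs: $rel") }
    }

    # 3. Freshness: newest file on the backup vs newest file in the source.
    if ($srcFiles.Count -gt 0) {
        $newestSrc = ($srcFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        $bakFiles  = @(Get-ChildItem -Path $Backup -Recurse -File -ErrorAction SilentlyContinue)
        if ($bakFiles.Count -eq 0) {
            $problems.Add('Backup folder is empty.')
        } else {
            $newestBak = ($bakFiles | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
            if ($newestBak -lt $newestSrc.AddDays(-$MaxAgeDays)) {
                $problems.Add("Backup is stale: newest backup file $newestBak, newest source file $newestSrc.")
            }
        }
    } else {
        $problems.Add("No files found under $Source.")
    }

    [pscustomobject]@{
        FilesChecked = $srcFiles.Count
        Problems     = $problems
        Passed       = ($problems.Count -eq 0)
    }
}

# Usage with placeholder paths:
# Test-BackupCopy -Source 'D:\PracticeData' -Backup 'E:\PracticeData' | Format-List
```

Hashing every file is slow on large imaging folders, but it is the only check that proves the copy is readable and intact; a drive that mounts and shows the right file names can still hold corrupt data.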
Phishing Attacks/Social Engineering
Be extremely careful when receiving any emails related to COVID-19. These phishing emails are designed to lure you into clicking on links or attachments that may seem relevant to the current situation. In addition, “heat maps” that show the infection rates may direct you to a fake website that will download malicious code onto your device.
Please be extremely careful with these types of emails and always use the link-hovering technique to verify the destination: place your mouse over the link or image, look at the bottom left corner of your screen, and check the URL (web address) shown there.
Five signs of a COVID-19 phishing email:
- A link to a “heat map” showing the infection areas/rates
- A link to a fake government or state agency designed to look real
- A link to a government or state agency with a legitimate name, but a fake hyperlink
- A warning to download a document related to COVID-19
- A link to a hospital or other healthcare institution
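Hovering checks one link at a time; the function below applies the same check, plus the five signs listed above, to every link in a message saved as HTML. It is an added example, not part of the advisory. For each anchor it shows the visible text beside the real destination and flags a text/destination mismatch, an agency-style name buried inside another domain, heat-map or download wording, a link straight to an executable or macro-enabled file, and a bare IP address. The sample message is constructed: the fake destinations use the reserved example.net domain and a 198.51.100.0/24 documentation address.

```powershell
# Added example (not part of the advisory): automate the "hover over the link" check
# for a saved HTML email. The sample message below is constructed; its fake
# destinations use the reserved example.net domain and a documentation IP address.

function Get-UrlHost([string]$Url) {
    try { return ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return '' }
}

function Test-EmailLinks {
    param([Parameter(Mandatory)][string]$Html)
    # Match each anchor: group 1 is the href, group 2 the visible text.
    $anchor = '(?is)<a\b[^>]*?href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $anchor)) {
        $href     = $m.Groups[1].Value.Trim()
        $text     = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()   # drop inner tags
        $hrefHost = Get-UrlHost $href
        $flags    = New-Object System.Collections.Generic.List[string]

        if ($href -notmatch '^https?://') { $flags.Add('not an http(s) link') }

        # Sign 3: the text shows a real-looking domain but the hyperlink goes elsewhere.
        if ($text -match '(?i)\b([a-z0-9-]+\.)+(gov|com|org|net|edu)\b') {
            $textHost = $Matches[0].ToLowerInvariant()
            $related  = ($hrefHost -eq $textHost) -or $hrefHost.EndsWith(".$textHost") -or $textHost.EndsWith(".$hrefHost")
            if (-not $related) { $flags.Add("text says '$textHost' but link goes to '$hrefHost'") }
        }
        # Sign 2: an agency-style .gov/.org label inside a different domain.
        if ($hrefHost -match '\.(gov|org)\.' -and $hrefHost -notmatch '\.(gov|org)$') {
            $flags.Add("agency-style name inside another domain: $hrefHost")
        }
        # Signs 1, 4 and 5: heat-map, download or healthcare wording.
        if (($text + ' ' + $href) -match '(?i)heat\s*map|download|hospital|clinic') {
            $flags.Add('COVID-19 lure wording (heat map / download / healthcare)')
        }
        # A link straight to a program or macro-enabled document.
        if ($href -match '(?i)\.(exe|zip|scr|js|hta|docm|xlsm|iso)(\?|$)') {
            $flags.Add('link points directly at an executable or macro-enabled file')
        }
        if ($hrefHost -match '^\d{1,3}(\.\d{1,3}){3}$') { $flags.Add('destination is a bare IP address') }

        [pscustomobject]@{ Text = $text; Destination = $href; Flags = ($flags -join '; ') }
    }
}

# Constructed sample: one benign link and two showing the signs above.
$sample = @'
<p>See the latest figures at <a href="https://www.cdc.gov/coronavirus">www.cdc.gov</a>.</p>
<p>View the <a href="http://cdc.gov.covid-map.example.net/heatmap">www.cdc.gov heat map</a> for your county.</p>
<p><a href="http://198.51.100.7/COVID19_Guidance.docm">Download the COVID-19 guidance document</a></p>
'@

Test-EmailLinks -Html $sample | Format-Table -AutoSize -Wrap
# For a real message saved from your mail client as HTML:
# Test-EmailLinks -Html (Get-Content .\message.html -Raw) | Format-Table -AutoSize -Wrap
```

On the sample, the first link produces no flags; the second is flagged for the text/destination mismatch, the agency-style name inside another domain, and heat-map wording; the third for download wording, a macro-enabled file and a bare IP destination. An empty Flags column does not prove a link is safe, only that none of these five patterns applies, so the hover check still matters for anything the script passes.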
Black Talon Security