A recent alert about Royal ransomware from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center highlighted the dangers of this new form of ransomware. Royal uses traditional methods such as phishing to breach networks and also exploits various network vulnerabilities. Ransom demands start at $250,000, and if the ransom is not paid, the stolen data is subsequently published on Royal’s website on the dark web.
Gary Salman of Black Talon Security, an AAO-endorsed program partner offering discounts to AAO members, provided the following information about Royal ransomware:
Royal Ransomware: Insights for Orthodontic Practices from Black Talon Security
Royal is a threat group that first appeared in the United States in September 2022. The U.S. Health and Human Services Cybersecurity Coordination Center sent out a security alert warning all healthcare organizations that Royal ransomware is targeting the healthcare sector. Healthcare is one of Royal’s primary targets, and a review of the group’s dark web data leak site shows healthcare victims listed there.
Royal often breaches networks through network vulnerabilities that go undetected by the practice’s IT resources. Royal leverages these vulnerabilities to breach the network, steal data, usernames and passwords, and ultimately encrypt as many computers as possible with ransomware. In many cases, the encryption leaves the computers compromised and inoperable. Even practices using Cloud technology would most likely not be able to function properly.
What makes Royal stand out in the cyber world is their ransom demands, which typically start at $250,000. In fact, we saw a relatively small specialty practice hit with Royal ransomware and their initial demand was $250,000.
If the healthcare entity refuses to pay the ransom demand, Royal will publish the stolen data on its website for anyone to view. For an orthodontic practice, the publication of patient records is not only a major HIPAA compliance nightmare but also creates public relations and reputational concerns. Since many of the patient records are likely to belong to minors, the compliance and reputational issues are even greater.
Royal does not appear to target only medium and large organizations; in fact, the group appears to go after smaller organizations because it knows that detecting and defending against an attack is much more difficult for a small practice.
What Can Be Done to Help Protect Your Practice?
- Vulnerability management: You must engage in real-time vulnerability management of all your computers and firewalls. A simple vulnerability (e.g., a misconfiguration or an open port in your network) can be easily detected and exploited by groups like Royal. Keep in mind that you are up against some of the most sophisticated operations in the world.
- Training: You must train your doctors and team members on cyber threats so they do not fall for a phishing email and provide an entry point into your patient data.
- Awareness of Cloud limitations: Cloud technology is not immune to intrusions. Even if your data is in the Cloud, that does not absolve you from enhancing the security of your workstations. We have seen numerous breaches at orthodontic practices where the hackers have installed screen sharing applications on computers and used the computer’s browser to access Cloud software. Hackers are very creative and find “workarounds” to security measures.
- Firewall imperative: EVERY practice must have a firewall. We still see some practices without firewalls because a software vendor told them they don’t need one. If you have a breach, it is going to be hard to argue with Health and Human Services that you felt you did not need a firewall to protect your data.
- Testing: Conduct an annual external penetration test to determine if your network is susceptible to a cyberattack.
All orthodontic practices must take a proactive approach to security to protect their valuable patient data and avoid becoming the next victim. Cyberattacks can be prevented.
NOTE from the AAO: Black Talon Security offers a range of cybersecurity discount options for AAO members, including cybersecurity, HIPAA compliance and PCI (Payment Card Industry) solutions specifically for dental practices.