
In an exclusive interview with Cyber Intelligence, Tom Terronez, the chief executive of Medix Dental IT, describes the cyber-threats currently overwhelming many US dental practices. His warnings concerning data can be equally applied to doctors’ surgeries, upmarket beauticians and hairdressers, and other small businesses that provide personal services.
Cyber Intelligence: We all use dentists. How much non-dental data do they hold on us?
Tom Terronez: Dental practices in the US, for example, hold a great deal of information about their patients, their families, and their employers, together with personal financial data and, often, their social security numbers. In other words, everything needed to steal someone’s identity and then some.
Cyber Intelligence: How well-protected are dental practices?
Tom Terronez: Not very well at all – is the answer. The underlying difficulty is that dental practices tend to use the services of small IT contractors who cannot provide the full spread of cybersecurity services they need. Dental practices tend to keep much of their data in on-premises servers rather than the cloud. Unfortunately, sometimes these are not even protected by a firewall.
Cyber Intelligence: What makes cybercriminals decide to hack into dental practices?
Tom Terronez: They can target them with ransomware by using artificial intelligence (AI) to send out large numbers of weaponized phishing emails to unsuspecting dental practices. They target dental practices because they are especially vulnerable and usually are storing extremely valuable information on-premise. I always say that threat actors target easy prey or valuable prey and dental practices are a nice combination of both.
Cyber Intelligence: Dentists, of course, use all kinds of drugs and equipment. Can you give any examples of supply-chain attacks impacting dental practices?
Tom Terronez: The best-known example is that of US healthcare company Henry Schein, which suffered a massive ransomware attack that took all its systems down and encrypted about 35 terabytes of data. The February ransomware attack against UnitedHealth-owned prescription processor Change Healthcare also effectively blocked insurance payments from dental practices, thereby temporarily depriving them of their main source of income.
Cyber Intelligence: Are there any other reasons, apart from supply chain vulnerabilities, why organized cybercriminals would target a dental practice?
Tom Terronez: There are many possible reasons. For example, a determined cybercriminal group might hack an upmarket dental practice close to Wall Street in order to steal the personal data of a key individual at a major financial institution. The cybercriminals could then use that information for a carefully constructed spear-phishing attack precisely tailored to the Wall Street executive being targeted. These could even include voice or even deepfake video conversations with the target’s colleagues and clients.
Cyber Intelligence: What can dental practices do to protect their clients’ personal data?
Tom Terronez: They should begin by purchasing regular cybersecurity training sessions. Cybercrime and, therefore, cybersecurity are evolving so rapidly that just having one initial session is not enough. The other practical step that most dental practices could take is to move their data onto the cloud. Although the cloud is not 100 percent secure, it is a far safer home for their data than trying to store it themselves without sufficient cybersecurity knowledge or expertise.
Cyber Intelligence: Thank you.