Home » Issues & People » Computer vulnerabilities are real and a serious threat to the livelihood of your practice!

Computer vulnerabilities are real and a serious threat to the livelihood of your practice!

Dentists are remarkable individuals with much to offer and share with fellow dentists. In this section, which we call the “Masked Dentist”, we present real-life stories in the hope of shedding some light on the most commonly encountered issues in clinical dentistry and the delivery of dental care. These stories are presented by dentists of all ages, backgrounds, and experiences. 

If you have an experience that could be a valuable experience for your colleagues, please be generous and consider sharing it with us and your colleagues on Oasis Discussions. We encourage you to send your stories through email, phone or by uploading your documents and pictures through our Oasis Discussions website.

All stories are moderated by the CDA Oasis Team, are edited to remove obvious identifiers, and are published anonymously to protect your identity.

Line divider

The following story is presented by a general dentist: 

You think you’re protected: Computer vulnerabilities are real and a serious threat to the livelihood of your practice!

It started as a normal day at the office, or so we thought…

As usual, I was busy at the back with patients and staff at the front desk were busy welcoming patients. During the course of a normal day, email is our means of communicating with patients, referring offices and others. However, that day would prove to be “special”.

A team member opened what she had thought was an email from one of our regular referring offices with the subject line ‘Invoice’ and zip file attachment. As soon as she clicked to open the email, the “zip” file started encrypting all of our databases. Not only that, it also sought all the databases housed on our network and encrypted EVERYTHING! The email contained a malware that encrypted all our data and demanded a ransome to release it. 

Petrified, we thought we lost everything: all patient and other records, radiographs, periodontal charts, the office schedule! We were stunned: this is the day you think you had prepared for and protected against but, much to our chagrin we were STILL ill-prepared. How could this happen?

Our office has adopted the ‘paperless approach’ for over 10 years. Our infrastructure consists of one server with two mirrored hard drives. We schedule daily back-ups on tape drives that are removed daily from the office at the end of the day. We always run the scheduled and latest version of antiviral software on all our computers. Our information technology support team (IT) regularly reviewed our backup tapes and told us that everything looked fine. 

Although we immediately shut down all office computers, it was too late to reverse the damage. Quickly, our IT team tried to restore our system, using the back-up tapes; however, the back-ups didn’t contain the original databases! My IT experts reached out to a colleague in an another IT organization; they remotely ran a program that attempted to access the most recent back-up, one hour before the corrupted email was received, but the operation failed too! 

A real disaster, our worst nightmare! Not only did I feel helpless, I was humbled. I thought we did everything that needed to be done in preparation for this day, but the reality was different. There was nothing I could do!

The ‘virus’ that attacked our IT system was called “Ransomware”. Initially, when IT was attempting to fix the system, we received messages stating that we could decrypt one file for free. It was worth a try so, we chose a patient letter and within 30 seconds it was back to its original form.  We ended up paying a ‘ransom’ of $500 USD in ”bitcoins”, another online nightmare as it is an untraceable service and difficult to purchase in Canada. Within 48 hours, we were completely restored and back to where we were before opening the infected email.

This was probably one of the most stressful situations I have encountered in my dental career. The medico-legal and financial implications from the fallout would have been devastating to my patients, the practice and my career. Computer security and privacy are REAL issues that we MUST be better prepared for.

 

Share your story if you have been in the same situation, you may help a colleague  oasisdiscussions@cda-adc.ca

Follow-up

Anne Genge, CEO, Co-Founder of Healthcare Compliance Network Inc. spoke with Dr. John O’Keefe about what dentists must do to protect themselves against this and other similar situations.

Watch Anne Genge’s video interview

3 comments

  1. Re: submission by Suham Alexander dated Sep 15, 2015

    It would be helpful if we were informed why the daily restore was unable to restore the back-up data. Was the back-up not configured correctly? It appears that in this case the office did not have their backup configured properly. It was not backing up the correct databases – this was a failure by their IT company. Also, their anti-virus software missed removing this zipped file.
    If that was the case why not state that clearly or give a reason why his back-up would not restore and which anti-virus was being used so others would avoid such a problem!

    • Yes you are correct in saying the backup was configured incorrectly. Within the past 6-12 months without the knowledge of our IT support, the 2TB backup tape drives which originally had full backup with databases was only saving new data. As for the anti-viral software, it was the latest version of AVG however the ZIP file/malware bypassed the AVG and was able to ‘infect’ our databases. Since this episode we now have six daily backups with 2TB tape drives but also two external harddrives as a supplemental backup so we hope we’re protected.

  2. This as they would say in the movies ‘a clear and present danger’. In June the security company MacAfee reported that ransomware attacks were up 165% in the first quarter alone. There are 3 crucial layers of protection that dental offices should deploy. These include secure email with filtering to catch bad files on their ‘way in’. Next, you must purchase more than just antivirus protection…go with ‘endpoint’ protection which provides many layers of scanning, filtering, and intrusion prevention. Finally, we usually recommend buying backup through your practice management company as they will backup and verify your data on a regular basis. Some also provide services which will give you access to your data ‘virtually’ within as little as one hour of your disaster. If you do these 3 things you should be pretty BULLETPROOF.

%d bloggers like this: