Tag Archives: risk management

Dentists (and Doctors) A Target For Cyber Criminals

DentistryIQ, a web site for dental professionals, ran a piece last week about dentists (and, although the article didn’t say so, doctors as well) being a target for cyber criminals (see article).

If you think about it, it makes a lot of sense.  Think about all the non-public personal information that a dental or other health care practice keeps: Social Security numbers, names, addresses, birth dates, phone numbers and even patient banking information.  That, of course, is in addition to all of the HIPAA-protected health information.

Fines for loss of HIPAA-protected information can be staggering, up to $1,500,000 a year in some cases, but even the small fines hurt.  A practice can be fined up to $25,000 per year even if the person did not know of the violation and reasonably would not have known (reference).

That of course does not include costs for investigating the breach, notifying patients, remediating the problem, lawsuits, legal costs, etc.

Some dentists, the article says, don’t think small offices are attractive targets.  Think about it.  If I were a crook, would I want to go after a large company with an in-house IT team and a lot of security hardware and software?  Or would I rather go after a small office with no in-house IT and weaker security?

Again, according to the article, health care organizations account for 33% of all breaches, making health care the single most breached industry.  More than half of the organizations that are breached have fewer than 1,000 employees.

In fact, 55% of all breaches compromise fewer than 1,000 records (see post here).  If a practice has only 300 families as patients and each family has three or more members, that is roughly 1,000 records.  That would be a small practice.

This means that health care practices need to consider the risks and take appropriate, cost-effective actions.  Many breaches start with an employee accidentally doing something (clicking a link in a phishing email, or visiting a compromised web site) rather than with a sophisticated attack.  Many actions that reduce that risk are inexpensive and not terribly painful.

In addition, having an incident response plan is very important.  Otherwise, you will be flailing if something occurs.

Plan now so you don’t have to panic later.


Are you managing your third-party connections?

Those of you who have been following Target’s security breach are probably aware that the publicly stated source of the breach was a heating and cooling (HVAC) vendor whose employee clicked on a malicious email, setting in motion one of the largest security breaches ever.

Since the old adage says that your firm’s security is only as good as its weakest link, you might assume that companies would be reviewing the security of the third-party vendors and other organizations that make up their supply chain.

According to an article in CSO Online, only 44% of companies surveyed make the effort to vet the security of third-party vendors and others in their supply chain.

92% of the firms surveyed don’t have a supply chain risk management process at all.

We have heard of law firms being targeted.  Apparently, the bad guys have figured out that it may be easier to attack a company’s law firm than the company itself.

Do your vendors have the ability to log in to your systems?  You might say that if the answer to that question is no then you are safe.  Maybe not.

If those third parties can send you an email or a Word document, they can be the vector for an attack on you; a compromised vendor mailbox delivers a very convincing phishing message.  If they can also log on to your systems, the risk is higher still.

My suggestion: use a risk management process to minimize the likelihood of your most important vendors being the source of a breach of your information.

Remember that even if they have cyber liability insurance (and since you are not vetting them, you don’t know), you are the one who gets the black eye, not them.  Nobody remembers the name of the heating contractor that started the Target breach.  And if all they have is general corporate liability insurance, the odds of you collecting a dime are nil.

Food for thought.