WannaCry: How Secure Is Your Orthodontic Practice’s Data Anyway?

I was recently approached by an orthodontist who really, really wanted to cry: all of his office’s documents including patient communications, case images and x-rays stored on his practice’s computers were encrypted by this virus. Since paying the ransom was out of the question (you don’t negotiate with cyberterrorists as blackmail never really ends), his office was down for 3 full days until his IT support contractor rebuilt all of his computers and restored his practice’s data from offline backups. Total cost: $3,750 in IT support fees and $27,000 in lost revenue for the practice. Ouch!

How could this happen?

His IT support people swear that they kept his computers patched up and his antivirus definitions current. Being on a support plan, he was keeping his practice management system diligently up to date by installing all upgrades as soon as they were released by the vendor.

Yet all it took was for one of his assistants to inadvertently open up a seemingly innocuous personal email on a practice computer just before leaving the office the night before.

Being asked to do an analysis of his computers and network to determine his true level of exposure to future such events, here is what we found:

  1. His practice management system (which shall remain nameless) is of an old design which stores all patient images, x-rays, and communication documents as independent files in regular folders on the server while accessing them through the practice management screens via links stored in the database. This architecture, still prevalent in most orthodontic practice management systems on the market today, exposes all these files to partial corruption, inadvertent deletion or relocation – and encryption attacks such as this.
  2. A large number of practice-critical documents such as letter templates, checklists, and patient consent forms in Word and PDF format, scanned insurance claims and EOBs in PDF format, and case presentation slides in PowerPoint format were kept on local computers, outside of the practice management system. All of these files were encrypted by the virus.
  3. Having his practice management server in his office on a local area network made it an easy target to a virus outbreak initiated for any computer or laptop connected to the same network. On the positive side, his server backups were stored offsite and they were not infected, making an almost full recovery of his data possible.

Having strong passwords did not help in his case. Once a virus infects a computer where a user with administrative rights is logged in (and we all want administrative rights nowadays, don’t we?), it will impersonate that user’s credentials and get access to everything the user has access to. Which in this case was all the information that was not in the database, meaning all the files on all the computers inside the office, including the server.

So what can an orthodontist do to protect his or her practice from these types of attacks, now and in the future?
  1. Move your practice management system in the cloud. This way, even if all the computers in your practice become infected, your cloud data is still there. All you have to do is bring your laptop from home, connect it to the cloud, and continue to see patients while your other computers are being rebuilt clean.
  2. Consider switching to a practice management system of a more recent design, which stores all checklists, documents, images, and x-rays within its database. Better yet, consider a practice management system that has its own built-in word processor and template editor and which does not require any interaction with locally stored files or an outside program. An encryption attack can’t affect you if there is nothing there to encrypt in the first place.
  3. And lastly, ask your cloud vendor if a) your data is kept segregated from the other practices’ data, and b) whether your practice management system runs in a dedicated virtual server instance or runs in a shared server instance with other practices. Beware that most “HTML-5” practice management systems are nothing but glorified large public web sites, where both answers will be negative. As a general rule – the bigger the target, the most likely is that the target will be hacked and the bigger the chance that a cloud breach will affect your practice as well.

    As a native Cloud 2.0 product deployed in a private cloud or hybrid cloud model, Visual Orthodontics has been carefully engineered to offer built-in protection to encryption attacks (and many others) by minimizing its attack surface through all of the architectural choices listed above – and many, many more.

Contact us now at (888) 845-7621 or on the web at www.visualorthodontics.com to learn how Visual Orthodontics can propel your practice further faster – all while enjoying the peace of mind of an inherently safe and secure modern architecture which will keep your practice up and running even in the most extreme of the situations – when others won’t.
Stay safe!

Leave a Reply

Your email address will not be published. Required fields are marked *