What Could a Ransomware Attack Cost Your DSO?


The real question isn’t “if” your DSO will experience a cyberattack, but “when.” Most healthcare entities are targeted with breach attempts every day. Just ask your IT resources how many intrusion attempts were successfully blocked yesterday – each one represents an intended cyberattack.

The focus should shift from the possibility of an attack to the probability of one succeeding, and then to evaluating the potential impact it could have on your DSO. This starts the process of assessing your current level of cyber resilience and developing a plan to strengthen it. Understanding the potential operational impact and attack-related expenses provides the data needed to establish the budget that strong cyber resilience requires.

Factors of Cyber Resilience

Cyber resilience is the ability to anticipate, withstand, recover from, and adapt to a cyberattack. A few of the factors that affect your level of cyber resilience include:

  1. Cybersecurity: Does the cybersecurity stack you have in place now meet your expectations of avoiding and mitigating the effects of a cyberattack on your DSO?
  2. Cybersecurity Insurance Coverage: Does your current level of cyber liability insurance provide adequate coverage for a systemic cyberattack on your DSO?
  3. IT Resource Capacity: Are your IT resources staffed and capable of adequately responding to a systemic worst-case scenario?

The answers to these questions and the strategic business decisions to reduce risk must be guided by data, not based on unverified trust. Let’s explore some operational impacts and attack-related costs a cyberattack could potentially have on your DSO.

The Potential Impact of a Cyberattack on Your Operations

Just as every network environment is unique, so is every cyberattack. The impact on your operations could range from minimal disruption to a complete operational shutdown for weeks. Even if your locations are not connected, what could happen if a threat actor gains control of your RMM tool? What if a corporate email account is hacked and used to launch a widespread attack on all your locations? While the severity of an attack can be mitigated with early detection and containment efforts, a fully systemic attack is always a possibility.

Gone are the days of simply ignoring a ransom demand and opting to install new workstations and restore them from a backup. Being unable to access your systems is bad enough, but the theft of protected health information (PHI) adds another layer of complexity and often requires notification to the impacted patients. If your data is in a cloud solution, a cybercriminal can steal PHI without accessing your database by simply downloading a report that includes PHI.

The duration of incident response can vary widely. The initial detection and containment can take days. An investigation and forensic analysis are required to identify the root cause and extent of the attack, which can take weeks to months to complete. Steps to repair and recover can only begin after the full scope of the incident is understood. The subsequent recovery phase often takes weeks to months as well. Planning for a worst-case scenario is the best approach when evaluating the risk potential.


The Immediate Costs

Some of the initial costs related to an incident response that you need to consider:

OVERHEAD COSTS: Even if your DSO is shut down, you are still expected to make payroll and pay bills. Make sure to identify the overhead that cannot be paused during an incident response.

LEGAL FEES: If your DSO has in-house counsel, you still may need to engage outside counsel especially if the incident response requires specialized legal expertise.

INCIDENT RESPONSE FIRM: Your cyber insurance carrier determines which IR firm you will work with to conduct the investigation.

RANSOM COSTS: Ransom amounts vary depending on several factors — how successful the attack was, the amount and value of the data stolen, whether you have data backups, etc.

HARDWARE REMEDIATION: Depending on the severity of the attack, some or all workstations may need to be repaired while others may need to be replaced.

BREACH NOTIFICATION: Depending on the size and scope of the attack, HIPAA obligations can involve notifying all patients of record, setting up a call center and offering identity theft protection.

PUBLIC RELATIONS: To mitigate the damage to your brand, you may consider hiring a crisis communications firm to help manage the impact on your reputation.

Black Talon has consulted with leading industry experts to create a Ransomware Attack Financial Impact Calculator, designed to estimate the initial costs of a cyber incident. After helping numerous DSOs understand the potential financial impact they could face, many have reassessed their cyber insurance coverage and evaluated the capacity of their IT resources to properly respond to an incident.

Ransomware Attack Potential Financial Impact Calculator


These calculations show the estimated impact of a ransomware event on a 5-location DSO with an annual revenue of $5.2M.

The Long-Term Costs

In addition to the immediate impact to your DSO, there are several longer-term expenses following a cyber incident that should be considered:

REGULATORY PENALTIES: Compromised PHI can lead to violations of both HIPAA and state-specific laws. If a breach occurs, your DSO may be subject to fines for non-compliance.

INCREASED CYBER INSURANCE: After a cyberattack, your DSO’s cyber insurance premiums are likely to increase and, in severe cases, renewal may be denied altogether. If your policy is renewed, you may be required to implement higher levels of cyber protection, and the carrier may restrict the level of coverage it will approve.

DAMAGE TO THE BRAND: It takes years of hard work to build a trusted brand, but it can be damaged in an instant with just one wrong click. The cost to rebuild a damaged brand and your reputation can be significant. Regaining patient trust can be long and challenging.

NEW PATIENTS LOST: How many new patients reach out each day to schedule their initial appointment? Have you considered the lifetime value of each new patient? DSOs often rely on various technologies to schedule and manage new patient appointments. What happens if the technologies your DSO relies on to schedule patients are shut down by a systemic attack? If your DSO struggles to schedule appointments, every missed opportunity to schedule a new patient isn’t just a loss of initial revenue; it also represents a significant loss of potential lifetime revenue from that patient. In addition, you may be at risk of losing some of your existing patients if they feel that you were negligent in protecting their personal information.

CLASS-ACTION LAWSUITS: Healthcare class-action lawsuits are becoming more common, especially when patient data is stolen. In the event of a class-action lawsuit, you would be required to engage a law firm seasoned in class-action litigation.

Making Your DSO More Cyber Resilient

Understanding the full financial and operational impact of a cyberattack is critical. This will enable your DSO to allocate the proper budget for preventative measures and develop the effective incident response plans necessary to maintain a high level of cyber resilience.

Estimating the potential costs of a cyberattack for your DSO involves several factors. Consulting with cybersecurity specialists who have the knowledge, credentials and expertise in incident response is crucial. At Black Talon, we’re here to help guide your DSO to continue to enhance its cyber resilience and better prepare for the unexpected.

Written by: Joseph Hood, Sr. Cyber Risk Specialist at Black Talon Security



🚨Recent notable healthcare cyber incidents:

A Great Expressions data breach settlement has been reached. The DSO experienced a data security incident from February 17-22, 2023 that exposed patient and employee data, including names, Social Security numbers, financial account info, treatment details and more for nearly 2 million people. Plaintiffs filed class action complaints against Great Expressions alleging negligence, breach of implied contract and other claims. Five related cases were consolidated into the Great Expressions Data Security Incident Litigation in the Eastern District of Michigan. After mediating, the parties agreed to a class action settlement to resolve all claims related to the data incident. A $2.7 million non-reversionary fund will be allocated to plaintiffs.


Hapy Bear Surgery Center (HBSC), a dental clinic in Tulare, California, recently reported a data incident that may have exposed some of its patients’ health information. On December 27, 2023, HBSC experienced a network disruption that affected the functionality and access of specific systems. It was later determined that unauthorized parties may have hacked its systems and accessed certain HBSC files. A forensic investigation revealed that files containing personal information such as full names, addresses, medical information, health insurance information, Social Security numbers and driver’s license numbers may have been accessed during the Hapy Bear Surgery Center data breach.


Recently spotted Trinity ransomware spurs federal warning to healthcare industry. At least one U.S. healthcare entity has fallen victim to a new ransomware strain called Trinity, according to a report from federal officials. The U.S. Department of Health and Human Services published an advisory early this month warning hospitals of the threat posed by the ransomware group, noting that its tactics and techniques make it “a significant threat” to the U.S. healthcare and public health sector.

At least seven victims of the Trinity ransomware have been identified so far and two are healthcare providers. One is based in the U.K. and the other is a U.S.-based gastroenterology services provider that had 330 GB of data stolen. The facility, which was not identified but is listed on Trinity’s leak site, currently has a banner on its website saying it is experiencing technical issues and has limited access to phone systems. Researchers have reported another incident involving a New Jersey-based dental group.


Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture visit www.blacktalonsecurity.com.



Have a cybersecurity question or concern that you would like addressed in future Dental Cyber Watch articles? Please email it to info@groupdentistrynow.com
