Disaster Recovery Plan: How Patient Data Can Be Compromised [Part 1]

Patient data is very valuable and must be protected. Although there are safety and compliance rules in place to protect patient data, an unexpected turn of events, such as a natural disaster or major cyber-attack, can paralyze any infrastructure. Data breaches can result in the loss of not only clinical patient data but also credit card numbers, social security numbers, email addresses and other personal identification. It’s hard to expect the unexpected, but a disaster recovery plan is a great way for dental offices and organizations to minimize damage. In this three-part blog series, we will discuss common ways data can be compromised, the severity of data breaches and how to create a HIPPA compliant disaster recovery plan.

A disaster recovery plan is critical for protecting any dental practice or organization. According to a study by the Ponemon Institute, unplanned downtime at a healthcare organization can cost an average of $7,900 a minute per incident.[i] The best way to arm yourself with a disaster recovery plan is to first understand how data can be compromised. Then, the necessary steps can be taken to facilitate an effective data loss prevention plan.

Cyber Attack

In 2018, the healthcare sector saw 15 million patient records compromised in 503 breaches—three times the amount seen in 2017.[ii] The value of personal health information is becoming more enticing to hackers. Hackers tend to target healthcare organizations because of the high rewards on the black market and from ransoms. Unfortunately, cyber attacks happen every day. Common types of cyber attacks can include: 

  • Malware – malicious software including spyware, ransomware, viruses and worms.

  • Phishing – fraudulent communications that appear from a reputable source, usually through email

  • Man-in-the middle attack – attacks that occur during a two-party transaction i.e., using unsecured public Wi-Fi

  • SQL injection – a structured query language injection (SQL) occurs when a malicious code enters a server and forces it to reveal sensitive information

  • Zero-day exploit – occurs when attackers target a disclosed network vulnerability before a patch or solution is implemented[iii]

Once a malicious entity infects a computer, it becomes what is known as a bot. An attacker can then gather other computers to take down a server or perform other attacks without the owner’s knowledge. For this reason, it is important – now more than ever – for offices to expand their digital footprint and ensure they are protected from cyber crimes.

Insider Threat

Although many cyber attacks are external in origin, insider threats can be just as dangerous and crippling to any office or organization. Insider threats can be caused by the negligence of personnel or employees with malicious intent. Negligence can include phishing, theft or any carelessness by a contractor or employee who disregards proper security protocol. Insiders who willfully steal, damage or expose internal data are considered acting with malicious intent. Insider threats pose a direct security concern as they can create data breaches and leaks.

It can be hard for administrators to distinguish harmful actions from regular work. For this reason, insider threats can go undetected for days or weeks. It’s also important to understand that insider threats do not only include employees who physically report to an office; any remote users, contractors, third parties or terminated employees can be considered as insider threats. It’s in every organization’s best interest to not underestimate the importance and impact of these attacks. Controlled user access and user education are minimal steps that can be taken for upholding security standards. Sensitive data must be stored, secured and protected by all authorized users to prevent not only external but internal attacks as well.

Power Outages and Surges

Power outages and surges can result from a variety of reasons including storms, fallen trees, vehicle collisions or electrical malfunctions. The effects of downtime from a power outage can be devastating. Power outages have a direct effect on providing patient care and housing electronic patient records. Without proper backups and preventive methods in place, record-keeping medical equipment can crash or lose data completely. Power surges can happen anywhere, even in areas that aren’t prone to dangerous weather conditions.

No one can truly be immune to server issues during power surges. A CS OrthoTrac user, Dr. Randall Ogata of University Orthodontics, was once a victim of a server malfunction. After a powerful storm came through the Seattle area, his practice was left without power for an entire week.  “On Monday morning, my team informed me that our server was down. At first, I attributed it to the weekend’s storm—but they were insistent that immediate action was needed, as the server wouldn’t boot up at all,” recalls Dr. Ogata. “So, we were T-minus 5 minutes to patients, facing the dreaded ‘blue screen of death,’ and with no access to our database. That’s when the panic struck, and I contacted my sales representative for information about OrthoTrac Cloud’s ‘emergency’ conversion process. Although we were already planning to upgrade to the Cloud in the future, fate intervened, and it had now become priority #1 for Q4.” Luckily, Dr. Ogata was able to recover all patient data and dodged a potentially devastating event.

Natural Disaster

A natural disaster is another common catastrophe that could result in the loss of patient data. Earthquakes, forest fires, floods, hurricanes and winter storms are all possible natural disasters that could cause major adverse events. Natural disasters can cause extended power outages and extreme server malfunctions. Patients can become displaced, and offices could be unreachable for weeks. Some software programs may have backup options, but an untested backup can be very risky. Natural disasters involving water can be extremely detrimental even if the disaster didn’t necessarily involve flooding. Humidity and moisture in the air can tamper with computers and data drives. A weather crisis can cause a list of problems for a dental office, but that doesn’t mean your data has to be compromised.

>>> Check back soon for part two of this blog series: Disaster Recovery Plan – The Severity of Data Breaches

[i] Disaster recover planning is critical in healthcare. Flexential. Retrieved from https://www.flexential.com/knowledge-center/blog/disaster-recovery-planning-critical-healthcare Last accessed Sep. 19

[ii] Caban K. Breached patient records tripled in 2018 vs 2017 as health data security challenges worsen. Cision PR Newswire. Retrieved from https://www.prnewswire.com/news-releases/breached-patient-records-tripled-in-2018-vs-2017-as-health-data-security-challenges-worsen-300793374.html. Last accessed Sep. 19

[iii] What are the most common cyber attacks. Cisco. Retrieved from https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html Last Accessed Oct 19

Carestream Dental Blog Administrator Contributor