FBI warns of credible cybersecurity threat to dental practices
Current Threat Information from the FBI
On Tuesday, May 6, 2024, the FBI informed the ADA and the American Association of Oral and Maxillofacial Surgeons (AAOMS) of a credible cybersecurity threat to the practices of oral and maxillofacial surgeons. The FBI said that as of that date there were no known cyberattack victims, but the agency is working proactively to raise awareness to help prevent victimization. The FBI suspects the group behind the cyberattacks may be shifting tactics to oral and maxillofacial surgery practices after targeting plastic surgeons last year.
While this current threat is focused on oral and maxillofacial surgeons, the FBI is concerned that the practices of general dentists and other specialists could also eventually be targeted.
Cybercriminals often use social engineering scams — such as phishing (email), SMSishing (through text or instant messaging apps) and vishing (using phone calls and voicemail) — to gain access to sensitive personal data such as electronic protected health information. Spear phishing refers to a phishing email appearing to be from a trusted contact. For example, a threat actor may use phishing to impersonate a credentialing agency. Through these scams, threat actors try to convince people to reveal sensitive information, or to click on a link, open an attachment or visit a website that causes malware to be deployed. This malware can lead to ransomware, which blocks system and/or file access until money is paid.
The FBI provided an example in which the threat actor poses as a new patient or says they want to become a patient at the practice to obtain new patient forms online. Once the forms are received, the threat actor contacts the practice to report they are having trouble submitting them online and asks if they can scan the forms and email them instead. The threat actor then emails the “forms” as an attachment. When the attachment is opened, malware is deployed in a phishing scheme.
The FBI asks dental practices that experience any fraudulent or suspicious activity to report it to the FBI Internet Crime Complaint Center at ic3.gov.
Precautions Practices Can Take
The Cybersecurity & Infrastructure Security Agency (CISA) recommends four vital ways to protect your practice from cyberthreats:
- Teach your team to recognize and avoid phishing
- Require strong passwords
- Require multifactor authentication
- Update all business software
- A CISA.gov toolkit aids healthcare practices in building cybersecurity foundations and implementing more advanced, complex tools to stay secure and ahead of current threats.
- The U.S. Department of Health and Human Services’ Knowledge on Demand resource offers five free cybersecurity trainings that align with the top five threats named in HHS’ Health Industry Cybersecurity Practices. HHS also offers information on how the HIPAA security rule can help defend against cyberattacks.
- The Office of the National Coordinator for Health Information Technology’s Security Risk Assessment Tool, a resource designed to help medium and small providers conduct a security risk assessment as required by the Health Insurance Portability and Accountability Act.
- The U.S. Department of Health and Human Services Office of Information Security and Health Sector Cybersecurity Coordination Center’s “Artificial Intelligence, Cybersecurity and the Health Sector” guide shares how health care entities can help protect against AI-enhanced cyberthreats.
- Additional resources can be found at ADA.org/riskmanagement