Patient care is more complex and involves more digital integration than ever before, and experts expect that integration to keep growing in scale and complexity with each passing year.
In dentistry, over a ten-year period, I have seen the sweeping adoption of intraoral cameras, cone beam CT, patient engagement tools such as text confirmations and digital forms, tablets for medical histories and consents, 3D printing, digital intraoral scanning, financial and treatment metric platforms that pull database information multiple times a day, and the list goes on.
Why is this important?
Each time we introduce a new technology to the practice, we potentially introduce an additional attack surface. How so? Consider a patient engagement platform. You pick a platform and receive your onboarding call, during which your EMR integration is installed and you choose your features and options. Typically you then set up a login for an online portal to control the new integration: a username and a password. Statistically speaking, the username is probably the same one you chose for ten other logins used at the practice, and, dare I say it, the same goes for the password. Concerning? It should be, considering that the newly installed integration has direct access to your EMR database, and any threat actor worth their salt will be able to leverage that access in a myriad of ways. One of the most common breaches we see with these integrations is a threat actor using the platform's patient communication mechanism to send phishing messages to patients while posing as the doctor or staff. These messages ask for information or even payment, and because they appear to originate from a trusted provider, the scam is often successful.
All of that trouble because we wanted to be able to more efficiently confirm appointments.
Does this mean we should not use integrations? No, of course not. It means we need to understand how they operate, be comfortable with the interoperability of the platforms, and be assured of each vendor's security practices. We need to follow best practices when creating our logins (unique credentials for every system) and use multi-factor authentication wherever it is offered.
In short, we need to treat our technology decisions with the same diligence and care as our clinical decisions.
Harden the target, stay vigilant!
Reflections on the article tagged below.