As cybercriminals exploit the chaos created by COVID-19, a cybersecurity expert provides guidance on how to protect your practice as you and your staff work from home

Cybercriminals don’t back off when a crisis hits. They thrive amidst chaos and weakness. And right now, orthodontic practices are facing just that. Chaos as they try to sort out how to provide continuity of care to patients in treatment, but also extreme financial weakness as their practices are forced to close to help stem the spread of COVID-19. According to Gary Salman, CEO of Black Talon Security, now more than ever, cybercriminals are going to ramp up their attacks on vulnerable businesses, including orthodontic practices. And orthodontists and staff cannot let their guard down.

Orthodontic Products spoke to Salman, whose company received an exclusive endorsement from the American Association of Orthodontists last fall, naming it a “trusted resource” for members facing cybersecurity threats, to ask him how cybercriminals are exploiting COVID-19 and how orthodontists and staff can avoid becoming victims. What’s more, we talk about the precautions practices should take to protect their data if employees are working from home and what measures they should take now to ensure they are protected when their doors can reopen.

OP: What types of cyberattacks are you seeing that exploit COVID-19 and what can orthodontists and their staff do to protect themselves?

Salman: There are a couple of things going on right now. In terms of phishing scams, there’s what’s called FearWare. It’s what it sounds like. It’s using a situation like COVID-19 to solicit a click on an image or a click on a website link with the intention of either injecting some type of malicious code into the computer with that click or soliciting credentials, meaning username and passwords to something like a Gmail or Outlook account. There have also been a couple of phishing scams related to what looked like emails coming from the World Health Organization where they’re telling you: Here’s a new compliance document on COVID-19—click here. It looks legit. The web address if they spoof it might look legit. But when people click on it, typically, what happens is a virus downloads.

Right now, there are two specific viruses being utilized: EMOTET and TRICKBOT. If either of these viruses ends up on your system, they’re typically engineered to steal usernames and passwords to applications and websites and send them back to the hackers. Both those viruses are very difficult to detect and can literally sit on your network indefinitely and constantly steal usernames and passwords. The other problem, which tends to be a bigger problem, is they will steal the username and password to your email account. The hacker will then be able to log in as you. One of the ways to defeat this is through multi-factor authentication [MFA] where the website or email client sends you a text message on your phone that you then acknowledge—yes, that’s me logging in—and you can authenticate.

Another element of this is ransomware. You get one of these coronavirus phishing scams and click on that link or open that attachment, and you fall victim. I think that’s going to be the next wave of these attacks.

The other thing we’re seeing—and we literally received an alert from the FBI a couple of hours ago—is fake emails around PPE [personal protective equipment]. So many doctors are going crazy right now trying to find N95 masks, or gowns, gloves, and face shields. All of a sudden, you get an email that looks like it’s from a legit source, and in your panic to survive as a business, you click on the link. The result: You download some type of malicious code into your system. Practitioners need to be really smart about this and not be reactionary. If it looks like it’s from a legit source, instead of clicking on the link, you can open up your browser and go to the company’s official website and see if they actually have that product available for sale. Another technique that is very effective is link hovering. Basically, take your mouse, place the mouse pointer over the link or the image, wait a couple of seconds—typically 1 to 2 seconds—and then, typically in the bottom left-hand corner of your screen, it’s going to show you the real URL or web address. If it returns to a real company, then ok, maybe this is a legit email.

Keep in mind: This type of attack could also be an email that comes from a friend, a colleague, or maybe it looks like it came from a state health organization or even the government. But maybe it’s a made-up web address, or someone bought a domain name that looks like your state or federal organization.

The other part of FearWare that is pretty prevalent right now is fake heat maps—those maps we see online or on TV with the little red dots that show where the infections are. People wonder how many people in my state are infected now. Someone will send them a link and it takes them to a malicious website infected with malware. We recommend that they use cdc.gov [Centers for Disease Control and Prevention] or hhs.gov [U.S. Department of Health and Human Services] for the most up-to-date information and navigate directly to those websites.

OP: Many practices, where possible, are having staff work from home. What are the risks of working remotely?

Salman: Remote access is another huge problem. In the rush to allow team members to work remotely, a lot of IT companies are flipping on remote access for practices, and with this comes risk. When you open up a door for someone from the outside to easily gain access, and if that access is not configured properly, you can give away the keys to the kingdom. We really recommend that an orthodontist does not allow the use of remote desktop protocol. That’s a specific technology. We do recommend they use remote control software instead, and they should talk to their IT vendor to see what they recommend for remote control. But what I really want to say is: You need to buy the business version of these types of products—not the free version. They need to be able to activate multi-factor authentication, and the free versions typically do not offer MFA. If a cybercriminal grabs their username and password, and MFA is not enabled, they can then log into a workstation at the office and have full control. That’s a huge problem. But if the MFA is activated and someone logs in, it’s going to send the account holder a text message alert that someone is trying to log in.

Another recommendation: Practices should be using strong passwords on their host computers; that’s the PC sitting at the office. And that host computer should be set to timeout and auto lock after a maximum of 15 minutes, but they might want to lower that to 5 to 10 minutes, so that if no one has touched that computer remotely in 5 to 10 minutes, it will auto lock itself.

OP: What are the vulnerabilities if staff are using personal computers to log into the practice’s network?

Salman: If you’re working from home you have to consider HIPAA compliance. If you step away from your desk, make sure you lock your computer. Technically, you can’t have someone else in your home walking by; or what if you’re logged into the software and your child comes and starts hitting random keys. So, lock your computer.

OP: Offices often uses VPNs, or virtual personal networks, to give staff access to the network. What should orthodontic practices do to make sure their VPN is secure?

Salman: People don’t secure their home computers like an office does. So if the practice has a VPN setup, that home computer needs to have the same antivirus software that the office has. Staff members logging onto the VPN should also be using Windows 10 or higher or a Mac. If a personal computer has some type of malicious code on it and it connects to the office network via a VPN, there’s a very high likelihood that malicious code will move from the home computer into the office network.

Practices also need to talk to their IT vendor to make sure their VPN is up to date. In January, the National Security Agency came out with a warning that a majority of VPNs can be compromised. A lot of companies updated and patched their VPN software then. But if a practice has VPN technology and has never turned it on before now, there’s a good chance the VPN software has not been updated. Hackers will see this and easily compromise the VPN.

OP: Are there precautions practices should be taking as they look to reopening their doors?

Salman: If practices turned off computers while they were closed, there is a huge concern that they are not going to get all the security updates that Microsoft pushes out. Almost every week, Microsoft releases security patches for Windows. If you shut your office down for 4 weeks, you’re going to need to start downloading 4 weeks of security updates when you turn it on. And what if millions and millions of computers all get turned back on at the same time, there is a possibility that there are going to be major bandwidth issues. That could mean you can’t run your practice software while these updates are applying to your computer, or you expose your computer to a tremendous amount of vulnerabilities. So, I advise practices to leave their computers on to keep the updates flowing. OP