Summary: Email systems in orthodontic practices are critical yet vulnerable assets, often targeted by cybercriminals to steal sensitive data, commit fraud, or disrupt operations. Understanding common threats like phishing and implementing robust security measures is essential for protecting both patient information and practice operations.

Key Takeaways:

  1. Email breaches, often initiated through phishing attacks or weak security practices, can result in significant financial and operational harm, including HIPAA violations.
  2. Threat actors exploit compromised email accounts to spread malware, steal credentials, and impersonate users in financial fraud schemes.
  3. Effective prevention measures include enabling multi-factor authentication, using strong passwords, conducting regular cybersecurity training, and partnering with a cybersecurity expert.

By Gary Salman, CEO

Email is a lifeline for orthodontic practices, connecting teams, patients, suppliers, consultants, and referral sources like oral surgeons, pediatric dentists, and GPs. Unfortunately, it’s also a major vulnerability that cybercriminals exploit to access sensitive data and cause operational chaos. Understanding how these breaches happen—and how to prevent them—is critical to protecting your practice.

It’s important to note that a breach of your email system could be considered a data breach under HIPAA. If your emails contain patient names and any type of treatment information, then that data is classified as electronic protected health information (ePHI). Think about the personal and patient information stored in your email system—and the ramifications if all that data were stolen in an email account takeover.

I’ve personally witnessed cases where orthodontists had their email accounts compromised, and threat actors used those accounts to execute financial fraud, such as unauthorized wire transfers. This type of attack, known as Business Email Compromise (BEC), has defrauded practices and doctors out of hundreds of thousands of dollars. Remember, many banking and financial institutions use email accounts for multi-factor authentication (MFA), making a compromised email account a direct pathway to your finances.

Even if you’re using cloud-based practice management software, you likely have a treasure trove of confidential data in your email. Let’s explore how to protect your email accounts from being taken over by a threat actor.

The risk of email breaches

Email breaches often start with a compromised account. For instance, imagine receiving an email from a trusted GP with a subject line like “New Patient Referral.” Because the email appears to come from someone you regularly communicate with, you open it, click a link, or download an attachment without a second thought.

Unbeknownst to you, the GP’s email account was breached—likely due to a phishing attack or weak password security. Once inside the GP’s account, the threat actor can impersonate the account owner and send malicious emails to their contacts, including you. Since the sender is “trusted,” you drop your guard and act.

Many of these attacks deploy a malicious payload that evades traditional defenses like firewalls and antivirus software. Once installed, this payload can harvest usernames, passwords, and security tokens from your computer.

A token is a code stored on your device after successfully logging into a website. It tells sites like Amazon, Gmail, or Microsoft 365, “This is Dr. Smith, who logged in yesterday, so don’t ask for credentials again.” If a threat actor steals this token, they can use it to access your accounts as if they were you.

How the attack works

Threat actors often include links in emails leading to fake login pages that mimic Microsoft Outlook or Gmail. When you enter your credentials, they are captured by the attacker, who can now access your email account.

With control of your account, they can:

  1. Send additional phishing emails to your contacts, spreading the attack.
  2. Monitor your communications to gather sensitive patient or business data.
  3. Redirect financial transactions by altering invoices or payment information.
  4. Trigger ransomware attacks by distributing malicious files.

Because these emails appear legitimate, many of your contacts won’t suspect foul play until it’s too late. Now your breach causes other breaches. This is not a good position to be in.

The rise of AI-generated spear phishing

AI has taken phishing attacks to a new level. Instead of generic emails with poor grammar, cybercriminals now deploy AI to craft highly convincing, personalized spear phishing emails. These messages may reference specific cases, recent conversations, or even local events to appear authentic.

For example:

Hi Dr. Smith, I need your help with a quick review of a treatment plan for a mutual patient, Sarah Jones. Can you please look at the attached PDF and let me know your thoughts?

The specificity makes these emails almost indistinguishable from legitimate ones. Once you open the attachment or click the link, your system is compromised.


How to protect your practice

  1. Enable Multi-Factor Authentication (MFA): MFA requires a second form of verification, like a text message code or authenticator app, to access email accounts. This adds a vital layer of protection.
  2. Use Strong, Unique Passwords: Encourage your team to use long, complex passwords and avoid reusing them across accounts. Leverage password managers like LastPass or 1Password.
  3. Train Your Team to Recognize Phishing: Regularly conduct cybersecurity training to teach employees how to spot red flags in emails. Training is required under HIPAA and is your best defense against social engineering attacks. Cybersecurity companies provide a platform for this training.
  4. Verify Before You Click: Always confirm unexpected emails via phone or another communication channel before clicking links or downloading attachments.
  5. Invest in Email Security Tools: Use filtering tools that block suspicious links and attachments. AI-based tools can proactively remove malicious emails before users interact with them.
  6. Use Domain-Specific Emails: Avoid free accounts like Gmail or AOL. Instead, invest in professional email addresses (eg, [email protected]) through Google Workspace or Microsoft 365.
  7. Secure Your Domain Email Accounts: Purchasing domain email isn’t enough. Engage a cybersecurity company to conduct a security assessment of Google Workspace or Microsoft 365 configurations.
  8. Partner with a Cybersecurity Expert: Regular monitoring, vulnerability assessments, and real-time threat intelligence can keep your email system secure.

Email is essential for running your orthodontic practice, but it’s also a major target for cyberattacks. By understanding how breaches occur—like through compromised accounts or AI-generated spear phishing—and implementing strong security measures, you can protect your practice, your patients, and your peace of mind. Don’t wait until a breach happens and costs you hundreds of thousands of dollars; take action today to secure your email systems.

Gary Salman is CEO and co-founder of Black Talon Security. A leader in the cybersecurity field, Gary has a 25+ year background in law enforcement and healthcare technology. His firm monitors and secures approximately 50K computers and networks worldwide and has trained tens of thousands of dental and other healthcare professionals.
