The recent ADA cyberattack could have ramifications for dental professionals if sensitive member data was compromised.
By Steven Martinez
When the American Dental Association fell victim to a cyberattack on April 22, the situation was extremely fluid.
Other than a few scattered press releases, notices on websites, and emails to members, what is confirmed about the attack is sparse. The ADA’s email, phones and other services were taken down.
The association was also taking measures to mitigate the damage and investigate with the help of law enforcement and third-party cybersecurity firms.
But there was still an open question about what the attack accomplished. Was sensitive data compromised and stolen? The ADA initially said that there was no indication that data had been breached.
Possible Data Breach
Then a report from Bleepingcomputer.com lent credence to the idea that data was, in fact, compromised and found that a group called Black Basta was taking credit for the attack.
When asked about the group, Gary Salman, cybersecurity expert and chief executive officer of the cybersecurity firm Black Talon Security, hadn’t heard of them before.
While he has no inside knowledge of the ADA cyberattack, Salman has dealt with many hacker groups when negotiating data ransoms for orthodontists and other private businesses, so he knows the criminal hacking landscape well.
“We’ve dealt with almost all the various ransomware gangs out there, and we have not come across them [Black Basta],” says Salman. “There doesn’t seem to be much information because they’re basically brand new.”
This leaves two possibilities: Black Basta is either completely new, or they are a derivative of an existing gang that went out of business and rebranded under a new name.
“Our experience has been that many of these ransomware gangs that go out of business, go out of business for a couple of months, and then come back under a new brand name for various reasons,” says Salman.
Hacking groups might disband to throw off law enforcement or because the technology they used was taken offline by government agencies. After laying low for a few months, they reappear under a new name and return online.
With information sparse and hidden on the Dark Web, it isn’t easy to know for sure what data, if any, has been compromised. But Black Basta quickly and publicly took credit for the ADA cyberattack, reportedly leaking 2.8 GB of data.
If the goal of the ADA hack was to ransom its data, it is somewhat outside the norm for them to publish a large amount so quickly.
“I do believe that this is a very quick release of the data,” says Salman. “Hacking groups that are more established typically won’t start leaking data until day 10 or day 14 if they feel that the victim is not going to pay them.”
Black Basta’s actions could be interpreted as a statement about their abilities as a group by publicly infiltrating a high-profile target like the ADA.
“My opinion is that they’re trying to make a name for themselves by hitting a very high-value target,” says Salman. “The ADA is obviously a massive organization representing 160,000 to 170,000 dentists nationwide. So, it’s a high-profile attack.”
Regardless of the hacking group’s intentions, the cyberattack has potentially exposed a lot of data that could be used for further harmful actions, particularly within the dental industry.
“If they do have the data, I think the ramifications for the dental industry are pretty significant,” says Salman. “Especially if they’ve compromised membership database systems.”
The compromised data could be used for identity theft or to launch further spear-phishing attacks on ADA members and affiliated parties. Spear phishing attacks are emails sent by hacker groups posing as legitimate emails from trusted sources.
A spear-phishing email would include a link or attachment that could either harvest an unwitting person’s login credentials or attempt to compromise the company’s network. These attacks are nefarious because they involve social engineering and are harder to detect because they seemingly come from people you know.
“That’s the issue when this type of data is taken,” says Salman. They may sit on it for months to let people drop their guard, and all of a sudden, an email shows up, and they’re like, ‘Oh, I recognize this organization. They’re telling me I need to download a new compliance document. Let me click on this thing and see what they want, and then their systems get hit.’ That’s the risk.”
How to Avoid Becoming the Victim
Practice owners and staff must be on their guard, especially in the wake of an attack of this magnitude. Doctors need to make staff aware of the risks of malicious emails to protect their own data.
Even with up-to-date antivirus technology and hardened networks, the most effective way to prevent a ransomware attack is through awareness of the threat, says Salman.
Cybersecurity awareness training for medical practices is required by law through HIPAA, and it’s something that practitioners need to take seriously, says Salman. If staff is made aware of the threat and trained to recognize a malicious email, the danger is neutralized because the attack never happens.
“A human behind the keyboard that can look at an email and within a couple of seconds, say yep, this is a phishing email ‘Delete’,” says Salman.
Salman says it is crucial for practice staff to not only avoid scams but make everyone aware of when an attempt is made. The practice administrator should be notified so a system-wide email can be sent with an image of the phishing attempt and remind staff not to click on any links or attachments.
In the wake of the ADA cyberattack, the American Association of Orthodontists, another high-profile organization interested in keeping dental professionals’ data safe, emphasized its commitment to cybersecurity and urged its members to be proactive in shoring up defenses.
“The AAO remains steadfast in protecting our members’ personal and business information private. We are here as a resource to guide our members through the wide variety of complex issues that affect U.S. and Canadian small business owners. Cybercrime is an exceptionally complex topic to navigate,” said Ken Dillehay, DDS, MS, AAO president. “As an association, we must understand how to identify cybersecurity threats and how these can impact our members. The AAO encourages all orthodontic practices to take proactive steps to reduce their cybersecurity risk—because this threat is very real, and it grows more prevalent with each passing year. “
However the ADA cyberattack shakes out, events like this are a potent reminder of the kind of threat that practice owners face every day.
“This is no joke,” says Salman. “Practices need to really think about what they are and aren’t doing and understand the risk associated with what just happened here.”