Insights into IT Infrastructure of Dental Clinics Around the Nation's Capital

Small businesses can cut costs and yet improve their cybersecurity posture. In fact, one enables the other.

CASE STUDY

WorkingVet

5/3/2026 · 3 min read

Dentist pointing to an x-ray on a screen.

A dental practice tapped WorkingVet to evaluate its cybersecurity posture. WorkingVet enabled the customer to remedy the issues while reducing costs and cutting needless complexity.

Background

Medical and dental clinics handle sensitive patient data: demographics, bank information, health information, and even employment information.

WorkingVet is an SBA-certified Service-Disabled Veteran Owned Small Business (SDVOSB). Our President, a dentist and a veteran, is dedicated to the nation’s security and to helping other small businesses in general, with a specific focus on small clinics. To that end, WorkingVet strives to address gaps in our nation’s cybersecurity posture by working with small businesses that tend to be softer targets for cyberattacks. Our principals have inculcated a culture of customer advocacy and customer enablement. We therefore strive, through education and training, to make the customer self-reliant for routine tasks and a hardened target.

Common Challenges Based on the Business Domain and Location

  • National Interest: WorkingVet is keenly aware that healthcare centers and clinics near sensitive installations of national importance face a particularly heightened cybersecurity threat because of the nature of the local demographics.

  • Softer Targets: Smaller clinics with fewer resources present softer targets for actors sponsored by nation-states than hardened military infrastructure and well-funded hospital chains.

  • IoT and Medical Device Vulnerability: Healthcare centers, and especially dental practices, depend heavily on intraoral and panoramic x-ray devices, CT scanners, intraoral scanners, and even 3D printers, ovens for curing polymers, etc. Many of these tend to be minimal devices with little to no endpoint security.

  • Compliance Burdens: HIPAA compliance requires healthcare entities to safeguard patient data through physical, administrative, and cybersecurity safeguards.

Business Specific Challenges

  • Cost: The practice had previously used a subscription-based model for IT infrastructure support. This entailed higher costs than a targeted outcome-based model.

  • Communications: A lack of regular reporting from the legacy service provider led to a perception that IT support had become a black box. The principals in the dental practice needed a thorough assessment of their infrastructure and cybersecurity explained in layman's terms to help them evaluate their cybersecurity situation.

  • Hours of Operation: All work in clinical settings must be conducted off hours to reduce the impact on the operations and to respect patient privacy.

The WorkingVet Approach

  • The 5-Eyes Approach: WorkingVet brings a diversity of perspectives by bringing in not just cybersecurity engineers and tools but also developers and solutions architects who understand the underpinning purpose of each component in the overall IT ecosystem of the enterprise.

  • Agile Deliverables: WorkingVet engineers develop the reports in full view of the customer, giving their management the ability to see the reports evolve from raw data to a prioritized list developed in communication with the customer.

  • On-Site Visits During Holidays and Off-Hours: WorkingVet engineers review the infrastructure during on-site visits and over online work sessions with management and staff.

  • State-of-the-art tools: WorkingVet deploys multiple tools, both industry standard and proprietary, to ensure that every aspect gets multiple layers of coverage.

  • Continuous Engagement: We maintain lessons learned that are then communicated back to all our past and present clients who have similar needs. The benefits to our customers are long-term and persist past our engagement.

Results

  • WorkingVet’s diversely talented team ensured a robust 360-degree review that produced a comprehensive list of recommendations, not just for cybersecurity issues, but also to eliminate obsolete components:

    • A database instance and primary/backup domain controllers had become irrelevant because the practice had switched from on-prem client–server tools to cloud-based SaaS tools for everything from practice management software to productivity tools.

    • On-prem virtual machines running on bare-metal hypervisors had long been forgotten and had evolved into dormant threats on the office network because they were running discontinued OS and software.

  • In the process of reducing complexity and attack surface, we also eliminated needless hardware, licensing, and maintenance costs. The hardware was free to be reharnessed for other purposes.

  • We addressed vulnerabilities embedded in “internet-enabled” devices such as garage door openers, sensors/controllers used in ornamental fish tanks, Wi-Fi-enabled bulbs, etc.

  • We identified weaknesses in DNS entries introduced by mass email services that are frequently used for appointment reminders and marketing. These entries can enable email spoofing that appears to come from official accounts on the customer’s domain.

  • WorkingVet trained staff to execute routine maintenance and to watch out for social engineering, email spoofing, and phishing attacks.
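
The DNS weakness noted in the results above, as an added example that is not WorkingVet's code or tooling. It assumes the entries in question are SPF and DMARC TXT records (the case study does not name the record types) and audits constructed records for a hypothetical domain, clinic.example, for settings that leave a domain open to spoofing.

```python
import re

# Terms that each cost one DNS lookup (RFC 7208 section 4.6.4). Only the
# top-level record is counted here; nested includes add more in practice.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records for a hypothetical domain (not data from the case study).
SAMPLE = {
    "clinic.example": ["v=spf1 include:_spf.reminders.example include:_spf.news.example ?all"],
    "_dmarc.clinic.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"],
}

def audit_spf(txt_records):
    """Return finding codes for the SPF records published at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF_MISSING"]
    if len(spf) > 1:  # two records (often one added per vendor) is a permerror
        return ["SPF_MULTIPLE_RECORDS"]
    findings, lookups, all_q, redirect = [], 0, None, False
    for term in spf[0].lower().split()[1:]:
        bare = term.lstrip("+-~?")
        name = re.split(r"[:/=]", bare, maxsplit=1)[0]
        lookups += name in LOOKUP_TERMS
        redirect = redirect or name == "redirect"
        if bare == "all":
            all_q = term[0] if term[0] in "+-~?" else "+"
    if lookups > 10:
        findings.append("SPF_TOO_MANY_LOOKUPS")  # evaluation ends in permerror
    if all_q == "+":
        findings.append("SPF_PASS_ALL")          # every sending host passes
    elif all_q == "?":
        findings.append("SPF_NEUTRAL_ALL")       # unlisted hosts are not failed
    elif all_q is None and not redirect:
        findings.append("SPF_NO_ALL")            # default result is neutral
    return findings

def audit_dmarc(txt_records):
    """Return finding codes for the DMARC record at _dmarc.<domain>."""
    rec = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not rec:
        return ["DMARC_MISSING"]
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (p.partition("=") for p in rec[0].split(";"))}
    if tags.get("p") == "none":
        return ["DMARC_POLICY_NONE"]             # monitor only, no action requested
    return [] if tags.get("p") in ("quarantine", "reject") else ["DMARC_POLICY_INVALID"]

def audit_domain(domain, records):
    """Combine SPF and DMARC findings for one domain from a name -> TXT list map."""
    return audit_spf(records.get(domain, [])) + audit_dmarc(records.get("_dmarc." + domain, []))
```

To run it against live data, build the `records` mapping from the TXT answers for the domain and its `_dmarc` name.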

Key Takeaways

  • Over multiple engagements with general dentists, orthodontists, endodontists, and oral surgeons, we have noted repeating patterns of problems, and we have identified common solutions.

  • A targeted engagement with specific deliverables leads to better outcomes for the customer than a subscription-based model for routine patching that leads to complacency and ignores emerging threats.

  • Managed Security Service Providers should encourage and educate customers to take charge of routine tasks and be self-sufficient while eliminating the need for an “agent” to own their relationships with endpoint security, office tools, etc. An informed customer with strong ownership of their data is a safer customer.

  • Small businesses can cut costs and yet improve their cybersecurity posture. In fact, one enables the other.