Insights into the IT Infrastructure of Dental Clinics Around the Nation's Capital
Small businesses can cut costs and yet improve their cybersecurity posture. In fact, one enables the other.
CASE STUDY
WorkingVet
5/4/2026 · 3 min read
A dental practice tapped WorkingVet to evaluate its cybersecurity posture. WorkingVet was able to cut needless complexity and ownership costs for the customer while strengthening their security.
Background
Medical and dental clinics handle sensitive patient data: demographics, bank information, health information, and even employment information.
WorkingVet is an SBA-certified Service-Disabled Veteran Owned Small Business (SDVOSB). Our President, a dentist and a veteran, is dedicated to the nation’s security and to helping other small businesses, with a specific focus on small clinics. To that end, WorkingVet strives to address gaps in our nation’s cybersecurity posture by partnering with small businesses, which are often softer targets for cyberattacks. Our principals have inculcated a culture of customer advocacy and customer enablement. We therefore endeavor to make customers self-reliant in routine tasks through education and training, while enhancing their security.
Common Challenges Based on the Business Domain and Location
National Interest: WorkingVet is keenly aware that healthcare centers and clinics near sensitive national installations face heightened cybersecurity threats due to local demographics.
Softer Targets: Smaller clinics with fewer resources present softer targets for actors sponsored by nation-states than hardened military infrastructure and well-funded hospital chains.
IoT and Medical Device Vulnerability: Dental practices depend heavily on intraoral and panoramic x-ray devices, CT scanners, intraoral scanners, 3D printers, milling tools, and ovens for curing polymers. Many of these tend to be minimal devices with little to no endpoint security.
Compliance Burdens: HIPAA compliance requires healthcare entities to safeguard patient data through physical, administrative, and cybersecurity safeguards.
Business-Specific Challenges
Cost: The practice had previously used a subscription-based model for IT infrastructure support. This entailed higher costs than a targeted outcome-based model.
Communications: A lack of regular reporting from the legacy service provider led to a perception that IT support had become a black box. The principals in the dental practice needed a thorough assessment of their infrastructure and cybersecurity explained in layman's terms to help them evaluate their cybersecurity situation.
Hours of Operation: All work in clinical settings must be conducted off-hours to reduce impact on the operations and to respect patient privacy.
The WorkingVet Approach
The “5-Eyes” Review: WorkingVet brings a diversity of perspectives by deploying not only cybersecurity engineers and tools but also software developers and solutions architects who bring knowledge of the underlying APIs and understand the role of each software component in the overall IT ecosystem.
Agile Deliverables: WorkingVet engineers develop the reports in close coordination with the customer, so that the customer can see the artifacts and actions as they evolve from raw data, to a list of prioritized recommendations, to actual execution.
On-Site Visits During Holidays and Off-Hours: WorkingVet engineers review the infrastructure during on-site visits and over online work sessions with management and staff.
State-of-the-Art Tools: WorkingVet deploys multiple tools, both industry-standard and proprietary, to ensure that every aspect gets multiple layers of coverage.
Continuous Engagement: Lessons learned from each engagement are communicated back to all our past and present clients with similar needs. Thus, the benefits to our customers are long-term and persist past our engagement.
Results
WorkingVet’s diversely talented team ensured a robust 360-degree review that produced a comprehensive list of recommendations, not just for cybersecurity issues, but also to eliminate obsolete components:
The database instance and the domain controllers had become irrelevant because the practice had switched from an on-premise client–server tool to a cloud-based SaaS tool for practice management.
On-prem virtual machines running on bare-metal hypervisors had long been forgotten and had evolved into dormant threats on the office network because they were running discontinued OS and software.
In the process of reducing complexity and attack surface, we also eliminated needless hardware, licensing, and maintenance costs. The hardware was freed up to be repurposed.
We addressed vulnerabilities embedded in “internet-enabled” devices, for example, physical security devices, sensors/controllers used in ornamental fish tanks, and Wi-Fi-enabled bulbs.
We identified weaknesses in DNS entries introduced by mass email services that are used for appointment reminders and marketing. These entries can enable email spoofing that appears to come from official accounts on the customer’s domain.
WorkingVet trained staff in routine maintenance and in detecting social engineering, email spoofing, and phishing attacks.
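One way to check a domain for the kind of DNS weakness described above for mass email services, as an added example that is not WorkingVet's tooling. It assumes the entries in question are SPF and DMARC TXT records (the page does not name the record types); every domain and record shown is constructed.

```python
import re

# Terms that each cost one DNS lookup; SPF allows at most 10 (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records):
    """Return findings for the TXT records published at a domain's apex."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror"]
    findings, lookups, all_term, redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        lookups += name in LOOKUP_TERMS  # top level only; nested includes add more
        if name == "all":
            all_term = term.lower()
        redirect = redirect or name == "redirect"
    if all_term in ("all", "+all"):
        findings.append("'+all' lets any host pass SPF")
    elif all_term == "?all" or (all_term is None and not redirect):
        findings.append("unlisted senders get 'neutral', not a fail")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

def audit_dmarc(record):
    """record: the TXT value at _dmarc.<domain>, or None when absent."""
    if not record or not record.lower().replace(" ", "").startswith("v=dmarc1"):
        return ["no DMARC record: receivers apply no domain policy"]
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts if k.strip()}
    if tags.get("p", "none") == "none":
        return ["p=none: receivers are asked to take no action on failing mail"]
    return []

# Constructed records: each mail service added an include, and the record
# ends in a neutral "?all", so senders on no list are still not failed.
SAMPLE_TXT = [
    "site-verification=constructed-token",
    "v=spf1 include:spf.reminders.example include:spf.newsletter.example a mx ?all",
]
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:reports@clinic.example"
# Constructed corrected form: only the service still in use, hard fail, reject.
HARDENED_TXT = ["v=spf1 include:spf.reminders.example -all"]
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:reports@clinic.example"

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT) + audit_dmarc(SAMPLE_DMARC))
    print(audit_spf(HARDENED_TXT) + audit_dmarc(HARDENED_DMARC))
```

The functions take record strings rather than querying DNS, so they can be run against the output of any lookup tool for a domain you administer.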
Key Takeaways
Over multiple engagements with general dentists, orthodontists, endodontists, and oral surgeons, we have noted recurring patterns of problems and identified their solutions.
A targeted engagement with specific deliverables leads to better outcomes for the customer than a subscription-based model for routine patching that is better handled by trained staff.
Managed Security Service Providers should encourage and educate customers to take charge of routine tasks and be self-sufficient while eliminating the need for an “agent” to own their relationships with endpoint security, office tools, etc. An informed customer with strong ownership of their data is a safer customer.
Small businesses can cut costs and still improve their cybersecurity posture. In fact, one enables the other.
