You and your patients probably started Friday, October 21 the same way you do most weekdays. I know I did. I opened my phone to the Starbucks app to place a mobile order. Except I couldn’t: when I clicked my order, nothing happened, and the Starbucks app returned an error.

So I tried it again — same response. A little bewildered, I shrugged it off as a problem with my iPhone. I walked into Starbucks, placed my order, and happily went on my way with my drink.

When I got home, I was going to check an Amazon.com order, only to realize I couldn’t get into Amazon.com because the website was down. Well, that can’t be right. Amazon can’t be down — the world stops if Amazon goes down!

What on earth is going on? Turns out, there was nothing wrong with my iPhone, there was nothing wrong with my Starbucks app, there was nothing wrong with Amazon (hallelujah) – there was something wrong with the Internet.

Within hours, you, your staff, your patients, and seemingly the entire U.S. noticed many websites were down: Amazon, Netflix, Twitter, Reddit, Spotify, Starbucks, etc. They were simply not available.

What happened?

Turns out there was a large-scale, widespread Distributed Denial of Service (DDoS) attack. Essentially, this is when servers are flooded with millions of fake requests for information, so many that they are unable to respond to the legitimate requests. They simply lock up and crash under the weight of this attack. Amazon was a victim, and so were Starbucks, Spotify, Reddit, and about 150 other major sites that were down anywhere from minutes to hours.

Other than the fact that it was a minor inconvenience for you and your patients, why should you care? We don’t know who did it, but what is more interesting is how it happened.

Do you have so-called connected devices in your office or home? Not computers per se, but cameras, routers, DVRs, and the like. Maybe you can control the office thermostat through your smartphone.

Previously, in attacks such as this one, we’ve often found that the origin of the attack is a group of computers that have been taken over by a virus or malware that spits out these fake requests. That is not what happened here.

This was an army of DVRs, routers, cameras, thermostats, and other unrelated gadgets: benign objects on their own, but together, on this occasion, these seemingly unconnected devices brought down websites over a large portion of the U.S.

All of this was accomplished with a small piece of software that was released on the dark internet. It allowed a hacker to distribute the malicious software to all of these little devices of yours, and you had no idea. Why would you? The hardware still worked as it should: your DVR still showed the latest episode of The Walking Dead or NCIS, my heater still turned on, and the security cameras still functioned as they should. No one would know the difference.

So did all of these devices suddenly turn on us, like a scene from I, Robot? Not quite. Many times, these situations start with a phishing email. You get an email that looks like it is from your bank or another prominent institution asking you to reset your password. However, it’s not really from them. Instead, when you click on it, it downloads code to your computer.

In today’s Internet of Things, that code now not only goes to your computer but also to every other device that is on the same network as your computer. As you can see, this amazing interconnectivity we now have has both pros and cons.

We are in an era where everything is connected. Cameras, thermostats, DVRs, and even your refrigerator can now be connected. It’s a wonderful convenience and an amazing time to be living in. However, we need to be aware of the risks as well, particularly in businesses with sensitive information like dental practices.

You are sitting on a treasure trove of protected health information (PHI) that is covered by HIPAA. So we must be wise about how we embrace the Internet of Things in this environment. Let’s talk about some practical steps.

Key Thoughts

Is the juice worth the squeeze?

Do you really need a toaster in your practice that will send you a text message when your toast is done? When you look at smart thermostats and such, some of these technologies are valuable and helpful. Sometimes they are useless features that aren’t going to make things better. So, if the juice isn’t worth the squeeze, don’t bother.

If it is worth the risk, how do we limit that risk?

We isolate it. Your thermostat, wireless cameras, and any other smart device should be on the guest network, not your main practice network. This portion of the practice network should be fully segmented from your internal wireless. These devices should never be on the same network as servers or workstations. A safe rule is that if it doesn’t need to be on your internal Wi-Fi, put it on the guest Wi-Fi. Your security cameras, thermostat, Apple TV, and everything else will function exactly the same.

Special considerations for the practice

It is important to note that in dental practices we have certain devices that should be and remain on the internal network: CEREC, Wi-Fi, intraoral cameras, etc. These devices directly relate to the daily needs of the practice and should be protected by the firewall and the other security technologies in place. There is a big difference between a smart thermostat or DVR and your intraoral cameras and CERECs.
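One way to check an office device inventory against the placement rules above, as an added example that is not from the original article. The subnets, device names and category labels are assumptions made up for illustration.

```python
import ipaddress

# Assumed address plan (constructed; the article names no subnets).
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/24")   # servers, workstations, clinical
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")   # segmented guest Wi-Fi

# Placement policy taken from the article: convenience gadgets go on guest,
# practice-critical devices stay behind the firewall on the internal network.
GUEST_ONLY = {"thermostat", "camera", "dvr", "streaming"}
INTERNAL_ONLY = {"server", "workstation", "cerec", "intraoral_camera"}

# Constructed sample inventory: (name, category, IP address).
INVENTORY = [
    ("front-desk-pc", "workstation", "10.10.0.21"),
    ("imaging-server", "server", "10.10.0.5"),
    ("cerec-op2", "cerec", "10.10.0.40"),
    ("lobby-thermostat", "thermostat", "10.10.0.77"),
    ("parking-cam", "camera", "192.168.50.12"),
    ("waiting-room-tv", "streaming", "192.168.50.30"),
    ("op1-intraoral", "intraoral_camera", "192.168.50.44"),
    ("break-room-dvr", "dvr", "172.16.3.9"),
]

def segment_of(ip):
    """Return which known segment an address belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL_NET:
        return "internal"
    if addr in GUEST_NET:
        return "guest"
    return "unknown"

def audit(inventory):
    """List (name, ip, reason) for every device that breaks the policy."""
    findings = []
    for name, category, ip in inventory:
        if category in GUEST_ONLY:
            expected = "guest"
        elif category in INTERNAL_ONLY:
            expected = "internal"
        else:
            findings.append((name, ip, f"uncategorised device type '{category}'"))
            continue
        actual = segment_of(ip)
        if actual != expected:
            findings.append((name, ip, f"{category} on {actual} network, expected {expected}"))
    return findings

if __name__ == "__main__":
    for name, ip, reason in audit(INVENTORY):
        print(f"{name:18} {ip:15} {reason}")
```

Devices that fall outside both known segments or have no category are reported rather than silently passed, since an unplaced device is exactly the kind that goes unnoticed.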

These are some steps that will go a long way towards making sure we are smart in a world of the Internet of Things. A connected world is wonderful, but it demands that we be smart about it. As in all technology decisions, especially those dealing with security, be sure to consult your IT management company. They are there to support and be a resource for you! An extra call to them, as well as the time and money spent on reducing your risk, is much better than a call from the Office for Civil Rights.

Bryan Currier is the President of Advantage Technologies, an IT company and leading source of technology integration solutions for the dental community. More information can be found at www.adv-tech.com