How much should you spend on IT vs Cybersecurity?
Yes, they are different. Cybersecurity is a specialty. The certification requires a minimum of 5 years of experience (the gold standard is CISSP and/or CISM). Dentists are familiar with this distinction because in dentistry there are general dentists who take care of mainstream oral health, and specialists who handle tough extractions and tricky root canals.
Information Technology (IT) refers to the use of technology to manage, process, and store information, whereas cybersecurity refers to the protection of that information from unauthorized access or attack.
IT includes the hardware, software, and networks that are used to process and store information, while cybersecurity focuses on securing these systems and preventing data breaches, hacking, and other security incidents. It is a distinct specialty.
A common cyber-threat these days is ransomware. Ransomware locks up data and demands a ransom, which has become a huge challenge for dental practices. Data from Alexio Corporation, who perform security risk assessments for dental practices, shows that over 90% of offices don’t have all of the security controls they need in place, proper backup and disaster recovery plans, or employee cybersecurity awareness training.
While most offices have IT, many do not have certified skilled cybersecurity experts on their teams due to budget constraints and an overall shortage of cybersecurity professionals globally. This is why Cybersecurity-as-a-Service has become popular, which we will discuss further on.
“Much like a general dentist takes care of mainstream patient care, and the endodontist specializes in the tougher root canals, cybersecurity is the infected 4 curved roots molar.”
Anne Genge – Certified Privacy & Cybersecurity Professional
Can’t IT just handle cybersecurity?
The difference between IT and cybersecurity matters because it highlights the importance of both technical infrastructure and security measures in protecting sensitive information. Much like a general dentist takes care of mainstream patient care, and the endodontist specializes in the tougher root canals, cybersecurity is the infected molar with four curved roots.
While IT may be able to provide some of the tools required for data protection, the cybersecurity assessment, plan, and training are best left to the experts. IT and cybersecurity then work together to ensure your practice runs smoothly and is continually protected.
What do Canadian small businesses spend on cybersecurity?
Here’s what Canadian businesses spend to prevent and detect cyber incidents, according to Statistics Canada (StatCan): https://www150.statcan.gc.ca/n1/daily-quotidien/221018/t001b-eng.htm#shr-pg0
Fig.1
Have you considered your IT and cybersecurity budget?
For our purposes, we will agree that a dental practice is the size of a small business. As you can see, there’s the cost to prevent (far right, $16,000) and then a higher cost ($35,000) when the business has had to incur costs to deal with a cyber incident (not necessarily a breach). A cyber incident is any event that affects or potentially affects the confidentiality, integrity, or availability of information stored on a computer or network. This can include anything from a simple unauthorized access attempt to a complex coordinated cyber-attack.
Cost to respond to cyber incidents vs breaches
On the other hand, a cyber breach is a type of cyber incident where an attacker successfully gains unauthorized access to sensitive information, such as passwords, personal information, or confidential patient and practice data. With a breach, the attacker successfully overcomes the defenses put in place to protect the information, and the confidentiality, integrity, or availability of the information is compromised.
The costs of not protecting your practice and suffering an actual breach are outlined in the CDA’s presentation “Cyber Risk in The Dental Office”, which pegs the cost of a PHI + credit card breach at a whopping $253.43 per record. https://oasisdiscussions.ca/2019/02/25/cyber-security-series-part-one-talking-cyber-safety-with-cdas-dean-smith/
For your reference, there’s a handy breach calculator using this data on the Alexio website if you want to see the potential loss according to your own practice’s number of records. https://getalexio.com/healthcare-data-breach-calculator/
Fig.2
Reliance on technology creates the need for partnership between IT and Cybersecurity Professionals
Dental practices, like any other business, rely heavily on technology to keep their operations running smoothly. With the increased use of electronic medical records (EMRs), appointment scheduling, and digital radiography, it’s essential that a dental office has a reliable IT provider to manage and maintain its computer systems.
However, an IT provider alone is proving not to be enough to keep a dental practice secure in today’s digital landscape. A dental office also needs the services of a cybersecurity specialist to protect sensitive patient information from hacking, ransomware, data theft, and viruses.
While the IT provider helps keep the office running smoothly by ensuring that the technology is working correctly and that employees can access the information they need to do their jobs, they are not necessarily equipped to deal with cybersecurity threats like hacking, malware, and data breaches.
These threats can compromise the security of patient information, putting the dental practice at risk of penalties under federal, provincial, and college regulations, and damaging its reputation.
Additionally, cyber insurance companies are demanding that protections, policies, and procedures be in place, both to obtain insurance coverage and to ensure a claim will be paid out.
Cybersecurity specialists work together with your IT to strengthen your security posture
Cybersecurity specialists are experts in identifying and mitigating cybersecurity risks. They use their knowledge of cyber threats and technologies to secure a dental office’s computer systems and protect sensitive patient information.
They perform professional risk assessments, create cyber strategy plans, and implement proper protections like firewalls, intrusion detection systems, and encryption to protect against unauthorized access to the practice’s networks.
They can also monitor the networks for suspicious activity and respond quickly to any security breaches. Additionally, cybersecurity specialists can provide staff training on how to avoid cybersecurity risks and maintain the security of the practice’s computer systems.
Solving human error
One of the biggest risks to a dental practice’s security is the human factor. Employee errors, such as using weak passwords, opening attachments from unknown sources, using unauthorized applications, surfing the web, and accessing social media, can all lead to data breaches.
A cybersecurity specialist can put security controls in place to prevent human error, and help the practice implement policies and procedures to reduce the risk of employee-related breaches, such as mandatory staff training on cyber hygiene and regular password changes. They can also perform regular security audits to identify and address any vulnerabilities in the team.
Compliance with laws and regulations
Another reason why a dental office needs a cybersecurity specialist is to stay compliant with regulations, such as federal and provincial privacy laws. These all require dental practices to protect patient information and maintain the confidentiality and availability of electronic health records.
A cybersecurity specialist can help the practice understand and comply with regulations and can assist with the creation of a security plan to ensure that the practice remains in compliance. They can also assist the practice in responding to data breaches, which can help minimize the risk of penalties under different legislation and regulations.
It’s important to note that the cost of cybersecurity can vary greatly depending on the provider. Dental practices should compare the services and prices of several providers before making a decision. A popular option is Cybersecurity-as-a-Service.
What is cybersecurity-as-a-service?
Cybersecurity-as-a-service (CaaS) is a model in which an organization outsources its cybersecurity functions to a third-party service provider. The provider offers a range of cybersecurity services, such as threat detection, firewall management, and data protection, over the internet. With CaaS, organizations can benefit from expert security resources and technologies without the need to build and maintain an in-house security team.
This model can be especially beneficial for small-to-medium sized businesses that do not have the resources to invest in an internal cybersecurity infrastructure. The service provider assumes responsibility for maintaining the security of the organization’s systems and data and offers flexible pricing and scalability options to meet the specific needs of the client.
The amount of money a dental practice should budget for cybersecurity depends on several factors, including the size of the practice, the complexity of its computer systems, and the type of services it requires. In general, a dental practice can expect to spend anywhere from a few thousand dollars to tens of thousands of dollars on cybersecurity, depending on its needs.
For an average dental practice, a budget of a few thousand dollars per year may be sufficient for basic cybersecurity services, such as antivirus software, firewalls, intrusion detection systems, 24/7 monitoring, disaster recovery planning, and regular system and application updates.
The practice should also budget for regular security assessments and staff training on cyber hygiene. As you may remember from Fig. 1, the average spend by small businesses is $16,000 per year.
Dental practices should regularly review their cybersecurity budget and adjust it as needed to ensure that they have the resources they need to protect sensitive patient information.
Together we can make the world safer online!
Her motto ‘no geek speak’, coupled with her humour and great story-telling, has made Anne one of Canada’s leading cybersecurity and privacy educators. Anne has dedicated her career to helping healthcare practice and small business owners understand technology, how to leverage it, and more importantly, how to do it safely. Over her 20+ years as an educator and tech innovator, she has earned global awards for her efforts. Anne keeps the client as her ‘true north’ in how she creates affordable and effective tools and training for privacy & data security. Anne is on a mission to help everyone understand online threats and be able to defend themselves at home and at work when using technology.
Reach out to Anne for speaking engagements, training, and consulting.