Cyber Insurance for Dentists?


Are we de facto targets?

By D. Kellus Pruitt DDS

Have you purchased cyber insurance yet, Doc?

If you are a HIPAA covered entity, you’re going to need it.

Press release: “AIG among insurers seeking more sales as small firms get hacked” (no byline).

“Smaller companies [including dental offices] are learning that, as more data is shared online, they, too, can be targets for the kinds of attacks that larger firms endure. American International Group Inc. and Travelers Cos. are among insurers tailoring cybersecurity products to those customers.”

The Expert Speaks

Bob Parisi, network security and privacy practice leader at the insurance brokerage Marsh & McLennan, tells DelawareOnline that small and mid-size companies are “where we’re going to see some of the most aggressive growth in the next couple of years, because it’s been a part of the market that was ignored.”

The ad describes how a California-based online print shop was targeted last year by hackers who exposed clients’ names, addresses and credit-card numbers. After discovering the breach, business owner David Handmaker had to notify affected customers, just as dentists whose EDRs are hacked must. The Ponemon Institute predicts that 20% or more of the customers notified will instantly become former customers.

“We’re just much, much more aware of the fact that being a small company makes us more of a target,” Handmaker tells DelawareOnline. He adds that larger businesses have “more resources, and so I think their security practices are maybe a little more evolved.”


Small businesses such as print shops and dental practices have become de facto targets – and according to security experts, easy pickings. I’m not wrong. I’m early.



7 Responses

  1. No more lies

    Doc, we owe it to ourselves and clueless patients to demand honesty from those who recklessly promote electronic dental records for power and/or profit.

    The digital marketing company ClikCloud recently determined that nearly 60% of small businesses (including dental practices) fail within six months of being victimized by cybercrime. Apart from the danger of bankruptcy that unaccountable EDR stakeholders routinely ignore and even hide, aren’t dentists ethically obliged to demand transparency concerning products that can harm patients?

    “Most Small Businesses Don’t Recover From Cybercrime” by Fox Business, was posted on the Wall Street Journal on March 22, 2013.

    “A recent [ClikCloud] study cited by the subcommittee chairman, Rep. Chris Collins, (R-NY), found though more than three-quarters of small businesses believe their companies are safe from hackers, 20% of all cyberattacks hit small businesses with 250 or fewer employees.

    While major corporations like Facebook and many big banks seem to easily bounce back from their reported tech infiltrations, according to the same study, nearly 60% of small businesses will shutter within half a year after being victimized by cybercrime.”

    Haven’t we been lied to enough already, Doc?

    D. Kellus Pruitt DDS
    cc: American Dental Association via


  2. New Cyber Security Legislation?

    Ann Miller RN MHA


  3. I still have unanswered questions about EDRs

    When I began publicly questioning the safety and cost of electronic dental records seven years ago, the notoriously HIT-friendly 2005 RAND study (disowned even by RAND this year) was still fooling lawmakers as well as dental leaders, while offering GE and Cerner a tremendous return on investment in EHR sales.

    Soon, trusting dentists were obediently volunteering for permanent NPI numbers, even while being mistakenly told that a mandate requires dentists to purchase and use EDRs by 2014, whether we want them or not.

    After years of witnessing the best in deceptive promotions EDR stakeholders have to offer, I am leery of all claims of digital’s superiority over paper – especially for dental records. I’m not alone.

    For example, today Cortney O’Brien posted on “Paperless Problems: Doctors Hurting From Obamacare’s Digital Record Mandate.”

    “According to a study published in December by the Pennsylvania Patient Safety Authority, the number of reports about medical errors associated with electronic records is growing. Of 3,099 incidents reported over an eight-year period, 1,142 were filed in 2011, more than double the number in 2010.” – O’Brien’s description of “Dangerous Glitches.”

    So much for safety. What about savings?

    Due to the complexity of physicians’ business needs compared to dentists’, one would assume that physicians stand to save far more money for their HIT investment than dentists. Yet, O’Brien illustrates “Costly Care” with numbers from, explaining “In addition to the technological issues, the hefty price tag of Obamacare’s electronic records mandate is also cause for concern”:

    The average physician would lose $43,743 over five years; just 27 percent of practices would have achieved a positive return on investment; and only an additional 14 percent of practices would have come out ahead had they received the $44,000 federal meaningful-use incentive. [“Digital Health Records’ Risks Emerge as Deaths Blamed on Systems,” by Jordan Robertson, June 25, 2013].


    Only a half-dozen or so indignant EDR stakeholders I have cornered even attempted to publicly defend the value of their software. Each failed quickly. Nevertheless, in fairness, I must mention that a year ago, an EDR consultant coyly revealed that for $35 one can examine secret (?) evidence that paper dental records cost dentists over $40,000 per year. Although suspiciously absent is any hint of the cost of EDRs for comparison to the (inflated) cost of paper records, the $35 does include a year’s membership in ECO Dentistry Association with all its privileges. I declined.

    Finally, this reader’s response to Cortney O’Brien’s article caught my attention:

    “Computers are hacked………. there is no ‘secure’ page.

    The government has access, and like your credit cards and credit info your health info will end up in India.

    The moral of this story is don’t go to the doctor and if you must, lie through your teeth.”

    Patients’ trust in physicians’ security may have already been squandered for a generation or so. That does not have to happen in dentistry, but it could. We can protect dental patients by de-identifying their primary records, even if physicians can’t. This difference is destined to become increasingly meaningful. In 2014 HIPAA audits will scare the hell out of dentists.

    Sit back and watch.

    D. Kellus Pruitt DDS


  4. FBI Warning?

    An FBI warning that appeared this month is the nastiest piece of transparency yet for the invisible Director of the American Dental Association Department of Dental Informatics (DDI) – whoever that is. Though the dental industry niche has been virtually silent about mounting bad news about EHRs, this unpopular tale should be of no surprise to my spamgroup.

    The FBI Cyber Division’s “Private Industry Notification” is intended to alert the nation to the unsustainable risks of identity thefts from EHRs – including dentists’ electronic dental record systems: “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain,” April 8, 2014.

    (PDF: health-systems-cyber-intrusions.pdf)

    “The biggest vulnerability was the perception of IT health care professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.” Like depending on the Maginot Line to defend against ICBMs. (I copied the entire Notification below).

    Sit back and watch what I expect will happen: More than likely, the FBI’s notification has already aggravated outgoing HHS Secretary Kathleen Sebelius, while at the same time, it has probably elated at least a few mid-term lawmakers looking for a cause with hair on it. Expect heroic, patriotic responses calling for tighter regulations and more fines – which is guaranteed to increase electronic dental records’ costs and liabilities even more. Contrary to recently published opinions of the American Dental Association, as well as Gordon Christensen’s Clinicians Report, EDRs have always been more expensive and more dangerous than paper dental records. What’s more, since nothing is holding down the cost of HIPAA compliance or mid-term elections, paper dental records’ business advantages will only grow.

    Doc, even though you don’t want to give up computerization for pegboards and ledger cards, what choice will you have if informed patients seek less costly dentists who do not store their identities on office computers? Should such a manifestation of economic law come to pass, will it piss you off just a little if our shy dental leaders are still hiding from discussion of de-identification – HIPAA’s other safe harbor?

    Outside dentistry, the advantages of de-ID over encryption are rapidly winning over fans. Inside dentistry, ADA-recommended full-disk encryption of EDRs has turned out to be so dangerously fallible, as well as time consuming, that today, there is no encryption at rest in dentistry. This means that once a dental patient’s file is in the hands of a thief – perhaps an employee – there are no barriers protecting personal information that sells for $50 per record on the black market. Some dental practices store 10,000 files or more. Do the math. How loyal is your staff?

    All that’s needed to retrieve the information from a file is the same EDR software used by the patient’s dentist. There is no security, and since encryption has not made it to the marketplace by now, it’s not coming no matter what the ADA says.

    Now that even the FBI is making a special effort to warn Americans that EHRs are increasingly vulnerable to identity thieves – including employees – do you think it is still too early to openly consider de-identification of electronic dental records? Even though the failure of EDR security is perhaps the least popular dental topic possible, there is zero chance of interoperable dental records without involving practicing dentists in transparent discussions. It’s time to stop hiding from us.

    D. Kellus Pruitt DDS


  5. Subrogation

    As more and more providers purchase cyber-insurance, subrogation, the right for an insurer to pursue a third party that caused an insurance loss to the insured, is going to become more common in healthcare, especially in dentistry. That makes vendors’ false claims of encryption increasingly expensive blunders.

    In “Looking Beyond the Breach: Recovery Analysis in Data Breach and Cyber Losses,” authors David Brisco, Esq. and Joe Rich, Esq. are not referring to a dentist’s loss of respect in the community when they mention “recovery.” For one thing, their comparison of an investigation of a data breach to the seriousness of an arson investigation was posted on the insurance industry’s, June 10, 2014. There’s money to be made in subrogation.

    Brisco and Rich: “Whose job was it to protect the data/network from the hacker? Did some other party or vendor’s work make the system more susceptible or open to access? The answers to these questions invariably leads to the network maintenance company, security vendor, and/or software and hardware companies and whether their level of protection met the standard of care.”

    If subrogation over the false claim of encryption turns into a huge liability for Dentrix, will that make their dental software cheaper or more expensive? I’ll ask Brisco and Rich:

    Dear David Brisco and Joe Rich

    Speaking of subrogation liability, Dentrix, the dental software vendor which you mention in your article, continued to advertise that their G5 dental software was encrypted 8 months after the Department of Homeland Security warned that their encryption was nothing more than “weak obfuscation.” (See: “Vulnerability Note VU#900031 Faircom c-treeACE database weak obfuscation algorithm vulnerability,” June 10, 2013).

    This means there are very likely hundreds (?) of Dentrix customers who experienced stolen computers – and who still may be unaware that their dental patients’ identities contained in the lost files are not encrypted as promised. There could be tens of thousands of Americans at risk being blindsided by preventable identity thefts, just because an EDR vendor lied about encryption to boost sales at the risk of national security.

    This seems to me to be a huge liability for Schein Dental, parent company of Dentrix, and will never completely disappear.

    D. Kellus Pruitt DDS


  6. The more the scarier

    The US government’s open-ended regulation of healthcare reminds me of a scene from the comedy “Airplane!” in which well-meaning passengers are lined up in the aisle – each waiting for their chance to beat a scared passenger into submission using their favorite weapons.

    “FCC Is Latest Agency To Enter Cybersecurity Enforcement” – Law360, New York (October 27, 2014, 6:12 PM ET)

    “The Federal Communications Commission voted on Oct. 24, 2014, to pursue fines of $10 million against two companies for alleged violations of laws protecting the privacy of telephone customers’ personal information. This is the second major enforcement action the FCC has taken to protect consumer privacy in the last two months, but it is the first time ever that such a fine has been based on failures of data security rather than failures to obtain consent or similar misuse of customer data.”

    Communications using EHRs are already regulated by HHS, FTC and the FDA. So do you think the addition of documented compliance with telephone security requirements will make healthcare cheaper or more expensive? Most importantly, does the current harm justify the cost of what has already proven to be questionable regulatory solutions?

    For example, look how well HIPAA has worked: 94% of healthcare organizations have experienced at least one reportable breach of patients’ protected health information in the last two years (Ponemon Institute).

    Since nothing is slowing down the data breaches from healthcare, watch for the re-appearance of compliance entrepreneurs’ nuclear selling point: “Purchasing compliance tools from us is still a lot cheaper than million dollar fines for willful negligence.” It’s impossible for consumers to argue with that.

    Are the vendors’ profits a bountiful result of a lively, competitive free market? Or are they the result of private industry’s symbiotic relationship with a totalitarian government?

    D. Kellus Pruitt DDS

