Cybersecurity Information for OMSs

May 6, 2024

The FBI has informed AAOMS that oral and maxillofacial surgeons and their practices are potential targets of cybersecurity attacks.

Last year, the FBI warned plastic surgeons they were being targeted with cyberattacks. The FBI now suspects the group behind the cyberattacks may be shifting tactics to oral and maxillofacial surgery practices. At this time, they said there are no known OMS cyberattack victims from the group that targeted plastic surgeons; they are proactively working to prevent future victimizations.

One example the FBI provided: A bad actor poses as a new patient or says they want to become a patient. The practice provides a link to a New Patient Registration Form. The bad actor then calls the practice to say the online process for submitting the form isn’t working or that they don’t know how to use it, and asks whether they can scan the form and send it by email instead. The practice provides the bad actor with an email address, and the email that arrives contains a malicious link or attachment. When someone at the practice clicks the link or opens the attachment, the bad actor can gain access to the practice’s network.

Cybercriminals use phishing and vulnerability exploitation to deploy malware on office computers, gain access to electronic protected health information (ePHI), and then steal that data to use as leverage for fraud schemes or to extort the practice by demanding a ransom payment.

The FBI asks that practices be reminded not to open attachments unless they know the sender and can verify that the attachment is safe, and to consider bolstering the security of any computer that accesses the internet and email.

AAOMS members should be taking the following steps to ensure their data stays secure:

  • Training – All team members need to learn how to identify social engineering attacks such as phishing. Training is typically available from cybersecurity companies.
  • Turn on multifactor authentication (MFA) – Enable MFA on all websites and applications as an added layer of defense. When you log into a website or app that has MFA enabled, you will receive a text message or be prompted to confirm the login in an app on your phone. This helps prevent unauthorized access to your applications even if a bad actor obtains your username and password.
  • Focus on password management – There are password management tools that create unique and strong passwords for every website and app and then store them in a password-protected vault.
  • Identify vulnerabilities – You should utilize a vulnerability scanning tool that scans your computers and firewalls daily to identify areas of your network that bad actors may exploit to gain access to your network and data.
  • Monitor finances – Check bank accounts and credit reports for suspicious activities. Never wire money without verbally confirming the account number and routing number with the recipient.
  • Invest in AI antivirus software – This technology, typically known as endpoint detection and response (EDR) or managed detection and response (MDR), uses artificial intelligence to detect malicious code and hacker behaviors and can alert security engineers and/or autonomously respond to the threat.

Unusual request? AAOMS members who are contacted by AAOMS, ABOMS or OMSNIC – whether by email or phone call – with an unusual request should call the organization directly to confirm the request. Our organizations welcome such inquiries.

Friendly reminder: To further protect your practice data, we ask that you not post this notice to social media, not email broadly to unknown individuals, and remember to think before you click.

Free cybersecurity resources

Webinars – As an added AAOMS member benefit, two AAOMS cybersecurity webinars will be available on a complimentary basis through June 6:

Podcast – The 30-minute Cybersecurity for OMS Practices episode from the AAOMS On the Go podcast features Gary Salman, CEO of Black Talon Security, who outlines the potential operational, reputational and financial impacts of cyberattacks.

AAOMS Today – Recent articles covering cybersecurity include:

Government websites – Information on cybersecurity is available at:

  • Federal Trade Commission: Cybersecurity for Small Business includes guides, quizzes and materials covering cybersecurity basics and specific types of scams.
  • U.S. Department of Health and Human Services:
    • Cyber Security Guidance – This webpage includes guidance and an infographic as well as a 43-minute video for HIPAA-covered entities.
    • HHS 405(d) Program – Offers best practices for mitigating the most prevalent and emerging cyber threats.

What to do if you experience a cyberattack

The FBI is asking cybersecurity victims to report these fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at ic3.gov. Include as much information as possible, including:

  • The name of the person who contacted you.
  • Method of communication used, including websites, emails and telephone numbers.
  • The cryptocurrency digital wallet address(es) or bank account number(s) for extortion payments and recipient name(s), if provided.

In addition, the HHS Office for Civil Rights offers a Quick-Response Checklist that explains what to do if you have just experienced a cyber-related security incident.