Dentists face growing cyber-threat from decaying legacy tech

Problems with a dental payment network prompt urgent root canal treatment to plug major potential attack paths.

ChatGPT's illustration of the tech problem facing some British dentists

Healthcare authorities in the UK have failed to fill a gaping cavity in the legacy tech that ensures dentists get paid - meaning that a straightforward cyberattack could leave thousands out of pocket.

That's the warning contained in an official document detailing the urgent overhaul of a system dentists use to request payments after performing publicly funded or subsidised operations.

The issue impacts Health and Social Care dentists in Northern Ireland, who operate similarly to NHS dentists in other parts of the UK by delivering care that's partially or fully funded by the government.

Whenever they perform an operation, details of that procedure are submitted to a body called the Business Services Organisation (BSO).

This is achieved using the Dental Web EDI (Electronic Data Interchange) System, which is responsible for processing 90% of dentists' claims.

It is not clear how much money this system processes. We do know that the gross cost of dental services in NI was £121.6 million last year - suggesting that the system handles at least tens of millions of pounds worth of payments each year.

The BSO forked out £973 million to a range of healthcare organisations including dentists in 2023/2024 - with 364 dental practices and 1,195 dentists operating in the region.

The threat is much clearer. This system relies on obsolete technology, making it highly vulnerable to cyberattacks.

Drilling into the security hole

After a Northern Irish dentist fills a hole in their victim, sorry, patient's tooth, a claim must be submitted to the BSO in XML format to an FPPS system (the payment processing backend).

"If this service fails, dental practices will not be paid and the BSO will fail in its statutory obligations as well as suffering serious reputational damage," Northern Irish authorities wrote in a contract notice announcing work to fix the issue. "This system processes in excess of 140,000 transactions per month."

However, the tech that powers the payment system is old and rotten.

The problem is that the WebEDI application that keeps everything running was written in VB6 and uses .NET Framework 2.0 C# components. Both of these technologies are no longer supported. VB6 became obsolete in 2008 and .NET Framework 2.0 went out of support in 2017.

"This currently means that no application changes can be made without first porting the application to supported technologies together with an ever-increasing risk that these out-of-date technologies could be subject to cyber-attack," authorities continued.

"The continued use of an unsupported technology framework poses an increasing risk to the organisation."

Civica UK has now been commissioned to migrate the WebEDI application to .NET 8, which will "resolve the concerns and minimise the risk of attack" at a cost of £162,934.80.

Hopefully, that should make sure dentists get paid and the people of Northern Ireland get as many nice bright smiles as possible.
