Information theft is at an all-time high. Every day you hear about another company that has had a security breach that caused the private information of its customers to be spread across the web. Dental offices are becoming more and more of a target because, from the perspective of the thief, they are low-hanging fruit. Why? Because many dental offices tend to think it won’t happen to them, so there’s no urgency to be concerned about securing patient information.
At Dental ClaimSupport, we take security seriously. As the IT manager, it is my job to make sure that all the information we have access to is secured within our systems and processes. We work with hundreds of offices across the country and see a lot of different ways in which security is deployed.
This article aims to inform you of the importance of securing the patient data that has been entrusted to you, how someone might get that information from you, and how you can best protect your practice and your patients. Awareness is important, but action is essential. Below you will find some steps to take to make sure your data is secure.
What data do I have to protect?
The simple answer is you need to protect all of it. What different types of data might you have in your possession?
When a new patient comes to you, I’m sure the first thing you do is have them fill out your new patient paperwork. That information is entered into some software (Dentrix, Eaglesoft, Open Dental, etc.) on a computer, most likely a server in your office that shares that information with all the other computers connected to your network.
As soon as you create that new patient in your system, you now have that person’s personal identity information, their personal health information, and most likely some form of payment such as their credit card information.
If your form is like most, their personal information includes their full name, date of birth, and social security number at a minimum. With that information alone, someone could use that to steal a person’s identity and cause all sorts of havoc.
You’re also most likely asking for their dental insurance information and, depending on the office and the procedures that need to be done, their medical insurance as well. Now you have their personal health information, and because you are a health care provider, you fall under HIPAA guidelines and must protect that information according to those standards.
Along with a patient’s personal identity information and their personal health information, you most likely have captured their credit card information as well, or some type of payment information.
When you take a moment to look at all of the information that has been entrusted to you, it should make you feel a bit uneasy. You’ve been given a big responsibility, and that responsibility not only affects your patients, but your business, all who work for you, and anyone who has access to that information.
What are the most common ways information is stolen?
You may be thinking, “Why is this important? We are just a small dental office. No one is going to mess with us.” That is exactly why. Dental offices are being attacked more and more frequently.
Just recently, a local dental office in Suffolk, VA, has had to deal with the threat of a data breach. This leads to the next question: what type of breaches should I be defending against?
Many of the most common ways that hackers get into systems and steal information come down to us, the users in dental offices. Weak credentials or outright stolen passwords account for a huge percentage of data breaches.
If you’re honest, how many of your passwords are the same for everything?
When Google or Windows asks you to accept the suggested password and it looks like 3hGgso987*s7cz or similar, you look at it and say, “There is no way I’ll remember that, so let’s use Password1.” By a show of hands, how many of you are actively using something like Password1 as your password for at least one thing? Need I say more?
Phishing attacks are another way hackers can gain access to your data. This happens when the hacker sends an email that is specially crafted to look just like a legitimate one. It may appear to come from Amazon, Netflix, or even your bank, but if you looked at it very carefully, you’d see one letter out of place.
These attacks are designed to make you click on a link and hand your information to the hacker, or to get you to download something like a virus or malware. From there the malicious program will attack your system and gather information to send back to the hacker, or, worse yet, put ransomware on your system.
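The “one letter out of place” check described above can be automated on the sender’s domain so that staff do not have to spot it by eye. This is an added Python example, not code from the article or from Dental ClaimSupport; the trusted-domain list and the sample From: headers are constructed for illustration, and the names (`TRUSTED_DOMAINS`, `classify_sender`) are assumptions.

```python
from email.utils import parseaddr

# Senders this office expects mail from (constructed sample list; replace with
# the domains your practice actually deals with).
TRUSTED_DOMAINS = ["amazon.com", "netflix.com", "yourbank.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete a char of a
                           cur[j - 1] + 1,         # insert a char of b
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # One or two edits away from a trusted name (arnazon vs. amazon,
        # netfIix vs. netflix) is exactly the one-letter-off trick.
        if levenshtein(domain, good) <= 2:
            return "lookalike"
        # Prefix trick: "amazon.com.secure-login.example" is not amazon.com.
        if domain.startswith(good + "."):
            return "lookalike"
    return "unknown"

# Constructed sample headers, not taken from any real mailbox.
SAMPLE_HEADERS = [
    '"Amazon" <no-reply@amazon.com>',
    'Amazon Billing <alerts@arnazon.com>',
    'Netflix <info@netfIix.com>',
    'Support <help@amazon.com.secure-login.example>',
    'Scott <scott@dentalclaimsupport.example>',
]

def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each sample header to its classification."""
    return {h: classify_sender(h) for h in headers}
```

Anything flagged as “lookalike” is worth a second look before clicking; a real vendor will not send from a domain that is almost, but not quite, its own.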
What is ransomware? The hacker gets a program into your system that copies all of the information it’s looking for, then encrypts or corrupts those files and your system so that you can’t use them. It is accompanied by a “ransom” note demanding payment, often in bitcoin, to restore your files.
At this point you may believe you have this covered: you have made good backups, and doing a full restore will get you up and running. The problem is that the hacker now has your information and can, and most likely will, share it with whomever he or she wants. Now you have a breach.
And more importantly, as a dental office, you have a HIPAA breach. Now you have to report that breach. That could come with hefty fines, and could even mean closing your practice.
Software-based breaches such as viruses, malware, and ransomware aren’t the only way that data breaches occur.
There are physical attacks as well, such as outright theft of the information by someone in your office who has access to it. Information stored on USB drives can be easily stolen. Documents that are printed and not shredded properly, or left lying around for others to see, can be compromised as well. This is by no means an exhaustive list of the types of breaches that could occur, but these are the most common.
How can personal data be best protected?
Securing data is a lot like putting locks on your home or car: you are guarding against theft like any other. While it will never be 100% secure, there are some barriers you can put in place.
Get your IT involved.
Make sure that the services your IT company is using are secure. Don’t just take “yes, it is secure” for an answer, especially if you are dealing with an IT company that supports a lot of other businesses.
Cybersecurity is big business these days and there are a lot of options, but make sure you have basics such as a firewall to protect your network. A firewall is just like it sounds: a virtual wall that controls what is allowed in or out of your network.
Make sure you have good antivirus/malware/ransomware detection and elimination software installed on your server as well as all workstations. These will catch most programs that are trying to infect your system.
Your IT team should be doing server and workstation monitoring, making sure that systems are up to date, that patches are being installed, and detecting any issues with those systems before they create a problem.
One side note here: there are many versions of Windows that are no longer supported by Microsoft, which means they are no longer receiving security updates and are therefore no longer HIPAA compliant. One of those is Windows 7. If you are still using any machines running Windows 7, those are out of compliance. Make sure you are keeping all software up to date to avoid security issues.
Along with all of that, your IT should be making backups of all your data so that you are not at risk of losing any information. Those backups also need to be held in secure locations, whether on site or in the cloud.
Education, education, education
Educate your employees on what to do and not do when working on computers at the office. As already mentioned, phishing scams are the easiest way to infiltrate your system. If an employee is not educated on what to look for, they won’t recognize everything that could be a threat.
They also should not be checking personal email on your system, browsing around the web, or visiting Facebook, Pinterest, Etsy, and the like: all of these can lead to breaches of your system. Your IT can configure your firewall to block this type of browsing, but education is still best. Employees need to understand that there is always someone trying to find information to steal.
What if my dental office has a data breach?
Even with all of these proactive measures in place, bad guys do what bad guys do. Someone is always trying to outsmart the other side. As a dental office, you are governed by HIPAA laws and statutes. One of those laws deals with reporting breaches.
There are specific rules as to who has to be notified and what steps need to be taken to notify those individuals and entities. Make sure you check on that so you know what you have to report and to whom you have to report it.
You should also have a cybersecurity insurance policy in place. An all-out breach is never going to be fun, and no matter what the circumstances surrounding it, you will be seen as the one who allowed it to happen. You are the one dealing directly with the patients, and they trust you. Unfortunately, even with all the measures in place, you will most likely take a financial hit. So make sure you have a good cybersecurity policy to help you through that aspect should you ever have to deal with a breach.
This is by no means an exhaustive list of the problems, issues, and solutions to preventing a data breach, but hopefully it has stirred you to take a look at your current situation. It is important and something you do need to take seriously. Contact your HIPAA consultant to answer any questions you may have. If you do not have a HIPAA consultant, contact us for a referral.
Author: Scott Tageson, IT Manager