The advent of computer filing systems has greatly simplified the process of recording and storing patient records in dental offices. However, this convenience does not come without a potential cost. Every day, dentists across the country face hacking, ransomware and other cybersecurity threats. And even in the absence of these active dangers, dental office managers must make sure to maintain security standards that meet federal guidelines for patient confidentiality.
Understanding HIPAA Guidelines
All dental offices in the U.S. must follow patient protection guidelines established under a piece of federal legislation called the Health Insurance Portability and Accountability Act, or HIPAA. This legislation includes a security rule that requires all practices to protect digitized records with appropriate safeguards. Common steps used to meet this requirement include:
- Making sure that all computers and mobile devices capable of accessing patient records are secured by passwords of adequate complexity
- Protecting an office’s entire digital pathway with comprehensive data encryption software
- Teaching staff members how to avoid exposing computers and mobile devices to unauthorized requests for access (which often come in the form of “phishing” emails)
- Taking steps to ensure data security before and after business hours
The best way to coordinate your safeguarding efforts is to establish an office-wide cybersecurity policy that serves as a framework for all employees. In addition to actions that help keep patient records secure, this policy should include the steps to take if a security breach occurs.
Conducting a Cybersecurity Review
Once you have your office-wide policy in place, follow up with a review of your dental office’s current procedures. Crucial steps in this review include:
- Identifying all computers capable of accessing patient records
- Identifying all mobile devices (e.g., smartphones and tablets) capable of accessing patient records
- Determining which staff members have access to relevant computers and mobile devices
- Determining if any mobile devices ever leave the premises during or after hours
- Making sure the entire electronic pathway is protected by passwords and adequate encryption
After completing your review, identify any discrepancies between your stated policies and your office’s actual day-to-day conduct. Be aware that current federal law allows the agency that enforces HIPAA, the Office for Civil Rights, to audit any dental practice in the country. If such an audit turns up inadequacies in your policies or procedures, you could end up facing a hefty fine that totals thousands of dollars, or even more.
Responding to a Ransomware Attack
Ransomware attacks are increasingly common at all kinds of businesses, including dental offices. In most cases, these attacks begin when a staff member opens a seemingly harmless email and unleashes a piece of malicious software on the office system. Once active, this software can block access to vital electronic data, including patient records. In return for restoring access, the perpetrator of the attack will demand some sort of payment.
Dental offices victimized by ransomware attacks should take several immediate steps, including:
- Limiting the damage by disconnecting the affected computer(s)/device(s) and disabling drive sharing
- Letting the entire staff know that an attack has occurred
- Seeking help from your IT provider
- Informing your insurance provider
After completing these actions, follow up by assessing the extent of the harm. Steps in a thorough assessment include determining if you have backup records for the machine(s) under attack and determining the amount of time since the last backup was completed.
If you don’t have recent, secure backups for the ransomed machines, you may have to consider the pros and cons of paying the money required to release the blocked records. This tough call can be influenced by a number of factors, including the level of disruption caused by the attack, the type of information lost through the attack and the value of that lost information.