There is little doubt that running a modern dental practice is significantly more complicated than it was only 5 years ago. The main reasons for this are twofold: First, all dental practices must comply with HIPAA rules and regulations, and secondly, practices are now under constant cyberattack for their data. Most security researchers agree that, on the black market, patient health records fetch a higher price than almost any other kind of record. So, it would be incorrect to assume that your solo dental practice is not a target, because nothing could be further from the truth!
The purpose of this article is to outline some critical cybersecurity issues to inform you of what can be done to protect yourself, your patients’ data, and your livelihood.
Encryption: Your Get-Out-Of-Jail-Free Card
As many people know, the HIPAA Security Rule has two kinds of implementation specifications, required and addressable, and there is, unfortunately, a lot of confusion about these. Required is the easy one: If a specification is required, you must do it; there are no exceptions and it is not negotiable. Addressable, though, is less cut and dried. The US Department of Health & Human Services puts it this way: “a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.” If you decide that an addressable specification is not reasonable and appropriate for your practice, you must document why, and what you did instead.
It is my opinion that there are some lecturers and writers out there who do not truly understand what this implies. I’ve heard people say that any addressable regulation means that you don’t have to do it, and that you can just document that you do not feel it’s appropriate and be done with it. There are a couple of reasons why I don’t agree with this.
First, it all comes back to the phrase, “reasonable and appropriate.” How do you decide if something is reasonable and appropriate for your specific situation? One thing I would recommend is that you speak to your colleagues to see what they are doing; the “standard of care” is often used by a HIPAA auditor when deciding if you are in compliance or not. Let’s use encryption as an example. Yes, in theory, you could say that you don’t find it reasonable and appropriate to encrypt your data or encrypt your communications with other offices. The problem is that many dental offices are already doing this. If you have computers running Windows 7 Ultimate or Enterprise, Windows 8/8.1 Pro or Enterprise, Windows 10 Pro, Enterprise or Education (not the Home edition), or Windows Server 2008 or later, then you already have BitLocker, which comes with the operating system at no extra charge. It doesn’t take too much effort (work with an IT company if you don’t know the steps) to turn on BitLocker encryption. Two caveats: BitLocker protects the data on a drive that is lost, stolen, or pulled out of a retired computer; it does nothing for a machine that is powered on and logged in, so it is not a defense against malware. And the 48-digit recovery key must be stored somewhere other than the encrypted machine (a printed copy in the safe, or Active Directory if you have a domain), because without it a failed motherboard turns “encrypted” into “gone.” Encrypt the laptops and external drives, not just the server. It’s the same with email: There are dozens of different products out there, some that work with Microsoft Outlook, some that are similar to Google’s Gmail, that can encrypt your communications, and most will run you around $7 to $10 per user per month. Do you really think you can convince an auditor that encryption is not reasonable when you have the necessary software already installed on your server, and, for a small amount of money, you can encrypt all your emails?
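Here is what “turning on BitLocker” looks like when done from an elevated PowerShell prompt. This is an added example, not code from the article or from The Digital Dentist: it assumes a Windows 10 Pro or Windows Server machine with the BitLocker cmdlets available (Windows 10 Home has none), a TPM, and a removable drive at E:\ for the recovery key; the drive letter and folder name are assumptions.

```powershell
# Added example (not from the article): enable BitLocker on the system drive,
# escrow the recovery password OFF the machine, and confirm protection is on.
# Assumptions: Windows 10 Pro/Enterprise or Server with the BitLocker feature,
# a ready TPM, and a removable drive E:\ that goes in the safe afterwards.
#Requires -RunAsAdministrator

$Drive = 'C:'
$RecoveryKeyFolder = 'E:\BitLockerKeys'   # assumption: NOT on the disk being encrypted

# 1. Is there a usable TPM? Without one, use -StartupKeyProtector or -PasswordProtector instead.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready; cannot use -TpmProtector on this machine."
}

# 2. Current state. VolumeStatus 'FullyDecrypted' means nothing protects the data at rest.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# 3. Add the recovery password protector FIRST, so the key exists before encryption starts.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# 4. Encrypt with the TPM unlocking the drive at boot. XTS-AES 256 is the strongest
#    built-in choice; -SkipHardwareTest starts encrypting without the reboot test.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 5. Export the 48-digit recovery password somewhere off this machine.
$vol = Get-BitLockerVolume -MountPoint $Drive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
$keyFile = Join-Path $RecoveryKeyFolder "$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).txt"
$recovery | ForEach-Object {
    "$env:COMPUTERNAME $Drive ID=$($_.KeyProtectorId) RecoveryPassword=$($_.RecoveryPassword)"
} | Out-File -FilePath $keyFile

# 6. Verify. A volume can be fully encrypted with protection SUSPENDED (common after a
#    firmware update), which is no protection at all, so check ProtectionStatus, not just VolumeStatus.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Volume is $($vol.VolumeStatus) but protection is $($vol.ProtectionStatus); run Resume-BitLocker -MountPoint $Drive."
} else {
    "BitLocker protection is On for $Drive ($($vol.EncryptionMethod)); recovery key saved to $keyFile"
}
```

Step 6 is the part worth repeating every few months: `Get-BitLockerVolume` on every server and laptop, and anything whose ProtectionStatus is not On gets fixed that day. For an auditor, the dated key file plus that output is your evidence that the addressable encryption specification was actually implemented.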
The second issue goes past the whole addressable question, and that’s the Breach Notification Rule. Should unencrypted patient data ever be compromised, you must, by law, notify every affected patient in writing and report the breach to Health and Human Services; if more than 500 people are affected, you must also notify the local news media, and the breach is posted on the HHS website (affectionately called “The Wall of Shame”). However, the rule only covers “unsecured” protected health information. Data that was encrypted in line with HHS guidance is not considered unsecured, so a stolen encrypted laptop or backup drive does not trigger notification, provided the encryption key was not taken along with it (a laptop stolen while powered on and logged in, with the key in memory, does not qualify). That holds even though encryption is only an addressable specification. For this reason alone, I would recommend that all data be encrypted.
Ransomware: The Biggest Threat?
Ransomware is a very big deal! An attack in late January 2018 crippled the EHR vendor Allscripts for more than a week. Even a cursory search on Google will show results on dozens of minor and/or major ransomware attacks. Some of the more notable attacks have targeted the United Kingdom’s National Health Service, airports, banks, etc.
So, how do you know you have been hit by ransomware? At the moment of infection, typically a malicious email attachment or website, you may notice nothing. The program then encrypts every file it can reach, on the local disks and on any mapped network drive, often within minutes, and once it shows itself there won’t be any doubt. The most common thing you’ll see is a pop-up on your screen that takes over everything; you can’t access your data or do much of anything. The pop-up will usually demand that you pay a ransom, historically anywhere from $200 to $2,000 for a small office, in order to receive the decryption key to get your data back. And, the ransom almost always must be paid in hard-to-trace cryptocurrency (ie, Bitcoin) since they definitely don’t take credit cards or cash!
The good news is that if you have a backup the infected machine cannot write to, the ransomware can’t encrypt it along with everything else. Note that what protects the backup is isolation, not encryption: a backup drive that stays plugged in, or a network share the server can write to, is just another drive for the ransomware to encrypt, so keep at least one copy offline (rotated drives) or in a cloud service that keeps prior versions of each file. With a clean copy in hand, you can wipe the infected systems (or get help from someone who knows what he or she is doing), restore your backup, and be on your way. But, if you don’t have an uninfected backup, then your options may be limited. This is why a backup is so critical (more on this later).
So, how do you protect yourself? Good anti-malware software is a must. I have always been a fan of ESET products, but I would also suggest investing in ransomware-specific products, such as CryptoPrevent or HitmanPro.Alert. Systems must be updated on a regular basis (called “patch management”); keeping software patched is part of the risk management the HIPAA Security Rule requires. Do not run the practice software under an administrator account for day-to-day work; ransomware can only encrypt what the logged-in user can write to. Also, your entire office team and you need to learn how to recognize malicious emails and websites and what to avoid.
Disaster Recovery: Your Last Line of Defense
I highly recommend a 2-pronged approach, with a local backup and an online backup. Let’s examine both of these.
So many offices focus on how they do their backups, but, in my opinion, this really is not the main issue. Whether you use external hard drives, local NAS devices, DVDs, and/or online systems, all of them are most likely backing up your systems adequately. Here’s the better question to ask yourself: If my server goes down for any reason, how quickly can I get back up and running? If the answer is measured in days, then it’s time to re-evaluate your backup and disaster recovery system!
Many offices elect to use a simple online-only backup system. Some of these are incredibly cheap, perhaps only $50 to $100 per year to backup unlimited amounts of data. However, there are a number of reasons why I do not recommend this approach:
1. As mentioned above, there’s no quick way to restore your data. Even with a fast Internet connection, if you’re like many offices with hundreds of gigabytes of data, the download alone will take at least 1 to 2 days. Some of the better companies will overnight you a copy of your data on a hard drive, but that still means you are down 24 hours just to get the data, let alone restore it.
2. In most cases, these companies will not verify your backup. If certain files were skipped because they were corrupted, or were open and locked by the practice software when the backup ran, you would never know it until the day you needed them.
3. Many of these services are not set up for HIPAA compliance. You must have a signed Business Associate Agreement with any person or company that has access to your data, you must verify the backup, and you must test restoring from it on a regular basis.
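Points 2 and 3 come down to one habit: check the copy against the original, rather than trusting the backup software’s “completed” message. The script below is an added example, not code from the article; it compares a live folder against its backup copy file by file with SHA-256 hashes and flags files that are missing, changed since the copy was made, or copied as empty (what you get when a file was locked during the backup). The paths are assumptions, and the patient-chart files it creates under your TEMP folder are constructed for the demonstration.

```powershell
# Added example (not from the article): verify that a backup copy is a faithful
# copy of the live data. Works for an external drive, a NAS share (\\nas\backup)
# or a synced cloud folder; the demo paths and sample files below are constructed.

function Test-BackupCopy {
    param(
        [Parameter(Mandatory)] [string]$Source,   # live data folder
        [Parameter(Mandatory)] [string]$Backup    # where the backup job puts its copy
    )
    $result = [ordered]@{ Checked = 0; Missing = @(); Mismatched = @(); ZeroByte = @() }
    $prefixLength = $Source.TrimEnd('\').Length

    Get-ChildItem -LiteralPath $Source -File -Recurse | ForEach-Object {
        $relative = $_.FullName.Substring($prefixLength).TrimStart('\')
        $copy = Join-Path $Backup $relative
        $result.Checked++

        # Missing: the backup job never copied this file at all.
        if (-not (Test-Path -LiteralPath $copy)) { $result.Missing += $relative; return }

        # Zero-byte: typical of a file that was open/locked when the backup ran.
        if ($_.Length -gt 0 -and (Get-Item -LiteralPath $copy).Length -eq 0) {
            $result.ZeroByte += $relative; return
        }

        # Mismatched: content differs (stale copy, or corrupted in transit/storage).
        $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $bakHash = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        if ($srcHash -ne $bakHash) { $result.Mismatched += $relative }
    }
    [pscustomobject]$result
}

# --- constructed demo data so the script runs stand-alone ---
$demo   = Join-Path $env:TEMP 'backup-demo'
$source = Join-Path $demo 'live'
$backup = Join-Path $demo 'copy'
Remove-Item -LiteralPath $demo -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path "$source\patients", "$backup\patients" -Force | Out-Null

'chart 1001'         | Set-Content "$source\patients\1001.txt"
'chart 1001'         | Set-Content "$backup\patients\1001.txt"   # good copy
'chart 1002'         | Set-Content "$source\patients\1002.txt"
'chart 1002 (stale)' | Set-Content "$backup\patients\1002.txt"   # copy is out of date
'chart 1003'         | Set-Content "$source\patients\1003.txt"   # never copied
'x-ray bytes'        | Set-Content "$source\patients\1004.bin"
New-Item -ItemType File -Path "$backup\patients\1004.bin" -Force | Out-Null   # 0-byte copy

$report = Test-BackupCopy -Source $source -Backup $backup
$report | Format-List

$problems = $report.Missing.Count + $report.Mismatched.Count + $report.ZeroByte.Count
if ($problems -gt 0) {
    Write-Warning "$problems of $($report.Checked) files are not correctly backed up. Fix this before you need the backup."
    exit 1
}
"All $($report.Checked) files verified."
```

Of the four constructed charts, only 1001.txt passes; the other three each trip one of the three checks. Run this on a schedule against the real folders and keep the output with your HIPAA documentation. It verifies file-copy backups; for an image or database backup, the only honest test is still a full restore onto spare hardware, which is also the only way to learn the “how quickly can I get back up” number from the paragraph above.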
What I would recommend is having a local backup and an online backup. The local backup is there as your first line of defense. If you set it up correctly, you can recover from a server crash in a matter of minutes. However, that’s not going to help you much in the event of something like a flood or fire or theft, and, in those cases, you’ll want an offsite backup in the cloud.
IN CLOSING
Review the security systems you have in place. HIPAA demands that you do a formal risk assessment and develop a management plan, and there is no time like the present to start. It’s no different than treating a new patient in your practice: When a new patient shows up, you don’t just start treatment; you take a series of radiographs and do your perio and restorative charting, intraoral and extraoral exams, etc. Based upon that, you then develop a treatment plan. Well, HIPAA is the same way: How can you know where you are falling short of the requirements unless you actually do a comprehensive evaluation and develop a plan of action? Evaluate your firewalls, anti-malware software, and backup and disaster recovery systems in place, as well as your system for patching your software. Protect yourself now, before it’s too late!
Dr. Lavine, founder and president of The Digital Dentist, has more than 30 years experience in the dental and dental technology fields. He has vast experience with dental technology systems. As a consultant and integrator, Dr. Lavine has extensive hands-on experience with most practice management software, image management software, digital and intraoral cameras, computers, networks, and digital radiography systems. He also writes for many well-known industry publications and presents lectures throughout the United States. Dr. Lavine can be reached at (866) 204-3398 or by email at drlavine@thedigitaldentist.com.
Disclosures: Dr. Lavine reports no disclosures.