Emmott On Technology: What Your Dental Practice Needs to Know About Cyber Security

Thursday, June 27, 2013

Two Hundred Dollars.

That is what a hacker can sometimes get on the black market for a complete medical dental record, according to Chris Verbiest, VP at DBIC (Dentists Benefits Insurance Company) in Oregon. That means a typical dental office with 2,500 patients could be worth as much as half a million dollars to a cyber-criminal. That kind of money makes your dental office a tempting target.

As dental professionals we have an ethical and a legal obligation to protect our patients' personal information. This includes medical data and, even more importantly from a data breach perspective, personal information such as name, address, birth date, social security numbers and, most sensitive of all, credit card numbers.

Mysterious Internet hackers are not the only way a cyber-security breach can happen. If you lose a portable electronic device such as a laptop or smartphone you use to access office data, you have a problem. If a burglar steals your office computers or an employee steals the data, you are responsible.

In 2009 the HITECH Act was passed. This law significantly strengthened many aspects of HIPAA's security rules, with mandatory financial penalties for violations. In addition, state and federal laws require you to notify patients in the event of a data breach.

The fines and penalties are intended to be punitive, and they are. Fines are levied per file compromised and range from $100 to $50,000 for each violation. It adds up fast. At $300 per record you could be liable for $750,000 if your 2,500 patient records were compromised. What is even more frightening is that you will most likely have to pay personally, out of pocket.

As a rule, your professional liability policy will not cover you in the case of a data breach.

“We have already seen dental practices that were devastated by a data breach,” Verbiest said. “We responded by developing a new insurance product to provide coverage.”

As with most catastrophic events, the chances of your office being exploited are small but the results can be disastrous. However, as more dental offices use digital technology and hackers become more sophisticated, the chances of you experiencing a breach increase. These are the types of low-probability, high-risk events that lend themselves well to insurance. Check with your liability carrier to see if you are covered.

In addition to insurance coverage, there are several basic security measures you need to consider. The law requires that you conduct a computer security assessment and provide basic training to all staff members. As with all government regulations, it is not enough just to do it. You also need to document that you did it. Many dental IT specialists are now offering training and assessment to their dental clients.

Additionally, there are online assessment tools you can purchase to guide you through the assessment and then provide documentation and steps to take to ensure compliance.

At the most basic level, set up and enforce the use of passwords. Ideally you should have secret, individual, eight-character passwords for each team member to log onto their computer. You should then have completely different passwords for each person to access the dental practice data. All of these passwords should then be changed every few months.

While that is ideal, hardly anybody works that way. In most dental offices, passwords are easy to remember, shared by everyone, never changed and written on a sticky note stuck to the computer.

Passwords can be difficult to use optimally. The second important security measure, on the other hand, is easy to install and manage: set up a firewall to protect your computer system from outside attacks.

Step three is also easy: lock up the server. Keep the server where your data is stored in a locked closet that is protected from environmental problems such as heat and water.

Step four may be the most important. Store your data in an encrypted format. This is especially important if you are storing data off site.

In the past I have stated that dental offices were unlikely targets of cyber criminals. They would much rather steal data from a bank or department store. However, as these prime targets harden their data against attack, hackers are turning to softer targets such as dental and medical offices. At up to $500,000 per office the returns can be substantial.

We will revisit these issues in more detail in future Emmott on Technology columns. In the meantime, understand there are risks and take precautions to protect yourself and your practice, because despite the potential problems, the future is coming and it will be amazing!
