Cybersecurity best practices can, and should, be implemented by large and small dental practices, employees and individuals.
Cybersecurity. It’s almost impossible to go through your favorite news website and not see some article or headline about cybersecurity, a recent breach, or other IT nightmares out there. With so much being written about cybersecurity, I think it’s important to review exactly what that means, and, more importantly, what are the minimum steps you need to be doing to protect patient data.
There are obviously multiple definitions of cybersecurity. According to Techtarget, cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyberattacks. In a computing context, security comprises cybersecurity and physical security-both should be used by dental offices to protect against unauthorized access to data centers and other computerized systems. The goal of cybersecurity is to limit risk and protect IT assets from attackers with malicious intent. Information security, which is designed to maintain the confidentiality, integrity and availability of data, is a subset of cybersecurity. HIPAA focuses a lot on information security.
Cybersecurity best practices can, and should, be implemented by large and small dental practices, employees and individuals. One of the most problematic elements of cybersecurity is the continually evolving nature of security risks and advanced persistent threats.
Probably the most well-known cybersecurity threat over the past two years has been ransomware attacks. Ransomware criminals have become much more sophisticated in their attacks. Initially, they would just target individual dental offices in the hopes of getting a few hundred to a few thousand dollars. Recently, though, they discovered that some dental IT companies who provide remote access support to clients had inadequate security, and by hacking their systems, they could reach exponentially more people. The recent attacks on 400 dental offices in Wisconsin in August and another 100 in Colorado in November is proof of this. And, more recently, not only are the attackers demanding a ransom, but knowing that some people can avoid the ransom by restoring a backup, they are now threatening victims that not paying the ransom will result in the data being published online to the public. Scary stuff.
So, why is this such as big deal? As I mentioned in a previous article, back in 2016, Health and Human Services made a determination that if you are hit with ransomware, then you must declare a breach, because their definition of a breach is “loss of control of your data,” which is exactly what a ransomware virus does, it locks your files. Unlike much of HIPAA which is ambiguous, the Breach Notification Rule is very clear: A breach of patient data requires notifying all patients in writing, notifying the news media, and having your practice listed on the HHS Wall of Shame.
Here are the basic steps you should do right now to protect yourself:
1. Do a formal risk assessment and develop a HIPAA management plan. Just like you can’t diagnose a patient until you take X-rays and do your charting, you can’t know where you are at risk unless you actually look.
2. Get a good, paid antimalware software program. Ones like ESET and Bitdefender are good, and make sure you keep them current and up-to-date.
3. Invest in ransomware-specific software. Many general purpose antivirus software don’t do the best job against ransomware, and for around $40 per computer per year, you can have some really good ransomware protection.
4. Get a business-class firewall. I’d stay away from the consumer-level routers such as Linksys, D-Link, and Netgear, but instead invest in a better firewall from companies such as Sophos or Sonicwall.
5. Encrypt all computers that contain patient information. This always includes the server, and often the dentist’s and office manager’s PCs.
6. Finally, realize that you can’t prevent all breaches, and invest in some good cybersecurity insurance. I would recommend a minimum of $500,000 of coverage.
Protecting your patient data is critical for the livelihood of your practice. Taking the time to properly prevent these attacks is a worthwhile endeavor that will save you a lot of grief down the road.