By Olivia Wann, JD
Ransomware hits 400 dental offices. Cybercriminals are now demanding ransom directly from the patients, according to one Florida plastic surgeon who had to post a notification on his website. Cybercriminals seek hundreds of thousands of dollars to decrypt the data they hold for ransom. HIPAA fines and penalties can run into millions of dollars. Do you feel like you are losing your sanity trying to maintain your office’s cybersecurity and HIPAA compliance?
The first step in achieving cybersanity is to learn about cybersecurity. You can’t run from it. Simply having a trusted IT person is not sufficient.
The Health Insurance Portability and Accountability Act (HIPAA) sets forth the requirements for the security and privacy of protected health information. Having a set of HIPAA policies is not enough on its own, but it is the foundation we start from.
identifiable information (PII) and protected health information (PHI). Your security policy provides details on the administrative, technical, and physical safeguards in place.
An example of a policy for an administrative safeguard is an access control policy. We must have the proper controls in place for access to data. Limiting access to data is essential for the protection of your data and to maintain compliance. Be familiar with the user rights within your practice management software. Your IT vendor should limit access to the network. If an employee leaves their workstation, they should either log out or lock the screen to prevent another person from using the previous user’s credentials to access the system.
Two very critical technical safeguards are password management and encryption. If you are not encrypting emails that contain identifiable information and/or protected health information, you are playing with fire. We recently served a dental practice whose office manager’s email was hacked. The cybercriminal intercepted an email to the bank and had the office manager electronically deposit loan proceeds into his account rather than the bank’s. Other emails were breached as well, including patient emails, which triggered breach notification.
Encryption is both affordable and highly effective. Encryption encodes the information or scrambles it so that without the secret key, the information cannot be deciphered. A mobile device policy is equally important. Whether it’s a notebook computer, a flash drive, or a smartphone, if the device contains PII and/or PHI, the data must be secured.
Not to be overlooked is your backup policy. Address how, what, when, and where. Years ago, when I worked for a software company, we supported a dental client who thought she was backing up her data, but an actual evaluation of the backup proved otherwise. Nothing was backed up. If your practice is hit by a ransomware attack, you will not be forced into paying the ransom if your data is backed up and the backup is accurate.
The policies mentioned in this article are only a sampling of the policies you must develop to comply with HIPAA and to maintain good cyber health. On the other hand, policies are meaningless if there is no adherence. This brings us to our next topic: training.
Most dental professionals have taken a HIPAA training course or listened to a presentation. The real question is: was it meaningful? Did the material apply to your office setting? What kind of takeaways can you readily employ? Is the content up to date and pertinent for 2020?
How often do we provide training? HIPAA requires that we provide periodic training and updates about the protection and security of protected health information. Cybersecurity training needs to go even further than that.
According to the Federal Communications Commission, train employees to recognize social engineering.[1] Social engineering tactics coax people into installing malicious software, including fake antivirus software and links that load ransomware.
Cybercriminals use phishing to trick people by impersonating someone else. The criminal may send a false email or a message. Train your team how to recognize suspicious messages and how to report such activity.
Cyber insurance may not immunize you against an attack, but it can certainly help you manage risk and offset costs. Most plans require you to complete an application. If you cannot affirmatively answer the basic questions about your data security, you may not be able to obtain coverage.
Call to Action
Our goal is to encourage you to take action. Protect your data. Protect your practice. Stay cybersane!
Olivia Wann, JD founded Modern Practice Solutions, LLC in the year 2000, serving the compliance needs of dental professionals. As a practicing attorney and active compliance consultant, she is dedicated to helping you achieve peace of mind. firstname.lastname@example.org Telephone (931) 232-7738
[1] Federal Communications Commission, https://www.fcc.gov/cyberplanner. Accessed on February 9, 2020.