The entire dental industry is increasingly in the crosshairs of regulators and lawyers, who are focused on how practices safeguard protected health information (PHI). The “bad guys” want to steal your customers’ data, and regulators want to punish you if the bad guys succeed.
Most dental offices have the latest equipment and trained teams to improve patient service, but when it comes to security, many are lacking. The dental industry suffers the same trends and penalties as healthcare in general, such as an uptick in cyber-attacks, social engineering, malware, and cyber ransom that can result in millions of dollars for response, credit monitoring, and fines. But now, the Office of Civil Rights (OCR) is taking a closer look at how PHI is protected—across all forms of healthcare, including dentistry.
It may be surprising to learn that half of all dental PHI breaches are due to theft.
In one case in Nevada in 2015, 12,000 records were compromised when a device with unencrypted data was stolen. In another, a laptop was stolen from the car of a business associate, a theft that impacted 76,000 victims.
But other types of incidents are surfacing as well. Last year, one dental practice exposed 151,000 records, complete with patient names, Social Security numbers, birth dates, phone numbers, and home addresses, when hackers used malware to obtain an employee's user name and password for the practice’s membership database.
Theft and hacking are just the beginning. An increasingly popular tactic is crypto-ransomware, a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it.
In fact, ransomware has become so pervasive that the FBI has warned it has become one of the biggest threats to consumers and businesses. Victims can be infected by clicking on links in malicious e-mails that appear to be from legitimate businesses and through compromised advertisements on popular websites. Or they can become victims by simply visiting the wrong website, as discovered in one major case in California, where a hacker used crypto-ransomware, downloaded via browser drive-by (visiting compromised websites), and the practice was taken offline for several days until backups were recovered. Data recovery was only the beginning of that hack; the dental practice had to notify regulators, and a federal investigation ensued.
Data breaches are crippling to dental organizations. They can face millions of dollars in losses due to lost business, fines, remediation, and litigation.
One way for dentists to avoid a PHI breach or loss is to regularly conduct HIPAA security risk assessments (SRAs) in their practices. SRAs look at the current state of affairs and then provide a remediation roadmap that helps the entire team correct gaps in compliance from a technical, physical and administrative perspective.
Another way to lessen risks is to take advantage of cloud computing. Storing data in the cloud is a popular choice for dentists due to its agility and cost effectiveness. By moving their server from the office to the cloud, dentists remove the number one cause of compromised PHI: theft of the server due to insecure in-office environments.
Henry Schein TechCentral and its security partner, ClearData, can conduct SRAs and offer cloud technologies and managed services that can play an important role in helping you protect your practice from data thieves. To learn more about TechCentral support and maintenance options, call 877.483.0382 or visit www.henryscheintechcentral.com.