In the early days of in-office computer use, dental offices would make the mistake of not professionally setting up their IT network. They would rely on just about anyone who was good at computers, including their patient’s nephew. Today, the hardware has become more sophisticated, but the same mistake is repeated—many practices still don’t have proper IT support.
Part of the problem is mindset. Dentists wrongly think their practice network is just another piece of equipment, such as a dental chair. It’s delivered, they unbox it, and they get it up and running. They forget that their network is a system that needs to be cared for, upgraded, and supported. This is of serious concern, as failure to properly maintain your practice IT network can potentially violate the federal Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA Security Rule is primarily comprised of three sets of “requirements”: technical, physical, and administrative.1 From my experience as a dental technology lecturer and consultant, dentists face a two-fold responsibility in following these requirements. There’s the legal obligation to follow the law, and there’s also a moral obligation. I never met a dentist who didn’t agree that they in fact have a moral obligation to protect patient health information (PHI) and their patients’ confidentiality.
Despite good intentions, some dentists won’t deliver on this promise. It’s not because they don’t care enough. It’s because when it comes to following the requirements, they simply “don’t know what they don’t know.” Therefore, they’re unaware of what they really need to be HIPAA-compliant.
Given recent statistics on healthcare data breaches, it’s important dentists change their mindset and become aware of what they need to do in order to protect PHI. Healthcare data breaches continue to occur at extraordinary rates, according to research.2 Between 2009 and 2017, 2,184 healthcare data breaches were reported to the Department of Health and Human Services (DHHS)3, and breached facilities face heavy fines and litigation.4 According to the HIPAA Breach Notification Rule, “A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”5 Under the rule, healthcare providers must notify the Secretary of DHHS of breaches of unsecured personal health information affecting 500 or more individuals in no case later than 60 days following a breach. They must also inform patients affected by the breach within 60 days of the breach discovery.
Dentists should be concerned about 3 real scenarios that can potentially result in a data breach: cyber criminals or hackers who break into the system to steal data, physical theft of hardware, and increasingly prevalent ransomware attacks, in which you’re locked out of your network and are asked to pay a ransom to regain access to your information, including PHI.
While cyber crime attacks have gained much media attention in the past few years, we also need to pay attention to physical theft, which was the most common data breach type in the 10-year window.4 It’s important to secure your server and other hardware components. Put them in a locked closet, use a secure cable, or bolt them to the floor.
After you’ve physically secured your hardware, you need to ensure network security. This is where many dentists need professional help.
Here are the 3 things your dental office technology needs from an IT service provider to help your office to comply with HIPAA requirements:
1. Up-to-date software and hardware. If you’re behind on your software updates, you’re more exposed to cyber attacks. Years ago, before cybercrime was prevalent, I would say that practices didn’t need to update right away, and they could wait until the bugs and kinks were worked out. Today, I give the exact opposite advice. New versions of software are designed to patch vulnerabilities and better protect you, so you want to be running the latest version of everything. A knowledgeable IT service provider should guide you on the protections you need.
2. Multiple backups. Backups have also evolved. Running your backup on a single hard drive that you take home each night is no longer the safest or most secure method. Today, if your practice is the victim of ransomware or otherwise gets hacked, you need a copy of the data that’s stored remotely. You should have multiple backups, including offsite backups that rely on secure cloud-based technology and encryption. Your IT service provider should handle the complexities of this setup.
Under the HIPAA Breach Notification Rule, a dentist would be relieved from providing notifications following a data breach if their data is encrypted as specified in the HIPAA Security Rule.6 Encrypting data is essential for every dental practice. However, it’s not a do-it-yourself project and can actually slow down your system if done improperly. I advise dentists to hire a professional that specializes in dentistry, like TechCentral by Henry Schein One, to help set up an encryption system for local data and backup data.
3. Basic protections and reliable IT support. Basic protections like malware, antivirus software, and firewalls are not all created equal. They should be enterprise-grade solution maintained by a good, reliable IT professional. This is another reason to hire a reputable company like TechCentral.
Look for an IT service company that has a local office as well as a national presence, plus years of dental experience that can help you navigate HIPAA risk assessment requirements. Don’t do it halfway and don’t do it cheaply. Be willing to look into a reputable IT provider that will not only make your life easier, but help you deliver on the promise of data security.
While local IT providers can easily reach your office, they may not specialize in dentistry and all the idiosyncrasies of dental software, such as Dentrix. TechCentral has the capability and resources to fix many problems in a remote session that spares an in-office visit and disruption of business. But in the event they do need to fix a problem in-person, they’ll send a locally based team member. It’s the best of both worlds!
Dental practices should also consider national providers for their hardware-as-a-service offerings. For instance, TechCentral offers a solution called Omnicore, a “network-in-a-box” solution that eliminates many of the concerns of routine monitoring and maintenance. After helping to install Omnicore, TechCentral takes care of all the maintenance and monitoring remotely. Importantly, they make sure your backup is working properly. Unfortunately, I’ve heard numerous stories where dentists thought they had a backup and discovered the hard way that it wasn’t working. This is one of the things TechCentral will regularly audit.
TechCentral offers services such as secure data backup and storage and remote system monitoring that can help you as you work on your HIPAA Risk Assessment. This support provides tremendous value, delivers peace of mind, and eliminates time-consuming hassles. Ultimately, working with a company like TechCentral allows you to focus on being a better dentist and a better business owner.
In closing, don’t look at your in-office technology like it’s an extra burden. Rather, look at is as a way to make practice/life easier. As I like to conclude my lectures, “The future is coming, and it will be amazing!”
1 https://www.hipaajournal.com/hipaa-compliance-checklist/
2 McLeod Alexander, Dolezel D. “Cyber-Analytics: Modeling Factors Associated with Healthcare Data Breaches.” Decision Support Systems. (April 2018);108:57–68.
3 US Department of Health and Human Services “Breach Portal.” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
4 Dolezel D, McLeod A. Cyber-Analytics: Identifying Discriminants of Data Breaches. Perspect Health Inf Manag. 2019;16(Summer):1a. Published 2019 Jul 1.
5 US Department of Health and Human Services “Breach Notification Rule.” Available at https://www.hhs.gov/hipaa/for-professionals/breach-notification/
6 Ibid
This article originally appeared in Dental Product Shopper
Certain components of the products or services described may be provided by third parties. Henry Schein One, LLC. and its affiliates are not responsible for, and expressly disclaim, all liability for damages of any kind arising out of the use of those third-party products or services.
Dr. Emmott is recognized as the nation's top expert on computer technology in the dental office. His high-energy programs provide the tools needed to make wise technological decisions, saving time and thousands of dollars. Learn more about his presentations at www.drlarryemmott.com and read his blog, Emott on Technology, at www.emmottontechnology.com.