As we welcomed in the New Year on January 1, 2020, no one could have imagined that by March, thousands of dental practices would be forced to close their doors to non-emergency cases in order to help stop the spread of the coronavirus pandemic.
Nobody anticipated the crisis and no one was really prepared. However, dental practices with a well-established technology infrastructure, including complete digital patient records and secure cloud-based technologies, were in a position to deal with the shutdown far more effectively than dental offices without advanced technology in place.
There are two things a dental office can do if it has the proper technology: practice teledentistry and work remotely from home. These options will not take the place of having the office up and running, but they will provide some limited cash flow and give team members something productive to do that will provide value to the office. However, to do these things right, safely and securely, the dentist needs to be aware of the security issues involved.
Teledentistry is defined as “the use of electronic information, imaging and communication technologies, including interactive audio, video, data communications, as well as store-and-forward technologies, to provide and support dental care delivery, diagnosis, consultation, treatment, transfer of dental information, and education.”1 In order to practice teledentistry, you must have a technology system in place, meaning a full infrastructure for your computer network, a reliable server, secure Internet access, and complete digital records, including patient, financial, and communication records.
During the pandemic shutdown, dentists can use teledentistry to do basic office visits and triage emergencies. Do not make your patients go to the emergency room for a dental problem.
Of course, accessing protected health information (PHI) remotely carries certain HIPAA (Health Insurance Portability and Accountability Act) risks. Teledentistry falls under “telehealth remote communications,” as defined by the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS). Informally referred to as “the HIPAA police,” OCR is responsible for enforcing certain regulations under HIPAA to protect the privacy and security of PHI. As a sign of the times, OCR recently granted covered health providers permission to use popular applications that allow for video chats, without risk of penalty for noncompliance with HIPAA rules.2
Ideally, technology vendors should offer HIPAA-compliant video communication products and would be willing to enter into a HIPAA business associate agreement (BAA); however, OCR will not impose penalties against health care providers in the absence of a BAA. Rather, “providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.”2
That leaves an important question: as a dentist practicing teledentistry, what can you do to minimize security risks for your patients and your practice?
Prior to working remotely, there are multiple IT considerations to address. First, you should work with your IT provider to set up a secure virtual private network (VPN) and make sure other remote access systems are fully patched. While VPNs are available commercially, I recommend using one from a provider who’s willing to enter a HIPAA BAA.
Additionally, you should make sure your employees are accessing the VPN with a secure password-protected Wi-Fi connection. Your network should implement multi-factor authentication for in-office use as well as remote access. Depending on your level of preparedness, you should ensure all machines have properly configured firewalls, as well as anti-malware software installed.
This may seem like a lot of boxes to check, but these are just security “basics.” It’s important to get these basics right, which is why I recommend working with the dental IT experts at TechCentral by Henry Schein One.
TechCentral is a national service provider that has local offices as well as a national presence, plus years of dental experience working with offices’ HIPAA requirements. Their deep knowledge of dental IT infrastructure can help inform your teledentistry setup. Moreover, they have the capability and resources to fix many IT problems in a remote, socially distanced session.
Prior to practicing teledentistry, a dental practice should have their own cyber security manual for employees. The manual would be part of a larger effort to create a “culture of security” in the dental practice. Although it’s more difficult to enforce employee protocols when working remotely, communicating basic expectations in key areas can help maintain network security.
Typically, the security protocols outlined in the manual would limit employee use of personal devices and personal web browsing on the practice network. Often, dentists go so far as to block certain websites to further limit exposure to third-party threats.
I’ve also found that dentists can be very casual about password usage in the office. Team members often write passwords on sticky notes in the event they take a day off and someone needs to use their computer. Every time a team member leaves their computer, they should log out and shut it down, but that’s seldom the case.
This is why I recommend you set up password protocols that allow only certain employees access to certain records, whether they’re working in the office or from home. Network passwords should be separate and secret, meaning employees would not share them with each other. Passwords should also require multi-factor authentication, and they should be changed every few months. Ideally, your system would be set up to keep records of which employees did what and when.
TechCentral has the capability to set up your passwords and network access with these best practices in mind.
Another best practice that should always be in effect—whether in-office or out-of-office—is to never click on an email without first looking at the sender, and to avoid clicking attachments that might expose your network to malware.
Ransomware has emerged as the fastest-growing malware threat, and can arrive in the form of an email attachment. Once hackers have access to your network, they may hold your network hostage in exchange for ransom. Worse yet, they may threaten to expose PHI, which could potentially constitute a HIPAA violation.
A firewall and a secure hybrid backup solution, with remote, cloud-based technology and encryption, are two basic protections against malware that all dental practices should have. However, as I wrote previously about dental office technology, not all of these basic protections are created equal. They should be enterprise-grade solutions maintained by a good, reliable IT professional. This is yet another reason to work with a reputable company like TechCentral.
One of the solutions TechCentral offers is OmniCore, a “network-in-a-box” solution that eliminates many of the concerns of routine monitoring and maintenance. After helping to install OmniCore, TechCentral takes care of all the maintenance remotely and their advanced software makes sure your backup is working properly.
Keep in mind that hackers rely on human nature to trick us into not stopping and thinking about the information they’re sending us. In what’s known as “phishing” schemes, hackers send emails purporting to be from reputable companies in order to induce individuals to reveal personal information. A related and emerging scheme is SMS phishing or “Smishing,” in which hackers manipulate text message services to gain access to PHI.3 Smishing might be of particular concern to dental practices that have integrated text messaging into their patient communication systems. It also might be of concern to dentists who are using text messaging for patient outreach on an informal basis during this time.
This brings us to a separate but related topic: what, exactly, can dentists do safely and securely as part of their teledentistry efforts? On one hand, they can triage patients remotely using video conferencing and other applications. On the other hand, there are 5 IT goals dentists and staff members can accomplish while working remotely.
1. Patient communications – You can communicate with patients generally about the pandemic, and you can also search your appointment book and database to discover patients in need of more timely treatment. For instance, if a patient has a temporary, you can reach out to make sure they understand what’s needed for follow-up.
2. Make treatment plans – Several of your patients may be on hold after an initial examination, and you may know they need substantial amounts of non-emergency work done. You can treatment plan from home, provided you have access to digital patient records and diagnostic images.
3. Run reports – There are several business analysis reports we’re supposed to run on a frequent basis, but rarely do. This may include collections data, recall percentages, and chair-time analysis. Reports can lead to insights that can help you become more effective once you get back to work full-time.
4. Purge databases – Databases tend to become cluttered with duplicate sets of data we no longer need, which can slow things down and lead to bad searches. When you clean out databases, there are things you want to delete, such as duplicated patient contact or insurance provider information. There are other data sets you want to deactivate so they’re no longer in your search. For instance, you may want to deactivate (not delete) treatment plans that you created for patients, as part of the patient record.
Maintaining databases is one of the managed IT services a provider like TechCentral can help you with. They have the tools and software to identify redundancies in your data that might be taking up space. Also, in the event you accidentally delete important data, they can help you retrieve it from an archived backup.
5. Reestablish security protocols – Use this time to go through systems and reestablish security protocols. Delete from the system staff members who may have password access but no longer work for you. Revisit or create your cyber manual and give thought to how you can create a “culture of security” and a workplace in which every employee takes security seriously. Keep in mind that when it comes to maintaining HIPAA compliance, the majority of work is administrative paperwork, including staff training. If you ever get audited, you’ll need to provide records of who attended training and when, so make sure these records are up to date and organized.
As your IT partner, TechCentral provides general security protocols to their dentist customers and can provide a general framework to communicate best practices to your staff.
When it comes to IT services, do your due diligence and don’t cut corners. Working with a reputable IT provider, like TechCentral, will not only make your life easier, but help you deliver on the promise of data security.
The COVID-19 pandemic has reminded dental professionals not to take for granted the amazing 21st century technologies available to us. They can help us maintain a business operation remotely during unthinkable circumstances. We’re also reminded we have some work left to do to make this transition safer and more secure. Don’t forget: “The future is coming, and it will be amazing!”
This article originally appeared in Dental Product Shopper
Certain components of the products or services described may be provided by third parties. Henry Schein One, LLC. and its affiliates are not responsible for, and expressly disclaim, all liability for damages of any kind arising out of the use of those third-party products or services.
Dr. Emmott is recognized as the nation's top expert on computer technology in the dental office. His high-energy programs provide the tools needed to make wise technological decisions, saving time and thousands of dollars. Learn more about his presentations at www.drlarryemmott.com and read his blog, Emmott on Technology, at www.emmottontechnology.com.