Sunday, December 14, 2014

Dental IT Security Guide: 6 Basic Steps to Secure Your Practice and Patient Data

Today’s guest post is from Bryan Currier, CEO of Advantage Technologies – Enjoy!



As our dependence on IT systems in dental practices has grown, so has the importance of safeguarding those systems. It has also made those systems a target for malicious use.

Consider this. If you’re a rather unscrupulous identity theft type of individual, what are you looking for? Name, address, social security number, employer information, family info, etc. Sounds remarkably like the patient information section of a practice management system, doesn’t it?

To put this in perspective, a study by the Health Information Trust Alliance (HITRUST) found that there were 495 breaches of healthcare providers from 2009 to 2012. Those breaches exposed 21 million patient records at an estimated cost of $4 billion. Interestingly though, many of the breaches targeted small practices with large-scale automated attacks. That’s in contrast to larger practices, hospitals and health plan systems, which actually experienced a decline in breaches from 2010 to 2011.

So the days of “I’m too small to worry about this” are over. That’s the bad news. The good news is that security is not rocket science. It simply requires intent. This guide will give you some of the basic steps to get started with practice security.

Now, this guide is NOT a replacement for a full IT security audit. That should be done by a qualified IT firm that understands dental practices and government regulations such as HIPAA, HITECH, and PCI. This will, however, help you start thinking about some things that you need to consider.

1. Secure Your Devices – Sounds pretty basic, yes? You’ll be amazed. We find that some people carelessly leave laptops, tablets, and mobile devices out for people to take. Some providers have been hit by expert thieves who steal those devices to try to extract data. First, keep the devices physically secure by not leaving them in places where they can be stolen. Second, use passwords and encrypt the device with software that does not allow thieves access.

2. Data Loss Prevention – In addition to general security of your data, dental healthcare providers need to have a data loss prevention system in place. Data loss prevention is required by HIPAA and PCI standards. If you ever need to demonstrate compliance, you will want to be able to show that your data is being backed up. It’s also nice to know that your data is available in case of disaster. Do you know how, or if, your backup works? Do you know what is being backed up? Where, when, and how often? Those are some questions that you should ask.

3. Current Security Software – Every server and workstation should have current business class security software installed and running (anti-virus and anti-malware). It needs to be updated, current, and configured properly. It should also be proactively scanning your systems at appropriate times. Also, you should have a technology use policy in place for your employees so they are not using sites that could expose the network to harmful viruses and malware.

4. Secure Remote Access – If you’re wanting to access your patient information remotely, that’s great. It’s one of the benefits of the cloud that you don’t have to run into the office to see what procedure was done on ‘Mrs. Smith’ two days ago. However, it’s important that you use an encrypted connection. Here’s a good rule of thumb – if it’s free, it’s not encrypted. Get a real business class remote access system that is encrypted and safe. It’s not expensive and it works faster, better, and is safe for you and your data.

5. Use Business Class E-Mail – If your work e-mail ends in Gmail, AOL, Yahoo, etc., then it has no place being in your practice. Don’t get me wrong, using it for personal e-mail is fine, but it should never be used for patient information. You should have your own domain name (yourpractice.com) for business e-mail communications. In addition to just looking more professional, you don’t have to worry about the host site going through your e-mail messages looking for relevant keywords to sell you ads. There is basically no privacy on those free hosted sites. If you’re going to send protected health information (PHI) via e-mail, then you MUST use a secure e-mail system (like SecureDDS). No exceptions. Without it, your potential for exposure and fines because of data breaches exponentially increases. Use secure e-mail, or just use good old snail mail.

6. Business Class Firewall – Your internet connection is the gateway to your network. A firewall controls the incoming and outgoing network traffic by analyzing the data and determining whether it should be allowed through or not. The firewall you have in place is specifically designed to prevent anyone from the outside being able to gain access. This is a bit more technical, but the idea is that you don’t want to give people an ‘open door’ to your network.

These are some basic steps to your IT security. The best thing you can do is to be intentional about security. The days of calling someone when something breaks are long over. That’s too expensive, too unpredictable, and too unprofessional for a practice where patient care depends on reliable IT. Get an IT management company that understands dentistry, and let them properly manage your IT systems. IT should be a reliable tool to help you deliver excellent patient care.

Bryan Currier is the CEO of Advantage Technologies, an IT company committed to delivering Hassle Free IT to dental practices. For the past 14 years, he and his team have worked with more than 1,000 practices, helping them effectively integrate computers and digital technology. Bryan is a sought-after speaker at dental and IT conferences throughout the country. He has been published in the Journal of the American Association of Oral and Maxillofacial Surgeons and Doctor of Dentistry Magazine.

For more information about Bryan Currier, Advantage Technologies, and dental-specific technology solutions, visit www.adv-tech.com.