BreachExchange mailing list archives

Cyber security new necessity for dental practices


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Feb 2015 19:06:35 -0700

http://www.dentistryiq.com/articles/2015/02/cyber-security-new-necessity-for-dental-practices.html

The provision of health care is changing rapidly as providers try to
maintain maximum efficiency while navigating a technology-rich climate. As
a result of their reliance on electronic data, dental offices have become
vulnerable to cyber security threats. The growing volume and sophistication
of cyber attacks suggest that dental practices will have to grow
increasingly vigilant to ward off these threats. A breach of cyber security
will inevitably lead to significant expenses, both financial and
reputational, which can wreak havoc on a dental practice.

Many dentists believe that cyber criminals are not a threat to their small
dental offices. However, given the choice between a large corporation or
bank with security teams and firewalls and a dental office with neither, an
attacker will pick the dental practice. In fact, many hackers specifically
target small dental offices because they believe small businesses don’t have
the resources for sophisticated security devices and do not enforce employee
security policies.

Dental practices are becoming targets for cyber criminals more frequently.
These offices hold a vast amount of data, including names, health
histories, addresses, birthdates, social security numbers, and even banking
information of hundreds, if not thousands, of patients. The threat of this
information being stolen by a staff member or a cyber criminal is great,
and dental practice owners must address this concern before a theft creates
a legal nightmare for the practice.

Health care organizations make up roughly 33% of all data security breaches
across all industries, and the health care industry is the most breached
industry in the U.S. According to the U.S. Department of Health and Human
Services, almost 21,000,000 health records have been compromised since
September 2009. It’s been shown that human error causes the majority of
personal health information data breaches, and that the actions of
health-care employees cause three times as many breaches as external
attacks.

The most common causes of data breaches in health care organizations are
theft, hacking, unauthorized access or disclosure, lost records and
devices, and improper disposal of records. A significant proportion of
health care breaches are a result of lost or stolen mobile devices,
tablets, and laptops. Security breaches are not inflicted solely upon the
large HMOs, as more than half of all organizations that suffer from
security breaches have fewer than 1,000 employees.

The Health Insurance Portability and Accountability Act (HIPAA) requires
health-care providers to maintain the privacy of patient health
information, and to take security measures to protect this information from
abuse by staff members, hackers, and thieves. The penalties imposed on
health-care providers for HIPAA violations are great. Monetary penalties
can range from a $100 fine to a $50,000 fine per violation, with a
$1,500,000 maximum annual penalty. In addition to federal penalties,
dentists may face penalties imposed at the state level, as well as lawsuits
filed by disgruntled patients whose health information was compromised.

It’s crucial for dentists to take steps to ensure that their practice is in
compliance with HIPAA provisions regarding computer security. Because the
majority of data security breaches occur when staff members exercise poor
judgment or fail to follow office procedures, the location of computers in
the dental office is key. All computers should be placed in areas where the
computer screens are not visible to patients and visitors, and each
computer should be password protected. Passwords should
contain mixed-case letters and numbers or symbols and should be changed
regularly. Also, passwords should not be written down under keyboards or
kept on desks or surfaces where the public could access them. Dentists
should ensure that all staff members understand the importance of
maintaining the privacy of patient health information.

Every dental practice should have a policy for safeguarding patient
information, and should educate staff members about how to comply with the
office policy. A strict Internet and computer policy that prohibits staff
members from checking personal email accounts or visiting Internet sites
that aren’t work-related should be enforced. It’s also important for
dentists to make sure that all firewalls, operating systems, hardware, and
software devices are up to date, strong, and secure, and that wireless
networks are shielded from public view. Antivirus software should be
installed on every computer, kept updated, and checked regularly.

When accessing office data remotely, dentists should use only trusted Wi-Fi
hot spots and never use shared computers. Smartphones and tablets should be
password protected to prevent easy access to patient information in case a
device is lost or stolen. In addition, all hard copies of documents with
patient information should be shredded. Finally, to make sure your dental
practice is HIPAA compliant, data transmitted to payers, health plans,
labs, and other health-care providers may need to be encrypted to ensure
that a hacker will not have access to the data.

Because dental practices are subject to heightened government enforcement,
and the scope of fines and penalties for data breaches has increased, many
practices rely on cyber insurance for protection in the event of a breach.
These policies cover the cost of investigating a theft, compensate the
insured for all state and federal fines and penalties imposed, and fund all
related lawsuits and legal fees, thus relieving the dentist of the
financial and time burdens imposed by the security breach.

If a security breach in your office does occur, it’s imperative that you
take appropriate action immediately. This includes determining how the
breach occurred and the extent of the breach. You must be very careful who
you initially contact and provide with information. Any improper or
accidental disclosure to a third party other than legal counsel may be
subject to the rules of discovery if litigation occurs, which could
increase the liability exposure of the practice owner.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 