From formal risk assessments to encryption, here is a comprehensive list to ensure your practice data is safe.
Many of you who used to watch David Letterman are familiar with his “Top 10 List,” a nightly segment in which he counted down the top 10 things related to a specific topic. Although I wish my list were as funny as his usually were, that’s probably not the case, because what we are talking about is serious business. So, allow me to present the top 10 things (in no particular order) dentists can do to protect their data.
1. You must do a formal risk assessment and have a Health Insurance Portability and Accountability Act (HIPAA) risk management plan in place. You wouldn’t treat a patient without doing a diagnostic workup and presenting a treatment plan, and HIPAA works the same way: the risk assessment is the workup, and the risk management plan is the treatment plan. You can’t know where you’re falling short of the rules, regulations, and best practices until you actually, you know, look.
2. Set up a secure and compliant backup and disaster recovery system. If a patient goes to 5 different dentists, they’re going to get 5 different treatment plans, and you will get the same range of opinions from 5 different information technology (IT) providers. That being the case, your protocol at the very least should involve a local backup of the entire server (also known as an image), an offsite backup either to the cloud or to encrypted hard drives that are taken home nightly, and regular testing and verification. Testing means actually restoring from the backup and confirming that the files come back intact, not just checking that the backup job reported success. And because ransomware will encrypt any backup it can reach, at least one copy should be kept disconnected from the network, out of reach of the very systems it protects.
3. Keep all your software current and up to date. It’s not just smart, it’s part of meeting your HIPAA obligations, and the process is called patch management. This is usually best done by an IT company. Although you can patch Windows on your own, I don’t recommend relying on that alone: most offices have dozens of software programs, the practice management and imaging applications don’t update themselves through Windows Update, and manually patching all of them is complex and time-consuming.
4. Encrypt every device that contains electronic protected health information (ePHI). At the very least, this includes the server, but many offices add the doctor’s computer, office manager’s computer, laptops, and the portable drives used for backups. If it holds a patient name, chart ID, date of birth, phone number, or any of the 14 other HIPAA identifiers, then it’s ePHI and must be encrypted and backed up. Fortunately, pretty much any computer built in the past 8 to 9 years can run BitLocker, the free full-disk encryption built into Windows. Two caveats: BitLocker requires the Pro or Enterprise edition of Windows (the Home edition offers only a limited “device encryption” on some hardware), and the recovery key it generates must be stored somewhere safe and separate from the machine, because without it a locked drive is unrecoverable.
5. Speaking of encryption, you also must encrypt your online communications with patients and referring offices. Ordinary email was never designed to protect its contents from sender to recipient, so ePHI should only go out through an encrypted email service. Most of the better solutions will work with your existing email address, and you shouldn’t have to pay more than $40 to $50 per month for a good, encrypted email system.
6. Invest in a business-class firewall. A firewall controls what traffic is allowed into (and out of) your network, and business-class models add intrusion prevention and web filtering that consumer routers lack. Stay away from consumer-level devices, such as Linksys and Netgear. Instead, consider a firewall from companies like Sophos or SonicWall.
7. Firewalls are a great start, but they are not infallible, so you should also have good antivirus software on every computer. Emsisoft, ESET, Trend Micro, Bitdefender—there are numerous good antivirus programs.
8. Although most antivirus programs say they are effective against ransomware, that isn’t always the case. Consider anti-ransomware-specific software, such as Intercept X or HitmanPro, which watches for the behavior of ransomware (rapid encryption of many files) rather than relying only on recognizing samples it has seen before.
9. With much malware being brand new (“zero-day,” in everyday usage), meaning your antivirus has never seen it and won’t recognize it as a virus, you must consider application whitelisting. Basically, all the good programs on the list can run, and anything not on the list, including malware, gets stopped in its tracks. Windows includes this capability as AppLocker. Plan on maintaining the list, though: every software update changes the programs you have approved, so rules based on the software publisher’s digital signature are far easier to keep current than rules based on individual file hashes.
10. Finally, invest in annual training for you and your staff to stay on top of these security risks. A staff member clicking on a phishing email is one of the most common ways ransomware gets into an office, and no firewall or antivirus program fixes that.
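As an added example of the testing and verification called for in item 2 (this is not the article’s code, and it is a file-level stand-in for the full server image the article describes), the following PowerShell script backs up a folder, copies the archive to a second drive, and then proves the backup is usable by restoring it from the offsite copy and comparing SHA-256 hashes against a manifest taken before the backup ran. The three paths are assumptions for illustration.

```powershell
# Added example, not the article's code: a file-level stand-in for item 2.
# Backs up a folder, copies the archive to a second ("offsite") drive, then
# proves the backup is usable by restoring it and comparing SHA-256 hashes.
# All three paths are assumptions for illustration; change them for your office.
param(
    [string]$Source          = 'C:\PracticeData',
    [string]$LocalBackupRoot = 'D:\Backups',
    [string]$OffsiteRoot     = 'E:\OffsiteBackups'   # e.g. the encrypted drive that goes home nightly
)
$ErrorActionPreference = 'Stop'
foreach ($dir in $LocalBackupRoot, $OffsiteRoot) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $LocalBackupRoot "practice-$stamp.zip"
$srcRoot = $Source.TrimEnd('\')

# 1. Manifest: relative path and SHA-256 of every file BEFORE it is backed up.
$manifest = Get-ChildItem -Path $srcRoot -File -Recurse | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($srcRoot.Length + 1)
        Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}
$manifest | Export-Csv -Path "$archive.manifest.csv" -NoTypeInformation

# 2. Local backup.
Compress-Archive -Path (Join-Path $srcRoot '*') -DestinationPath $archive

# 3. Offsite copy, and confirm it is byte-for-byte identical to the local archive.
$offsiteCopy = Join-Path $OffsiteRoot (Split-Path $archive -Leaf)
Copy-Item -Path $archive -Destination $offsiteCopy
if ((Get-FileHash $archive -Algorithm SHA256).Hash -ne (Get-FileHash $offsiteCopy -Algorithm SHA256).Hash) {
    throw "Offsite copy $offsiteCopy does not match $archive"
}

# 4. Test restore FROM THE OFFSITE COPY (the one you would actually rely on after
#    a fire or a ransomware attack) into a scratch folder, and re-hash every file.
$restoreDir = Join-Path $env:TEMP "restore-test-$stamp"
Expand-Archive -Path $offsiteCopy -DestinationPath $restoreDir
$failures = foreach ($entry in $manifest) {
    $restored = Join-Path $restoreDir $entry.RelativePath
    if (-not (Test-Path -LiteralPath $restored)) {
        "$($entry.RelativePath): missing from restore"
        continue
    }
    if ((Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash -ne $entry.Hash) {
        "$($entry.RelativePath): contents differ after restore"
    }
}
Remove-Item -LiteralPath $restoreDir -Recurse -Force

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw "Restore test FAILED: $(@($failures).Count) file(s) did not verify"
}
Write-Output "Backup $archive verified: $(@($manifest).Count) file(s) restored and hashed OK"
```

A real server image also captures the operating system, the practice management database while it is open, and files larger than the zip format handles, which is why the article recommends letting an IT provider run the backup product. The point the script makes is the discipline: hash before, restore from the copy you would actually depend on, hash after, and treat any mismatch as a failed backup rather than a warning.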
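Items 4 and 9 both describe a control that can be installed and still not be doing anything: BitLocker with protection suspended, or AppLocker in audit-only mode. The following PowerShell function, added here as an example and not taken from the article, reports which of those controls is actually in force on the computer it runs on. The function name Test-PracticeControls is an assumption for illustration; the cmdlets it calls (Get-BitLockerVolume, Get-Service, Get-AppLockerPolicy) are the ones Windows ships for this purpose. Run it from an elevated PowerShell on a business edition of Windows.

```powershell
# Added example, not the article's code: check whether the controls from items 4
# (BitLocker) and 9 (application whitelisting via AppLocker) are actually in force
# on this computer. Run from an elevated PowerShell on a business edition of
# Windows; both cmdlet modules ship with Windows, so there is nothing to install.
# The function name is an assumption for illustration.
function Test-PracticeControls {
    $findings = @()

    # --- Item 4: every volume should show ProtectionStatus On and keep a recovery key ---
    foreach ($vol in Get-BitLockerVolume) {
        $mp = $vol.MountPoint
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$mp : BitLocker protection is $($vol.ProtectionStatus) (volume is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted)"
        }
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($protectors -notcontains 'RecoveryPassword') {
            $findings += "$mp : no recovery password protector; if the TPM or password is lost, the ePHI on this volume is gone"
        }
    }

    # --- Item 9: AppLocker only enforces when its service runs and the policy says Enabled ---
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings += 'AppLocker: the Application Identity service (AppIDSvc) is not running, so no whitelist is enforced'
    }
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exeRules) {
        $findings += 'AppLocker: no executable (Exe) rule collection at all; every program is allowed to run'
    } elseif ($exeRules.EnforcementMode -ne 'Enabled') {
        $findings += "AppLocker: Exe rules are in '$($exeRules.EnforcementMode)' mode, not Enabled (AuditOnly logs but does not block)"
    } elseif ($exeRules.ChildNodes.Count -eq 0) {
        $findings += 'AppLocker: Exe collection is enforced but contains no rules, which AppLocker treats as allow everything'
    }

    return $findings
}

$result = Test-PracticeControls
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Output 'BitLocker and AppLocker checks passed on this computer' }
```

Run it on the server and on every computer you listed under item 4. Each warning it prints is a gap that belongs in the risk management plan from item 1, with a date by which it will be closed.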
If your office follows all of these top 10 items, you’ll be ahead of the game when it comes to meeting HIPAA requirements and cybersecurity best practices.