As 2022 comes to a close, we answer some of the most-asked questions in data security.
Like many businesses, I am updating my website. One thing I plan to add is a section on FAQs (frequently asked questions). Between my online presence, lectures, webinars, and these articles, I get outreach every day from dental offices needing my help.
What I have noticed, however, is that the same questions keep cropping up. So, this article identifies the 5 questions I am asked most often.
1. Can you get us 100% Health Insurance Portability and Accountability Act (HIPAA) compliant? In a word, no. And if anyone promises you that or guarantees that they can ensure you pass a HIPAA audit, then my advice is to run away, fast. In my experience, it is impossible for any entity, especially a dental office, to get 100% compliant. There are close to 700 pages of rules and regulations, and many are known as addressable, meaning how you deal with those is open to some interpretation. We often hear about multimillion-dollar HIPAA fines and settlements in the news; those typically involve large healthcare organizations with multiple HIPAA compliance experts on the payroll. Dental offices are at a distinct disadvantage.
2. Why is ransomware so important? For starters, there is no more valuable asset on the black market than a patient health record. Most contain contact information, date of birth, credit card information, and more. Dental offices have been, and always will be, a target of these criminals. Anyone hit with ransomware knows that even with a great backup and disaster recovery process in place, you are still looking at hours, if not days, of downtime to remove the virus and restore your systems. Finally, in 2016, the US Department of Health and Human Services determined that a ransomware infection qualifies as a breach, meaning you must notify all your patients and the local media.
3. If I use a cloud-based practice management software (PMS), do I still need a server? Yes. Cloud-based software offers a nice advantage in that all the data is housed on someone else’s server, not yours. But even though the PMS has most of the data, in almost all cases it does not contain all your data. Emails, QuickBooks, Word documents, spreadsheets, Invisalign files: anything that contains a patient name, phone number, chart ID, or any of the 15 other identifiers is considered electronic protected health information. That means you must encrypt it, back it up, and control access to it, which is exactly what a server is designed to do.
4. What is the best way to protect my data from viruses? Unfortunately, the days of just slapping some free antivirus software on your computers and being safe are long over. I really recommend a 3-pronged approach. First is a business-class firewall to stop most viruses from entering the network. Second is antivirus and anti-ransomware software to deal with the viruses that get through. Finally comes application whitelisting software to prevent any unapproved programs from running if the first 2 steps fail.
5. What is the best way to back up my data? What I highly recommend is a local copy of the entire server (called an image), plus an off-site copy of the data in the cloud in case of a disaster at the office, such as a fire or flood.
Was your most pressing question on this list? If not, please feel free to reach out to me.