Ask your IT provider these key questions

As I am writing this article, we continue to suffer through difficult times: COVID is still a major concern and the country is suffering through protests and social upheaval. Dental offices are under attack, but for different reasons. It is well-known that patient records are the highest value items on the black market, and with many offices more focused on PPE and patient safety than on their digital security, I am seeing a lot of practices that are at high risk.

While many dental offices are doing what they can to protect their data, most will require the services of an IT company to assist in that. Most dentists and staff just don’t have the training nor the experience to manage the ever-changing landscape of HIPAA and cybersecurity. The problem, as evidenced in well-publicized ransomware attacks on dental offices in Wisconsin and Colorado, is too many IT companies are themselves, not following best practices, and are putting their clients’ critical data at risk. If you are working with an IT company, here are a few of the questions you really should be asking them:

1. Is the IT company using 2FA to access their remote access portal? Most of us setup remote access to our clients’ computers so we can provide support, both during the day and after-hours. It’s vital that we ensure that only our technicians, and not strangers, can access those portals. One way to do that is through 2FA, two-factor authentication, or sometimes called multi-factor authentication. In a nutshell, whenever one of our techs attempts to access our portal, they are sent a code to their cell phone that they must use within a few minutes to access the site, they cannot access the site without it. Another technique which some remote access portals use is IP restrictions. Basically, all computers on the internet have a unique IP address, and you can set it up so that only computers with specific IP addresses can access the site.

2. Is this IT company testing your backups? Forget for a second that there is a HIPAA law that says you must test and verify your backups. Even without HIPAA, it’s important to know that your backup is actually working and that you easily restore it should you suffer a disaster. It’s not enough to just see that the software says the backup was successful, as that may not be valid, but you need to confirm that you are actually backing up all necessary files. Should your office ever suffer a ransomware attack, in many cases, having a good (and encrypted) backup is the only way to get your data back without paying a huge ransom.

3. Has your IT provider done a proper risk assessment and created a HIPAA Management Plan? As anyone who has suffered through a HIPAA audit knows, taking a quick 10-15 minute survey online isn’t even close to being adequate for a risk assessment. When a new patient comes in, you don’t start treating them based just on their medical and dental history forms (at least, I hope you don’t!).

You have to diagnose first—you take X-rays, restorative charting, perio probing, etc. And, based on that, you then develop a treatment. Well, HIPAA uses the same method—how can you handle the areas where your practice isn’t meeting HIPAA requirements until you actually look?

The point being, a risk assessment must include a thorough evaluation of your IT systems, and in most cases, your IT providers are the only people who can do this. Unfortunately, in my experience, many IT companies don’t provide that risk assessment or HIPAA Management Plan for their clients.

Many dental offices are paying substantial amounts each month to professionals to make sure that their practice is protected and secure. It’s never a bad idea to review that relationship to make sure you are getting what you need.