Why you should consider regular network scans and risk assessments for your practice.
Most of us visit our physicians on a regular basis in the hopes we can be given a “clean bill of health.” But what about your IT systems? Have you been given a clean bill of health for them?
What do I mean by that? For the sake of cybersecurity, I’m saying nobody has access to files, folders and data who shouldn’t have this type of access. If you’ve taken a device out of commission (replaced a computer, for example), then it shouldn’t be able to access your network. There shouldn’t be any new devices connected to the network that look unfamiliar to you or you don’t recall adding. Everyone should be using strong passwords or other techniques, such as fingerprint scanners, to protect network access. Each person should be assigned permissions on what he or she can and can’t do on the network that are in line with your security policies. You shouldn’t have open ports in your router/firewall that put the network at risk. You get the idea.
Having done network scans and audits for more than a decade, I know they can be a bit disruptive to your practice. They’re time-consuming, intrusive and not cheap. However, in my experience, when we do a proper scan, we catch 99 percent of all issues and 100 percent of the most common ones.
The system we currently use only takes around 20 to 30 minutes for us to run the scan. Unlike some systems out there, we don’t install “agents,” which are small programs that would stay on your server and computers until we remove them.
Once access is given to a technician, the office can go about its business of treating patients and let the IT people work in the background. We simply run the scan software on the server and workstations and everything happens automatically after that.
It’s important to understand there are two types of scans that can be done. The first, as I described above, is what we call a “tech audit.” It only takes a few minutes and can give a good overview of the network setup. It’s a service my company never charges for, as it doesn’t take long and it can be very helpful to a practice to get a better idea of where it stands when it comes to HIPAA.
A more comprehensive scan, which HIPAA refers to as a risk assessment, is significantly more time-consuming and thorough, but as with the tech audit, most of the work happens behind the scenes and should only cause a minimal amount of disruption to the practice.
It’s also important to understand that even if you do a formal risk assessment, it doesn’t end there. First and foremost, if the risk assessment was done properly, it should generate a HIPAA Management Plan, which is their version of a treatment plan but for HIPAA compliance.
Doing a risk assessment but not following through with resolving the issues is worse from a HIPAA standpoint, as they consider this to be willful neglect. The largest amount of fines and penalties are applied to practices deemed to have been aware of issues but chose not to address them.
Second, risk assessments should be updated on a regular basis. I normally recommend two to four per year. Computers and networks aren’t static devices, and every day there’s new data being added, new programs or files being downloaded, multiple people using the computer, etc.
I highly encourage all dental practices to call their IT provider to see if they have a clean IT bill of health. You might not be happy with the results, but if the assessments are done properly, you’ll have a much better idea of the best path forward.