Dr. Lorne Lavine, founder and president of The Digital Dentist, has more than 30 years invested in the dental and dental technology fields. A graduate of USC, he earned his DMD from Boston University and completed his residency at the Eastman Dental Center in Rochester, N.Y. He received his specialty training at the University of Washington and went into private practice in Vermont until moving to California in 2002 to establish TDD, a company that focuses on the specialized technological and HIPAA needs of the dental community. He can be reached at email@example.com or 866-204-3398.
I recently had the pleasure of speaking at a practice management software company’s annual meeting in Nashville. The title of that course was “Cybersecurity: What You Don’t Know CAN Hurt You,” and I thought that would be an excellent tie-in for this month’s article.
Security holes. Unauthorized or outdated users. Unknown devices. Unlicensed software. Ports on your firewall that are open to the internet. These are just a few of the big liability issues that I see on at least 90 percent of the networks that I evaluate. And, this is true even for dental offices that are supposedly monitoring their networks on a regular basis. When is the last time you had a third-party individual or company come into your practice (or remotely) and take an objective look at how your network is configured?
Many of us in the IT world have switched away from the older break-fix model (you call us when there’s a problem) to the more modern managed services model, where you pay monthly for ongoing services. Break-fix is inherently more costly in the long run for both service and repairs, not to mention putting a dollar value on any downtime that you suffer. But, more importantly, with that older model, there’s nobody that is monitoring your critical network settings that control access to your patient data.
If you’re one of the many offices that have made the switch to a managed services model, that’s a great first step. But, it still never hurts to have someone who is an expert in HIPAA and cybersecurity take another look. Often, that second set of “eyes and ears” will find things that your regular IT providers might have missed, or at the very least, they can validate if your current IT is using best practices for protecting your data. This is not to suggest your current IT doesn’t know what they are doing; far from it. But, given how complex modern dental networks are and the multitude of things you need to monitor for HIPAA compliance, even the best local IT people can occasionally miss something important.
The good news is most Office Managers and HIPAA Compliance officers welcome these types of evaluations. In my experience, the local IT company will also normally be receptive to this, if you phrase it in such a way that you’re not looking to replace the services they provide for you but rather, to supplement what they are offering. At the end of the day, you, as the Covered Entity, are ultimately responsible for your entire IT system; you can’t point the finger at your IT folks if the HIPAA auditors ever come calling.
The other good news is these scans can often be quick and painless. When we do this for an office, we call it a “tech audit.” It normally takes no more than 20 to 30 minutes, and when done, it will give you a treatment plan of where your office isn’t meeting accepted standards for data protection and security. It’s done remotely: we simply run some software on a few computers and ask your staff a few questions to get a clear picture of where you are at. You should not confuse this tech audit, though, with a full-blown risk assessment. Risk assessments normally take at least 4 to 5 hours, not to mention the time needed to then develop a HIPAA Management plan.
As HIPAA audits are becoming more common and the fines and penalties are rising on a regular basis, you should ask yourself when you last did a network evaluation. If it’s been longer than six months, what are you waiting for?