I recently had the pleasure of speaking for a practice management software company’s annual meeting in Nashville and the title of that course was “Cybersecurity: What You Don’t Know CAN Hurt You” and I thought that would be an excellent tie-in for this month’s article.
Security holes. Unauthorized or outdated users. Unknown devices. Unlicensed software. Ports on your firewall that are open to the internet. These are just a few of the big liability issues that I see on at least 90 percent of the networks that I evaluate. And, this is true even for dental offices that are supposedly monitoring their networks on a regular basis. When is the last time you had a third-party individual or company come into your practice (or remotely) and take an objective look at how your network is configured?
Many of us in the IT world have switched away from the older break-fix model (you call us when there’s a problem) to the more modern managed services model, where you pay monthly for ongoing services. Break-fix is inherently more costly in the long run for both service and repairs, not to mention putting a dollar value on any downtime that you suffer. But, more importantly, with that older model, there’s nobody that is monitoring your critical network settings that control access to your patient data.
If you’re one of the many offices that have made the switch to a managed services model, that’s a great first step. But it still never hurts to have someone who is an expert in HIPAA and cybersecurity take another look. Often, that second set of “eyes and ears” will find things that your regular IT providers might have missed, or at the very least, they can validate whether your current IT is using best practices for protecting your data. This is not to suggest your current IT doesn’t know what they are doing; far from it. But, given how complex modern dental networks are and the multitude of things you need to monitor for HIPAA compliance, even the best local IT people can occasionally miss something important.
The good news is that most Office Managers and HIPAA Compliance Officers welcome these types of evaluations. In my experience, the local IT company will also normally be receptive to this, if you phrase it in such a way that you’re not looking to replace the services they provide for you but rather to supplement what they are offering. At the end of the day, you, as the Covered Entity, are ultimately responsible for your entire IT system; you can’t point the finger at your IT folks if the HIPAA auditors ever come calling.
The other good news is that these scans can often be quick and painless. When we do this for an office, we call it a “tech audit.” It normally takes no more than 20 to 30 minutes, and when done, it gives you a treatment plan showing where your office isn’t meeting accepted standards for data protection and security. It’s done remotely: we simply run some software on a few computers and ask your staff a few questions to get a clear picture of where you stand. You should not confuse this tech audit, though, with a full-blown risk assessment. Risk assessments normally take at least 4 to 5 hours, not to mention the time needed to then develop a HIPAA Management plan.
As HIPAA audits become more common and the fines and penalties rise on a regular basis, you should ask yourself when you last did a network evaluation, and if it’s been longer than six months, what are you waiting for?