DPR Top 100: Dr Lavine's Top 10 Ways to Safeguard Dental Practice Data

DPR Top 100: Dr Lavine's Top 10 Ways to Safeguard Dental Practice Data. Image credit: © Georgina Burrows - stock.adobe.com

Over the past 6-plus years, I have written a monthly column on some specific aspect of dental information technology (IT), cybersecurity, or compliance with the Health Insurance Portability and Accountability Act (HIPAA). As anyone who follows technology knows, keeping up with the latest developments is a full-time job. When I work with offices all over the world, their No. 1 concern is figuring out the best and most cost-effective way to protect and secure their critical patient data as well as making sure they follow all applicable local and federal regulations. So in that vein, here is my list of the top 10 ways to safeguard your data and be compliant with HIPAA.

1. Do a formal risk assessment and develop a HIPAA management plan. You would not treat a patient without doing a diagnostic evaluation and presenting a treatment plan, right? Well, HIPAA and cybersecurity work the same way: How do you know where you are deficient and what steps you need to take to correct those issues without looking first? A formal risk assessment is not a 15-minute process where you answer some questions online; done properly, it takes multiple hours to complete and will also take multiple hours to rectify the problems that you discover.

2. Reevaluate your backup and disaster recovery system. For most dentists, there are really 2 parts to this. You want a system that can get you up and running within hours, but equally important, you want something offline that will save you in case the entire office burns down. A local “image” and cloud backup is what I recommend for all offices.

3. There is no reason not to encrypt any devices that contain protected health information. Not only is it a HIPAA requirement, it is your only get-out-of-jail-free card if your data is compromised. All versions of Windows and Windows Server in the past 10 years have a free, built-in encryption software called BitLocker.

4. Speaking of encryption, you really should use an encrypted email system to send and receive emails from patients and referring offices. Most of the better systems will work with your existing email address and almost all are less than $10 per user per month.

5. Although email is the most common way that malware enters your network, a close second is unpatched software with security holes. HIPAA requires that you do “patch management,” and any decent dental IT provider can set up an automated system that handles patching for you.

6. A business-class firewall is your first line of defense against viruses like ransomware. Do not skimp with some home-use router such as Linksys or D-Link; rather, invest in one designed for a small business such as Sophos or SonicWall. Most of the better firewalls have a subscription service that works against viruses that you can add.

7. Every office needs a good, general purpose antivirus software. The antivirus that comes with Windows, Defender, has improved over the past few years, but I still recommend a paid antivirus software such as Emsisoft or ESET NOD32.

8. Although the general-purpose antivirus programs claim to do a good job against ransomware, my experience is that this is not always the case. I highly recommend investing in a ransomware-specific software such as Intercept X.

9. Because many of the newer viruses are so new that your antivirus software will not recognize them as viruses, you should definitely consider a specialized software called application whitelisting. In a nutshell, this type of software only allows preapproved programs to run; anything unapproved, like a virus, is stopped in its tracks.

10. Finally, even with all the best software in the world, nothing beats having a team that is up to speed on best practices for security and compliance. Annual staff training should be a critical component of your regimen.