How to protect your dental EHRs from cyber attacks

There has been some recent publicity regarding an online scheme where practices are having their patient database accessed by unauthorized individuals. Based on this, some providers have been worried about potential dangers of using electronic health records (EHR) that store patient data on a server database.


Read about the hacking scheme that resulted in several dentists having to pay ransom to regain access to their patient databases

Worries like this have been voiced in a number of industries over the past few years. There have been instances of financial databases being hacked. So does that mean that banks and financial institutions should go back to keeping all their customer records on paper? Or, with the recent outbreaks of hacking into retail store databases, should retail stores stop using credit cards and go back to cash and checks? Obviously, this would be extreme. Keeping records "good old days" style might prevent unauthorized online access to information, but we can't go backward with technology.

If you have been reading my articles over the past couple of years and listening to my podcasts with industry experts, you should know that adoption and integration of EHRs in dentistry is essential and has numerous benefits. The medical industry has embraced EHRs in its daily operations, and the EHR train has left the station in the dental industry. In some of the stories I've read, practices have mentioned that, in spite of having virus protection, unauthorized individuals have still gotten into their patient databases. But just having virus protection on your computer is in many cases not enough to prevent sophisticated hacking schemes; there must be an ongoing strategy for incorporating and updating security tools and procedures.

The recent outbreak of incidents gives us an opportunity to discuss the protection of patient data and how to give yourself the best chance of protecting your patient records. I believe most of us understand that there are two main models for storing your patient records. One is managing a local database server that is in-house in your practice or group. The other model, which is becoming popular, is to have your EHR and associated patient database hosted by a third-party vendor in the "cloud".


In-house EHR and data management

If you have chosen to have your server reside in-house, it is essential to engage a trusted IT company or individual that has knowledge of database security. They should be able to give you a plan and timeline for continually updating the security of your in-house databases. Fees for this can come either as a service contract or on an hourly basis as needed. Whichever model you choose, it is critical, because your patient data is so important, to leave ongoing server security to the IT experts. In fact, it is not a bad idea to have a security analysis done from time to time.

Practices that are engaged in the EHR incentive program and meaningful use must have a security analysis done as a prerequisite to obtaining EHR subsidies, and having this work done should be extended to dental practices in general. This also crosses over with HIPAA security. To get a leg up on learning more about Security Risk Assessment, and for a free tool, see the Security Risk Assessment Tool provided by the ONC (Office of the National Coordinator). However, having access to tools such as this does not minimize the need for continual engagement with your IT company or professional to keep your security updated.

Finally, make sure you have timely backups that you can restore should you run into issues with your data. If you do decide to go the route of a service contract with an IT company or professional, I would highly suggest structuring a detailed IT service contract that outlines their responsibilities and commitments.



Cloud-based EHR and data management

The other route, which has been gaining more and more traction recently, is to not worry about managing your server and databases in-house, but to contract with either your EHR vendor, if they offer a cloud-based solution, or a third-party hosting center to take care of all the data management and security. The benefit of this approach is that if they are a quality company, they will have high-level IT experts on staff and will manage your databases and security 24/7. In addition, the creation of timely backups, which are critical to restoring your operation should something go wrong with your database, is now in the hands of IT professionals on a regular basis and not dependent on you or your staff.


The main advice I would give you regarding cloud-based server operations, after having contracted with numerous cloud vendors over the years, is this: because you're now dependent on a third party to manage your EHR and data in the cloud, it is critical to develop a detailed cloud services agreement that encompasses uptime, service guarantees, control of data, termination for cause, and numerous other factors that you need to think about. For more information, review the “Cloud Hosting Section” of the Contracts Checklist.

At the end of the day, no security technology can guarantee that you will not have an incident of unauthorized access to your database. But having qualified IT professionals watching your back on a regular basis will give you the best opportunity for success.

Check out the story of Dr. Lloyd Wallin, a Minnesota dentist whose practice was targeted twice in one week by hackers, who held his patient database hostage and demanded ransom for its release. Dr. Wallin's story can be read here.


About the author

Mike Uretz is a nationally-recognized dental software and Electronic Health Records (EHR) expert. He is the founder of  as well as the Dental EHR Editor for Dental Products Report and conducts a popular podcast on dental software related topics.

As a leading industry consultant and educator, Uretz has helped both individual and group practices evaluate and select software vendors and solutions, structure and negotiate vendor contracts, and provide vendor management. He also has assisted practices with obtaining subsidy payments through the federal EHR Incentive Program. Mike can be reached at mikeu@dentalsoftwareadvisor.com or 425-434-7102.