What to consider to secure practice data and keep it protected.
Most dentists who come to me for help don’t have a thorough understanding of how their networks are configured, or who inside-and external to-the practice has access to what information and programs.
In fact, while most of these dentists are well- aware of the possibility of external threats from viruses, malware, phishing scams and the like, they don’t even think twice about the very real access their employees have and the damage they could potentially inflict on the company-whether planned or through simple ignorance. We all want to trust our employees to always do the right thing, but is that really the best approach to take here?
Your IT administrator holds the IT access keys to your practice more so than the financial keys held by whoever handles the company banking and payroll. When you think about all the sensitive information stored on your servers and individual computers, including company financial data, patient records, employee personnel information, and business and personal email correspondence, it’s all there for the taking, all there to be manipulated, stolen or destroyed.
This is pretty much the entire reason the Health Information Technology for Economic and Clinical Health Act (HITECH) laws were enacted; a realization that as more and more data became digital, the practice was at an increased risk of having that data compromised.
It’s not just a matter of whether you trust your current IT administrator. Even well-intentioned and honest IT pros make mistakes and can inadvertently leave the door open for others to gain access to information you don’t want them to see or have. Just as you have specific procedures, controls, regular checks and reports on your practice’s financial position and systems, you should be asking for and receiving the same for your IT position and systems.
How well do you know the IT company you’re working with? Was it a referral from a friend who liked the work they did at their practice? Is it a relative who dabbles in IT on the side? What steps did you take to call their references? (You did ask for references, right?)
That’s why we recommend every office that has a network, no matter how small or simple, regularly run a simple network assessment scan at least on a quarterly basis. You should have your assessment performed by a qualified network technician who’ll be able to analyze the results and quickly cure any deficiencies, vulnerabilities and improper network settings.
Part of HIPAA’s rules and regulations include the fact by law, you must perform a risk assessment and have a HIPAA management plan and this must happen on a regular basis. What’s considered regular? There are no hard and fast rules on this, but in my experience, three to four months is more than enough time for practices to get lazy or develop bad habits that can create additional risk for the office.
How frequently do you think network assessments should be performed, and who do you think should do them: internal staff or independent third parties? The key factor is to make sure whoever does it knows what he or she is doing. HIPAA spans three distinct areas: administrative, physical and technical. Be wary of any companies that specialize in OSHA and may have just tacked HIPAA on to their list of services; unless they have significant IT experience, they won’t be qualified to handle the technical evaluation of the risk assessment.
Your practice is at risk every minute of every day. The steps you take to protect and secure your data will determine whether you continue to have a smooth -running office or whether you’re dealing with the fallout from having to notify your patients of a breach of that data. The choice is yours!