It’s easy to believe that cyberattacks won’t happen to you. Why would a criminal choose your office as a target over corporations with far more money and assets? In fact, that is exactly what makes a small practice attractive: big businesses have plenty of resources to spend on security staff and tools, whereas your office may only have a few basic safeguards in place. Worse still, every patient record a criminal steals can be sold online for over $400. About 79% of all reported data breaches in the first 10 months of 2020 were against health care entities, according to a report by Fortified Health Security. Understanding what risks exist in your office and proactively addressing them will help keep you and your patients safe, especially with moves towards teledentistry during the COVID-19 pandemic.
How data breaches happen
Internet-enabled devices within your office offer many points of entry for a criminal. Any computer, security camera or other device connected to the internet can be an open door to thieves who want in.
Hacking and IT incidents are the biggest cause of data breaches, accounting for 69% of reported incidents. IT incidents include malware that gets installed when someone clicks a link or attachment in a phishing email or visits an insecure website.
The second leading cause was unauthorized access, which accounted for 20% of all breaches. This includes mistakes, like a lost tablet or a misplaced folder of patient information, as well as intentional sharing of information by an insider in your office.
Teledentistry and additional risk
Teledentistry, while a fantastic option for reaching patients, opens a new door for cyberattacks. Ordinary text messaging and free consumer video chat apps aren’t viable long-term options for telehealth, because any communication with your patients that contains protected health information must be safeguarded (in practice, encrypted) to comply with HIPAA, and consumer apps give you little control over how that information is handled.
The Office for Civil Rights (OCR) at the Department of Health and Human Services has announced that it will not penalize health care providers for using popular video chat applications during the COVID-19 pandemic, with a few caveats. You should notify your patients that these apps can introduce privacy risks, and you should enable all available encryption and privacy settings when using them.
While OCR has said it will exercise this enforcement discretion for consumer tools like Skype and Facebook Messenger during the pandemic, HIPAA-compliant tools, whose vendors will sign a business associate agreement and support the required safeguards, offer better protection of patient data.
Although you can never be completely invulnerable to attacks, having strong practices can make the difference between a scare and a nightmare.
The first steps you can take to proactively manage risk are some of the easiest:
- Wi-Fi. Only use Wi-Fi networks secured with WPA2 or WPA3 and a strong passphrase. If your office wants to offer Wi-Fi to patients or to staff’s personal devices, create a separate, password-protected guest network, so those devices never share a network with the computers that hold patient data.
- Passwords. Use strong, unique passwords on all your office devices and accounts. A strong password contains at least 10 characters and includes numbers, symbols, uppercase and lowercase letters, and it isn’t reused anywhere else, since one leaked password would otherwise unlock every system that shares it. And remember to keep them safe. Don’t create strong passwords only to write them down on a sticky note! A password manager stores them securely, and turning on multi-factor authentication wherever it’s offered means a stolen password alone isn’t enough to get in.
- Software. Before buying new applications, rigorously vet their compliance with HIPAA. A company might say its product is for health care practices, but that doesn’t mean it complies with laws around protected health information (PHI); ask whether the vendor will sign a business associate agreement (BAA) before any PHI goes into the product. And once you buy software, install updates promptly, since many software updates fix security flaws that attackers could otherwise exploit.
- Physical documents. When your office disposes of hard copies of documents containing patient information, shred or otherwise destroy them so that any PHI is indecipherable and cannot be reconstructed.
- Team protocols. Set up and enforce security protocols with your team, and regularly evaluate both the protocols themselves and how well they’re being followed. The Office of the National Coordinator for Health Information Technology (ONC) publishes tools, training and guidance to help you maintain strong security practices in your office.
Beyond that, cyber insurance can greatly reduce the financial burden of a breach by covering the cost of investigating the incident, fines and penalties, and lawsuits and legal fees.
If a breach does happen, take action immediately. Contact legal counsel before anyone else, then work with them to determine how the breach occurred and what information was affected, preserving logs and affected devices rather than wiping or reusing them. Under the HIPAA Breach Notification Rule, affected patients must be notified without unreasonable delay and no later than 60 days after the breach is discovered, so the clock is running from day one.
It’s going to take work and will probably be frustrating if you’re just starting out. But by implementing a strong cybersecurity defense, you’ll know you’ve done everything you can to keep your practice and patients safe.