Roadmap to Data Security Compliance

By Dan Gospe

Many dental practices have been using electronic records since long before data security compliance regulations came into effect.

Fundamental changes to the way your practice handles data security may be necessary to achieve full compliance with the law. A systematic roadmap to data security compliance is therefore needed to fully comply with HIPAA regulations.

1. Understand the Scope of Data Security

Most will agree that data security is essential to maintaining the integrity of your dental practice. The goal of data security compliance is to prevent protected health information (PHI) from falling into the wrong hands, or from being accidentally altered or destroyed by staff.

The first step to compliance is to understand and define the scope of your security plan. The primary consideration is that your data does not exist in a bubble: your network has multiple paths to the internet, and those paths can be used to access or alter your data if the network is not properly configured. Additionally, data travels across the internet in the form of email and cloud backups.

While these factors help define the scope of your electronic data, it is also important to consider physical access to data. Data security compliance means not only locking down your network, but also protecting your data against accidental deletion by your staff and against physical theft.

Consider using the Security Risk Assessment Tool published on the HHS.gov website. It walks you through a thorough risk assessment and gives plain-English explanations of many of the requirements for keeping your data secure.

2. Ensure Your Staff Takes Data Security Compliance Seriously

The roadmap to data security includes a robust set of policies and procedures designed to protect your data. Unfortunately, human error can defeat even the most robust physical and electronic safeguards. It is imperative that your staff takes data security seriously and follows your policies and procedures to the letter. In practice, cutting off internet access or the ability to open email is not feasible, as many of the services you use are web-based. A better approach is to hold monthly security meetings with your staff to reiterate the content of your policies and educate them about your best practices.

A data breach can also result from the actions of a disgruntled employee. Designate one trusted employee (typically your HIPAA security officer) to hold administrative access, and physically secure your PCs and server with locks that cannot be opened by anyone else; everyone else, including that person for day-to-day work, should use an ordinary user account. This person should also be in charge of password compliance, and should ensure that every staff member has their own account and that passwords are never shared.

3. Catalog Every Piece of Hardware and Software

Keeping a detailed catalog of hardware and software is essential to maintaining your network map. In this catalog, document what PHI is stored on or passes through each item. If a program is not essential to handling PHI or to running the business, remove it from the PC or the network. This catalog is required for your risk assessment, and it is also useful when tracing the source of a data breach: if software that is not in your catalog turns up on a workstation, treat that machine as suspect and investigate what else has happened on it rather than assuming it is clean.

Your designated HIPAA security officer should be in charge of maintaining this catalog, and should periodically audit it against reports of the software currently installed on your machines. A managed service provider can produce ad-hoc reports of installed applications across your network, which can be quickly compared with your catalog.
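The comparison the security officer performs, as an added example (not code from the article or from any inventory product): the approved catalog and the installed-software report are both constructed sample data, and their layout (catalog as workstation name to {software: how it relates to PHI}, report as workstation name to list of installed software) is an assumption about how such an export might look. The audit flags unapproved software, approved software that has gone missing, devices that were never catalogued, and catalogued devices that did not report in.

```python
"""Audit an installed-software report against the approved hardware/software catalog.

Added example; not the author's code. Data formats are assumptions (see above).
"""
from dataclasses import dataclass

# Constructed sample: the approved catalog kept by the HIPAA security officer.
APPROVED_CATALOG = {
    "FRONTDESK-01": {
        "Practice Management Suite": "stores PHI",
        "Antivirus": "no PHI, required safeguard",
        "Web Browser": "transmits PHI via patient portal",
    },
    "OPERATORY-02": {
        "Practice Management Suite": "stores PHI",
        "Imaging Software": "stores PHI",
        "Antivirus": "no PHI, required safeguard",
    },
    "SERVER-01": {
        "Practice Management Database": "stores PHI",
        "Backup Agent": "transmits PHI to cloud backup",
        "Antivirus": "no PHI, required safeguard",
    },
}

# Constructed sample: today's installed-software report from the MSP.
CURRENT_REPORT = {
    "FRONTDESK-01": ["Practice Management Suite", "Antivirus", "Web Browser", "Torrent Client"],
    "OPERATORY-02": ["Practice Management Suite", "Imaging Software"],
    "LAPTOP-99": ["Web Browser"],
    # SERVER-01 is absent: it did not report in.
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str  # "unknown device", "unapproved software", "missing software", "device not reporting"
    item: str
    note: str = ""


def audit_inventory(catalog, report):
    """Return every discrepancy between the approved catalog and the live report."""
    findings = []
    for host, installed in report.items():
        if host not in catalog:
            # A device that was never catalogued is an unplanned path for PHI.
            findings.append(Finding(host, "unknown device", host, "catalog it or remove it from the network"))
            continue
        approved = catalog[host]
        for sw in installed:
            if sw not in approved:
                findings.append(Finding(host, "unapproved software", sw, "treat the machine as suspect and investigate"))
        for sw, phi_role in approved.items():
            if sw not in installed:
                # Missing software matters most when it is a safeguard or handles PHI.
                findings.append(Finding(host, "missing software", sw, phi_role))
    for host in catalog:
        if host not in report:
            # Could be powered off, or could be gone: confirm the hardware is still on site.
            findings.append(Finding(host, "device not reporting", host, "verify physical presence"))
    return findings


def finding_keys(findings):
    """(host, kind, item) triples, convenient for comparing one audit run with the next."""
    return {(f.host, f.kind, f.item) for f in findings}


if __name__ == "__main__":
    for f in audit_inventory(APPROVED_CATALOG, CURRENT_REPORT):
        print(f"{f.host:14} {f.kind:22} {f.item:30} {f.note}")
```

Run against the constructed samples, the audit reports the torrent client on FRONTDESK-01, the missing antivirus on OPERATORY-02, the uncatalogued LAPTOP-99, and the silent SERVER-01; a report that matches the catalog exactly produces no findings.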

4. Conduct Disaster Drills

Periodically, you should test your disaster recovery plan against a simulated data breach or data loss. Pick one plausible breach scenario and walk through your recovery and breach-reporting procedures as if it were real. It is much better to troubleshoot your disaster recovery or breach reporting capabilities before the actual need arises. The chart below lists common sources of breach.

[Chart: Types of HIPAA breaches]

Many sources of data breach are preventable. Physically, PCs and servers can be anchored to a wall or cabinet to reduce loss from theft. Electronically, disks can be encrypted so that if a PC is taken out of the practice, the data on it is inaccessible without the key. Human error can be reduced both by limiting the access privileges of staff and by training staff so they can more easily recognise malware and suspicious email.

5. Understand your Network and Communications Safeguards

Antivirus is just the beginning. A network vulnerability scan shows you which ports are open on each host on your network, and whether any of them are reachable from the outside world. A full scan also finds missing security patches that must be applied to close known vulnerabilities in network-facing software; attackers and malware authors use those vulnerabilities to get into unsuspecting systems. The output of a network security scan is a map of your network together with the remediation needed to bring it into compliance.

There are both external and internal network scans. An external scan is run from outside your network, from a remote location, and is sometimes loosely called a “penetration test”; strictly speaking, a penetration test goes further and attempts to actually exploit what the scan finds, but either way the aim is to discover whether there is an open window into your network that you are not aware of. An internal scan is more comprehensive. Usually a laptop is brought on site and the scan is run from inside the network. Internal scans look for the same entry points, but also examine the software on each machine and whether essential security patches are installed. Additionally, internal scans can examine user accounts, document password compliance, and determine whether audit trails for data access are in place.
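The mechanism behind "which ports are open", as an added example (not code from the article or from any scanner product): a TCP connect scan tries a connection to each port and records which ones accept, then compares the open ports against the services you intend to expose. Run it only against hosts you own or are authorised to test; pointed at the practice's public IP from outside, it gives the external view described above, and pointed at workstations from a laptop on the LAN, the internal view. The approved-service list and the external-scan result in the usage section are assumptions chosen for illustration, and the demonstration scans a throwaway listener on localhost so it runs offline.

```python
"""Minimal TCP connect scan with an exposure check against approved services.

Added example; not the author's code. Approved-service list is an assumption.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def is_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            # connect_ex returns 0 on success and an errno otherwise instead of raising.
            return sock.connect_ex((host, port)) == 0
        except (socket.timeout, OSError):
            return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of open ports, probing several ports in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, is_open(host, p, timeout)), ports))
    return sorted(port for port, opened in results if opened)


def unexpected_exposures(open_ports, approved):
    """Open ports not on the approved-service list; each one is a remediation item."""
    return [p for p in open_ports if p not in approved]


def demo_local_scan():
    """Offline demonstration: open a throwaway listener on localhost and scan for it.

    Returns (open_port, closed_port, found) so the result can be checked.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Bind and immediately release a second port so we also have a known-closed one.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo_local_scan()
    print(f"listener on {open_port}, spare {closed_port} closed, scan found {found}")
    # Constructed external-scan result for a practice whose only intended
    # public service is a patient portal on 443 (assumption for illustration).
    APPROVED_PUBLIC = {443}
    print("remediate:", unexpected_exposures([22, 443, 3389], APPROVED_PUBLIC))
```

A commercial scanner adds service fingerprinting and a vulnerability database on top of this, but the exposure list it produces starts from exactly this question: which ports answer, and which of those were never meant to.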

6. Ensure that Chains of Trust are in Place with Your Business Associates

Get to know your business associates, especially your dental IT provider. A good dental IT firm will have policies and procedures much like your own; your business associates are bound by the same HIPAA requirements that you are. Ask to see their policies if there is any question about how your data is handled. Remember that your business associates are likely subcontracting some of their services to others; for example, cloud backup and email encryption are probably not run by your IT provider but packaged and resold through a partnership. If you have any question whatsoever, ask to see their Business Associate Agreements with their subcontractors. In the end, you as the Covered Entity remain responsible for your patients’ data, and you must have a Business Associate Agreement in place with each vendor that handles it. Keep this in mind when you choose to partner with another company for services.

7. You’ve Made Your Plan – Stick With It

None of the above measures are useful unless your policies and procedures are followed at all times. A data security compliance plan consists of a great many mechanisms that must be managed and followed. Although many can be implemented and maintained automatically, regular workforce training and the upkeep of access levels cannot be; remember that human error leads to many data breaches and data deletions. As reliance on technology and the sophistication of malware continue to grow, your staff must remain diligent in every aspect of data security, from browsing the web to opening email. Finally, if there is an accidental deletion or breach of data, make sure there is a mechanism to report what happened and a process to follow to get your practice back into action.
