By Dan Gospe
For dentists, HIPAA compliance is often overlooked. HIPAA is a broad law, meant to cover all practices from the small, 2-operatory practice, to the large hospital-level enterprise. Although you may not have the same breadth of patient data that these larger organizations have, it’s important to achieve compliance not only for the sake of following the law, but also to secure your network against threats that are prevalent in every business environment.
Here are 5 common mistakes that dentists make, which have easy fixes.
Mistake 1: Backup is only backing up files & folders, or is not encrypted.
Your backup should consist of a full server image – not just files and folders. Many times, dentists will use Henry Schein’s built-in Dentrix backup or another like-minded backup solution, and think they are okay. Unfortunately, under these systems, not everything is actually being backed up. Restoring from a backup that only consists of files and folders is cumbersome, and can add hours to your downtime as you reinstall and reconfigure your network. Instead, make sure you are getting a full server image for your backup, so that if your server goes down, you can restore to another device and be back up much more quickly.
The most common problem we’ve seen with backup systems, even if they do include the entire server, is that they aren’t encrypted – such an easy thing to do. Keep in mind, that a non-encrypted backup drive is the singlemost vulnerable part of your practice! If you lose that drive or it gets stolen, it constitutes a breach of epic proportions. Simply by using encrypted media or software to perform your backup will mitigate this huge risk, and if you don’t want to pay for an expensive piece of software, many flavors of encrypted backup drives are available that will ensure that your backup is as secure as your practice PCs are.
Mistake 2: Emailing specialists without encryption
When you send an email from your office to another, it bounces through dozens of servers before reaching its destination. Any one of these servers can be compromised, and it’s impossible to speak to the security of any of those relay servers. This is why encrypting email is so important. Many people ask “Why are faxes compliant when pages of data are spit out for anyone to see, but email needs to be encrypted?” The simple answer is, a fax is a direct line-to-line message, whereas emails go from Point A, to Point Z, and every point in between.
There are many services that provide email encryption. A common concern is that recipients may have trouble opening the encrypted emails, but some companies have made it very easy – we like the ones the plug right into Outlook or a web-interface, and where the recipients don’t need to create an account to view the email. Unfortunately, most encrypted email providers do require recipients to create an account, but many do not! Before giving up on email encryption, make sure you try one that is easy on your recipients.
Mistake 3: Antivirus scans are never running, or are not business-class
The first thing you need in an antivirus, is a license for business use. This means that free AVG or Norton will not comply with the licensing agreements, thus constituting a HIPAA violation (as well as a violation of other applicable software laws). Once you choose a business-class antivirus such as Bit Defender, Kaspersky, or others, you need to really make sure it’s actually running full scans of your systems on a regular basis. Many times when I come into an office for a consultation, I look in their AV and see that a full scan has never been run since it had been installed. Since definitions are always being updated, a virus may have gotten through that would be caught on a subsequent scan. Set up a scan schedule, and make sure that it is going to alert you if it finds a piece of malware on your systems. Unfortunately, malware is found more often than not on these unmanaged antivirus environments.
Mistake 4: No Risk Assessment
This should actually be Mistake #1, because it is the most prevalent omission from a dental practice. Your risk assessment needs to be a thorough evaluation of the risks to your network, and it must contain a plan to mitigate these risks wherever possible. For example, perhaps you’ve identified that your server is unable to manage your network securely. If this is the case, you need to document it, and come up with a plan to secure it. If you need new hardware, you can simply apply a roadmap to getting it done. Don’t let anyone tell you that you need to spend lots of money to become compliant right away! You can budget for the big changes you may need, and to reach compliance you simply need to document your risk!
Mistake 5: No Passwords on PC Boot
Using a Domain Server, passwords for PCs are automatically implemented. But, if you are not on a domain setup, your PCs still need a password right when they boot, and you need to change this password periodically. You also need a form that employees can sign off on when the password is changed. The best way to manage password compliance is to use a Windows Domain Server, but in smaller practices it may not be something you absolutely need in order to comply with the password requirements.
A common criticism of passwords on PC boot is this: “My Database is protected by a password already”. Unfortunately, there is a wealth of patient data on your workstation, and if you don’t require credentials on boot, then anyone can get access to your emails, your documents, and yes – even shared folders on the server, if it’s not properly locked down. Put a password on those PCs. Right now.