One of the largest threats to any dental practice is the possible breach of patient information. Since so much is at stake by the types of data stored in these practices, HIPAA and HITECH laws demand that specific security measures are taken to reduce the risk of stolen patient data. HIPAA compliance can often be overlooked in medical or dental computer networks, due to the cost of compliant security systems. Competition by general “small business IT” companies is a common pitfall – the services are cheaper, but there is quite possibly nobody on staff with direct experience in HIPAA compliance.
Obtaining a specialized IT company that works with HIPAA is a must. Even a company which deploys secure networks with encryption may not be covering the law in its entirety. If in doubt, it is best to obtain a third-party consultation to make sure that your systems are secure in a manner complying with the law. A professional audit of your systems by a dental or medical IT specialist is a must, not only to determine your compliance, but also to document your compliance as required by HIPAA.
HIPAA Compliance – Required Services
1. Data must be encrypted, at minimum when in transit.
Most HIPAA breaches arise from theft of data, either physically or electronically. Whether your data is moving through your internal network ports, transmitting over the web in the form of email, or sitting on an external thumb drive or hard drive, encryption is necessary to make sure patient data is not at risk. Simply put – if the in-transit data is not encrypted, you is out of compliance. Even if you are using an encrypted cloud backup service, you must make sure that the data is encrypted before it is uploaded to the cloud.
2. If you have a mid-to-large dental practice, each user must have a unique network account.
This is the piece that is missing from many, many practices from my experience. In order to comply with this, a practice with more than 4-5 PCs should have a Domain Server set up – this centralizes user management, enforces password compliance protocols, and allows monitoring software to be installed which can log user activity – a requirement of HIPAA.
3. Test-restore your backups HIPAA demands that your data be safe, and accessible.
You need a plan to restore your server from a local backup drive or your cloud backup solution. This needs to be tested at leats once per year to comply with HIPAA – never wait for a disaster to learn how to restore your data. Some practices elect to perform a test restoration a couple of times per year. Each test restore gives you insight into how long you’ll be down during a true disaster.
4. Perform a Risk Assessment
This is an internal process that must be documented, and the first thing a HIPAA auditor will ask for. Part of your risk assessment might contain a vulnerability scan. This assessment identifies possible security holes, as well as fixes – it is a work in progress and generally cannot be “faked”. A risk assessment is a timeline of security hole discovery and solutions for fixing the problems.
5. Regular patching of Windows, Java, and other vulnerable software.
Malware and spyware programmers are constantly finding holes in the security of software such as Windows, Java, Adobe, and browsers. All of your network-capable programs need to be updated – hackers are always looking for security holes, and they find them. Malware is automated – you might not be targeted specifically. This is why security patching must be part of your routine. Every month, you should do an internal audit of your PCs to make sure everything is up to date. Otherwise, you can contract out to an IT company that performs this for you. The value of contracted IT services cannot be understated – they can develop and enforce your HIPAA compliance on your network.
For information or a free trial of our email encryption solution, follow the link to dmi Networking’s Dental IT company page.