Since last year, dmi Networking has provided HIPAA Consultations as a free service. In our evaluations, we have found several issues which keep popping up, and many have low- or even no-cost fixes. Below, I’ve listed a few things that a dental office will need in order to maintain compliance with the law.
Absence of a Risk Assessment
When HHS begins its random HIPAA audits this October, the agency is likely to start with a phone call requesting your latest Risk Assessment. When a Covered Entity cannot provide one within the specified time frame, the agency will likely come in for a complete HIPAA audit.
There is no standard format for a Risk Assessment, but it must include a detailed look at the most vulnerable points of your practice and the steps planned to remediate each one. The document can take the form of a Word document or a chart in Excel. There are many examples online that can give you an idea of what a thorough assessment covers.
Identifying possible vulnerabilities may require a third-party consultant. As part of our free HIPAA consultation, we provide guidance in starting this document by identifying the issues in your IT infrastructure. From there, you can expand your assessment to include guidelines for employees and patient privacy.
Unsupported Software
The issues that fall under Unsupported Software come in two varieties. First, and the biggest one we have seen, is the use of Windows XP machines on the network. Since Windows XP is no longer supported by Microsoft, security patching no longer takes place. Keep in mind that malware is deployed automatically and en masse, seeking out specific security holes in software, so it is vitally important to get these unsupported machines off the network. Cyber criminals will exploit these holes, and malware infections are sure to increase.
The second form of Unsupported Software we see arises from dental offices breaking the licensing agreement for the software they do have. If the licensing agreements are not followed, the result (aside from operating outside the law) is that the vendors are not required to support the end user.
Free anti-virus is the most common example among the dental offices that are using unsupported software. Another arises from purchasing home-class PCs from Costco, Best Buy, or other retailers. Windows 7 Home is an operating system specifically licensed for home users, while Windows 7 Professional carries the licensing for use in business. Upgrading to Windows 7 Professional is relatively painless, and it also provides extra features that strengthen the security of multi-user PCs.
Unencrypted Data
The specific requirement of HIPAA is to encrypt data, “at minimum when the data is in transport”. In a dental office, this comes into play during nightly backups and email. Encryption is a very low-cost solution and can be accomplished in a few different ways.
For nightly backups, hardware or software encryption can be used. An example of hardware encryption is an external drive with an embedded keypad: the data on it stays unreadable until the correct code is entered. Software encryption, on the other hand, uses the backup software to encrypt the data before writing it to a non-encrypted external drive, such as a Passport drive.
For email, the technical reason that end-to-end encryption is required is the relay servers that carry your message to its destination. A single email usually passes through more than a dozen relay servers, any of which may have vulnerabilities. If your email messages travel in plain text, they can be retrieved from any of these locations. End-to-end encryption solves this problem by encrypting the data before the message is sent and requiring a password to decrypt the message at the recipient's terminal. dmi recommends RPost, a robust system that integrates with Outlook or uses a web-based approach to sending encrypted emails.
No Password for Users
All dental offices should have password protection on their practice management database. However, this requirement also means requiring a password just to boot the computer up. This layer of protection is usually not enforced in a dental office, and it is easy to implement.
The important thing to remember is that PHI does exist on the workstations in most dental offices. We find PHI on most of our evaluations – in the My Documents folder, or in an email program. Additionally, HIPAA requires detailed reporting of user activity in the event of a breach. Without each employee and doctor having their own login credentials, it is virtually impossible to satisfy this section of the law.
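The following workstation check, added here as an example and not a dmi tool, flags the three findings described above: an unsupported or home-licensed Windows edition, automatic logon that skips the password at boot, and shared or password-less local accounts that make per-user activity reporting impossible. It assumes Windows PowerShell 5.1 or later on a workgroup PC, run as a local administrator (on a domain-joined PC the account section only covers local accounts).

```powershell
# Added example (not dmi's tool). Assumes Windows PowerShell 5.1+ run as a local administrator.
$findings = @()

# 1. Unsupported or home-licensed operating system
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -match 'XP') {
    $findings += "Unsupported OS: $($os.Caption) no longer receives security patches"
}
if ($os.Caption -match 'Home') {
    $findings += "Home edition: $($os.Caption) is not licensed for business use"
}

# 2. Automatic logon: the PC boots straight to the desktop with no password
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($auto.AutoAdminLogon -eq '1') {
    $findings += "AutoAdminLogon is enabled for '$($auto.DefaultUserName)'"
}

# 3. Shared or password-less local accounts defeat per-user activity reporting
$users = @(Get-LocalUser | Where-Object { $_.Enabled })
if ($users.Count -lt 2) {
    $findings += "Only one enabled local account ($($users.Name)): staff cannot be tracked individually"
}
foreach ($u in $users) {
    if (-not $u.PasswordRequired) {
        $findings += "Account '$($u.Name)' does not require a password"
    }
}

# Print the findings list for the risk assessment, or confirm the PC is clean
if ($findings.Count -eq 0) { 'No findings on this workstation' } else { $findings }
```

Each line of output can be pasted directly into the Risk Assessment as an identified vulnerability with its remediation step.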
Start Right Now
Thankfully, most of these solutions come at little to no cost. Take the first step and begin your risk assessment if you don’t already have one. Start with a self-assessment – how could PHI be breached in your practice? Write down what you find, and begin your plan for plugging the holes. dmi is here to help with free on-site HIPAA evaluations in the Bay Area, where we can help you address the network and data security aspects of the law. Feel free to contact our HIPAA experts for details.