According to the California Attorney General’s Office, physical theft of unencrypted datastores is the most common data breach for dental practices. Astoundingly, over 50% of all HIPAA violations occured from physical theft of a device. These devices either held patient data, or contained auto-logins for access to patient data.
Surprisingly, this statistic is unique to dental practices – across all industries, only 17% of data breach is attributed to physical theft.
What Makes a Dental Practice Different?
The first question that comes to mind, is why the most common data breach among dentists is so far outside the national statistic across all industries. The answer to this calls for speculation, as I could find no study as to why this is the case. From our experiences with dental practices and their methods of data access, here are some possible reasons that the statistic is so much higher.
A Properly Managed Domain Server is Less Common
If you are like many dentists, then you may not have a robust Windows Server set up in a Domain Environment to manage your network. The larger the company, the more necessary a properly managed server becomes. Many dental practices are small, and opt to manage security rites locally, or are not handling data transmission properly. Here are a few security concerns that arise without a Windows Domain Server to manage your network:
- Without a Windows Domain Server, it is incredibly difficult, if not impossible, to ensure that there is no patient data on the workstations, due to caching, emails, and more.
- The amount of patient information on individual PCs rises considerably when the data stores are not managed under a full domain.
- This means, that theft of a workstation will amount to a data breach, whereas under a properly configured domain, there would be far less data once the workstation is off the network.
The Theft Occurs from Mobile Devices or Backup Drives
Many effective backup methods designed to be budget friendly call for drive-swapping, or holding backups on an external laptop, thumb drive, external drive, or over the network to another PC. Unfortunately, this increases your exposure to data breach. Consider: your backup holds your entire practice, and might fit in your pocket. This is a huge factor in contributing to physical theft as the most common data breach.
There is an increased risk if you use a drive-swapping method and your backups are not encrypted. A stolen or lost backup drive, if left unencrypted, will amount to a full breach of your entire database.
You can still be safe with a low-budget, effective solution – but consider these recommendations to greatly reduce the risk of theft:
- Encrypt all of your backups. If you use Windows Server Backup or another free program which does not apply encryption, then consider an encrypted hard drive. You’ll want a drive that you can’t possibly read on any system without a keypad entry or other method for decrypting the data.
- Consider a software solution which applies encryption to your backup, as it backs up. These solutions generally cost a little bit more, but are the status quo for larger industries, yet more uncommon among small dental practices.
Lock Down your Systems, Even if they Are Encrypted
Depending on the encryption method used, it still could be possible for a hacker to get through to your data on a stolen machine. It’s very cheap to lock down a workstation physically – for about $40 per PC, there’s no reason not to:
- Use cables or metal cables to lock devices to furniture
- Use metal plates to bolt down devices to a surface or a wall
- Put the server into a locked closet, box or cage
These few recommendations will help bolster your security to reduce the risk of physical theft to be more inline with the national averages. Since many come at no or little cost, it’s a great idea to begin implementation on your backup systems and data stores. Don’t fall victim to the most common data breach in dental practices.