It may come as a surprise, but getting through the HIPAA compliance surveys, adopting information security policies and training your employees are only a few of the milestones along the way to comprehensively securing your dental group practice. The skills learned on the path to compliance help, but you still must implement technology controls that actively enforce the policies and procedures you have written down. This is where security, the hidden component of HIPAA compliance, comes into play.
Security is not a one-time or even an annual event. It is a non-stop endurance contest between attackers and your practice. Attackers have all the time in the world to try, and try again, to break down your defenses, while you, the good guy, have a business to run and little or no time for added security responsibilities. Worse, you need to win every round to stay secure, while the attacker needs to win only once to ruin your business.
But fear not, it is far from a lost cause. Advances in technology and outsourcing put HIPAA compliance and cyber security within reach of a dental practice of any size. The key to understanding how much security you need is understanding the many different ways your practice might fall victim:
- Hackers operate 24/7 – The power of the “always on” Internet also means that you are always exposed to attack. While it might be nighttime or vacation time for you, someone half a world away is wide awake and probing your network. Simply put, security needs to operate 24/7/365.
- You aren’t a hand-picked target – Outside of banks, government and the Fortune 500, most businesses aren’t attacked because of their unique value; they are attacked because they are online and might have something worth taking. Attackers are indiscriminate here: they reach you through spam email, hostile website advertisements, or simply because your ISP handed you the next IP address in the range being scanned. Whether you are a solo practitioner, the owner of 100 practices or a dental support organization, you are a target.
- Mac vs. PC, iPhone vs. Android doesn’t matter – The reality is that everything on your network, regardless of brand or form factor, is at risk. Even your X-ray system, milling machine and telephones can be compromised. If it is on the network, you are at risk.
- Not all threats are from the outside – Unfortunately, the only employee you can trust 100% is yourself. An ambitious associate doctor may want to go out on their own and take your patient database with them. Perhaps your office administrator sells cosmetics on the side and thinks your patient list would be perfect for building that new business. Maybe you have a disgruntled hygienist or IT worker who asked for a raise or time off and, when they did not get it, set out to harm your patients and your business. You must be constantly vigilant.
- Sometimes the threat comes in other ways – In 2016 the American Dental Association mailed its members thousands of USB drives containing updated dental diagnostic and procedure codes, and some of those drives turned out to be infected with malware. Even familiar colleagues and trusted associations can be the delivery vehicle.
- The firewall, while still a building block of security, simply isn’t enough anymore, especially because it is typically set up once and nobody ever reviews its logs. The basic firewall your Internet provider bundled in, or the one purchased at a big box store or online for $100, may itself be insecure. You need more.
Among the items that should be on your shortlist are:
- Next Generation Firewall – An integrated network platform that combines a traditional firewall with other network security functions, including an application firewall, an intrusion prevention system, anti-virus, data loss prevention, real-time threat intelligence feeds and other options depending on the size and nuances of your practice.
- Web filtering – Limit how much time your employees spend online shopping, gambling, browsing adult content or anything else unrelated to the practice. And remember that many of these sites are exactly the kind of watering holes where attackers plant hostile content.
- Application control – Do you want your employees on Facebook, Pinterest, Netflix, FaceTime and the like during the work day? Or maybe that is acceptable, but you want to log which employees use them and how much time they spend.
- Vulnerability scanning and asset discovery – Always know every system on your network, track which systems need to be patched, and record when each patch is actually applied.
- Endpoint security – Your smartphones and tablets, as well as any notebooks you carry back and forth between office and home, need extra protection. Make sure you are protected from whatever may be on a USB stick, and from what happens when your teenager borrows your device.
- Logging – The only thing worse than a breach is a breach with no logs of what happened, how it happened or what was taken. Under HIPAA, an incident need not be reported as a breach if you can demonstrate a low probability that patient records were compromised, and without logs you cannot demonstrate anything. Logs shipped off-site, where an intruder on your network cannot alter or delete them, are the only sure way to have that evidence when you need it.
- 24/7 monitoring – Hackers don’t sleep and neither should your security. You already pay a company to monitor your burglar alarm; you need the equivalent for your network.
- Computer security specialists – Computer security is a specialized discipline, and most IT service companies aren’t equipped to manage it. You might have a skilled in-house IT team or DSO managing your desktop and operatory IT, but security needs a dedicated team.
Security remains one of the hidden components of HIPAA compliance. It must be addressed, and you can’t afford to do it wrong. It is possible to separately procure privacy assessments, 24/7 threat management, vulnerability scanning, training and the other sub-components on the path to HIPAA compliance, but this piecemeal approach brings its own risk of unintended gaps and finger pointing at the other guy. Those are gaps your business can’t afford. A turnkey solution for security and compliance is almost always the best choice for the dental practitioner.
We at Data Guardian Pros deliver all this and more as a single provider to the dental industry. Join us as we build our network of dental organizations committed to being HIPAA compliant and protecting PHI in this world of cyber threats.
About the author – Charles Kaplan
Charles is the co-founder and Chief Technology Officer of Data Guardian Pros. Over a 20+ year career with key roles at both global technology companies and nascent security start-ups, Charles has focused solely on addressing critical global information security and compliance issues. He has served as the technology face and spokesperson at companies including Riverbed Technology, as Deputy CTO, and VeriSign, as Chief Information Security Officer and Senior Director of Research.