Cybersecurity | Aug 28, 2020
The healthcare industry has been a primary target for data hackers. Health records house some of the most valuable information a hacker can obtain, such as social security numbers, names, addresses and health information, and are a literal goldmine.
Hospitals, pharmacies, health insurance companies and urgent care clinics are the targets that make the news. Small health organizations, however, actually dominate the healthcare industry, and they are often outmatched and the most vulnerable. Even if a small organization can afford the security investment necessary to protect itself, it is unlikely to have the staff or expertise to act on a breach quickly and correctly. According to a 2017 study sponsored by IBM Security and conducted by the Ponemon Institute, the cost of a breach is $380 per record; for a dental practice with 2000 patients, that is over $750,000, enough to cripple a practice.
The 2015 healthcare cybersecurity breach at mega-insurer Anthem made headlines when nearly 80 million patient records were exposed. Small offices are far more numerous but rarely make headlines, and we in dentistry are not immune. In November of 2019, a ransomware attack hit 100 dental practices and prevented the dentists from accessing their own patients' records. The good news was that the attackers appeared to have encrypted the data but not accessed it.
An area of increasing exposure to threats is the web portal model. We as patients can now access our medical records, and medical offices, to cut costs, often have us “self-serve” before an actual visit. All of your private data is entered into a system before you even walk in the door. Dentistry does something similar to help alleviate the time-consuming medical history and verification of benefits for all new patients.
As dentistry’s reliance on electronic data increases, so does our risk. A dental practice with no firewall or security team is a target. We hold birthdates, social security numbers and even banking information for our patients and have to address this concern. The majority of data breaches happen when staff members exercise poor judgement or don’t follow office procedures. Recent data shows a 50% to 75% reduction in cyber-attacks against healthcare entities that properly train their staff. The unfortunate trend of phishing emails is not confined to relatively harmless, time-wasting emails that a well-trained (in terms of information security) employee can spot and delete without much concern. Sometimes these phishing attempts cause major data breaches that cost organizations a lot of money and possibly damage their reputation, all because an untrained or careless employee opens them and downloads an attachment. Staff using office computers to surf the web or check their own personal email and social media accounts can also open up breaches in office systems. Does your office actually have specific policies and procedures that the entire team is aware of? Dentists and staff should undergo cybersecurity training on a regular basis as part of HIPAA compliance and keep multiple data backups, including an external hard drive that stays disconnected from the rest of the network.
Making sure that all firewalls are adequate, that operating systems, hardware and software are up to date and secure, and that our wireless networks are shielded from public view are a few steps that help reduce our risk. Data transmitted to health plans, labs and other providers needs to be encrypted; social media, SMS and email are susceptible points of violation. Major instant messaging services are not encrypted and do not provide a recall option. Our growing inventory of technology equipment, and the integration of new technologies and information systems to manage patient treatment and information, make it a challenge to keep our security strong.
HIPAA violation penalties vary and use a tier system. A Tier 1 violation can yield anywhere from $100 to $50,000 per violation with a maximum of $1.5 million per year, while a Tier 4 violation (willful neglect) yields $50,000 per violation with a maximum of $1.5 million per year. 49 states have their own breach notification laws, some of which are more stringent than the federal government’s.
Unfortunately, there is not enough information specific to the dental community about reducing its risks. A recent paper in Issues in Information Systems addressed dental care specifically. Its systematic review sought to identify cybersecurity literature written for dental offices as small practitioners and highlighted the need to expand this particular type of literature.
Hiring qualified IT personnel is the first step to protecting not only your patients but your entire practice. Gary Salman, CEO of Black Talon Security, who lectures on cybersecurity to dentists, recommends asking specific questions of your IT company. Do they have a third-party cybersecurity company that evaluates the security of their infrastructure?
A self-audit of your practice should be done once a year, starting with the risk assessment that is required under HIPAA. Next, create a defense in depth that includes a firewall, anti-virus, device encryption and disaster recovery, to name a few. This layered approach is the best defense. Next, create strong policies in areas such as acceptable use, data destruction, business continuity and security monitoring. Proper employee education may be the most important step, because employees are often the weakest link in the chain. Finally, have a disaster recovery and incident response plan, and remember that every day you spend trying to restore data and get back to operations is a day you are losing money.
Eliel Melon, Wilnelia Hernandez. Cybersecurity in the Dental Healthcare Sector: The Need of Knowledge for Small Practitioners. Issues in Information Systems. 2020;21(1):118-124. https://iacis.org/iis/2020/1_iis_2020_118-124.pdf