Editor’s Intro: Cybersecurity alert — safeguard your patients and practice from data breaches.
Gary Salman and Justin Joy discuss ways to keep patients’ records safe
An independent cybersecurity audit to analyze your current security posture is one of the most important things you can do to protect the confidentiality of your patient records. As an owner or associate of the practice, you must have a thorough understanding of the state law related to cybersecurity and HIPAA. Strictly “hoping” that the correct measures are in place may leave you in a compromised situation in the event of a security or privacy incident impacting your patients and practice. As a clinician, you must take a proactive approach and have a very clear picture of exactly where you stand from a cybersecurity and HIPAA perspective. For instance, are you conducting documented cybersecurity awareness training? Have you conducted a risk assessment and risk analysis, and is it up to date? Have you implemented advanced security measures such as quarterly vulnerability scanning and network penetration testing to demonstrate the effectiveness of the current security measures? Have these tests been documented, and are they part of your HIPAA documentation? If the answer is no, then it is critical that you engage with an independent company that can assist in these matters.
In the IT space, progressive IT companies typically recommend to their clients that they engage with a company that specializes in cybersecurity to audit the work that they have performed. IT companies that tell their clients, “Doctor, don’t worry about that, we have it taken care of,” are typically the ones who do not understand the complexities of cybersecurity, or how easy it is to exploit a network if the proper steps have not been put in place to identify and mitigate vulnerabilities. Engaging with a company that specializes in cybersecurity is critical for two reasons. First, the complex nature of computers and networks often leaves room for misconfiguration errors or improper practices, and hackers exploit these mistakes to gain access to your data. It only takes one vulnerability on your network for your data to be exploited. The next thing you know, your patients’ data is being bought and sold on the dark web. Second, the sophistication of cyberthreats has evolved to the point where, if you are not immersed in this field on a daily basis and do not have the tools and technologies to combat them, you are way behind. A reputable cybersecurity company invests heavily in the tools and human resources needed to protect against and defeat the complex assaults on our healthcare system.
Covered entities (orthodontic practices) are required to completely and accurately assess the potential risks and vulnerabilities to the security of electronic protected health information (ePHI) held by the practice.
IT firms and managed service providers are good at keeping your practice’s network, desktops, and applications running on a day-to-day basis. In most instances, however, these firms lack the expertise to assess and identify vulnerabilities, resulting in risk to your practice’s data. It is simply not their area of focus. Additionally, from an audit perspective, if your IT firm engineered and set up your network environment, it is necessary for an independent party to examine the work and provide feedback to you, the client, as to the security posture and vulnerabilities within the environment.
The U.S. Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, requires that the assessment of your practice’s risks and vulnerabilities be documented. If you are relying on a company that does not have expertise in information security to identify and assess technical vulnerabilities, you are not only potentially exposing your practice to considerable security risk, but also likely not meeting the HIPAA Security Rule requirement for identifying and assessing all vulnerabilities to your ePHI.
You must also be aware of your requirement to analyze your risks and vulnerabilities on an ongoing basis. Here again, an audit by an independent firm is not only valuable but in many cases necessary to reduce risk to your practice’s data and meet regulatory requirements. The Security Rule requires that assessment documentation be updated any time there is an environmental or operational change potentially affecting the security of your group’s ePHI. Given the never-ending proliferation of cyber threats, these environmental changes are ongoing, and the assessment of the risk to your group’s PHI from any vulnerabilities in the face of these threats must be ongoing as well.
Another key area for you to be cognizant of is your interaction with your business associates. Under HIPAA, business associates such as your IT company, practice management software company, imaging company, consultants who have access to your computers, and third-party software integrators must comply with the same HIPAA rules that you do as an orthodontist. In the event of an audit or security incident, the Office for Civil Rights often requests that you provide copies of signed business associate agreements with all of your vendors. Make sure that you check to see that you have executed agreements with these parties.
When making purchasing decisions or engaging with IT companies, ask them if they are familiar with and comply with both the HIPAA Privacy Rule and Security Rule. Some of the items that they need to have in place are the following:
- A complete HIPAA compliance manual, including a risk assessment and risk analysis
- Annual HIPAA training
- Annual cybersecurity awareness training
- Documented security measures that protect their data such as vulnerability scanning and penetration testing
Ask them for proof of this documentation; don’t just take their word for it. Imagine what would happen if their networks were breached and the hacker gained access to your practice’s IP address, usernames, and passwords for your servers and workstations. It could potentially be a disaster for all parties involved. Compliance and cybersecurity must be implemented by all parties that have access to your network and data. It is a team effort, not just a requirement for the covered entity (healthcare provider).
Another vital reason to have an independent security audit to evaluate your security posture is to reduce the chances of a data breach resulting in patients becoming the victims of identity theft — especially minors. In the event of a data breach, most states and the federal government will expect you to offer identity theft monitoring to your patients. The cost associated with this is extremely high and often twice the price for minors. As orthodontists, a majority of your patients are minors — think what that means from a public relations perspective. No parent is going to be happy knowing that his/her 13-year-old child has been a victim of identity theft due to a data breach that occurred at your practice. According to a Carnegie Mellon study on identity theft, a child is 51 times more likely to be a victim of identity theft than an adult [1]. Don’t put yourself, your practice, and especially your patients in a compromised position by eroding patient trust over something that is highly preventable.
Reference
1. Power R. Child Identity Theft. Carnegie Mellon CyLab. https://www.cylab.cmu.edu/_files/pdfs/reports/2011/child-identity-theft.pdf. Accessed September 28, 2018.