DENTAL OFFICES HAVE THE SERIOUS OBLIGATION of ensuring that their patients’ personal and financial information does not fall into the wrong hands. Theft of these details could result in a nightmare for both dentist and patient. Although security has always been a top priority for e-commerce and financial websites, a dental practice might not see itself as a natural target for cyber criminals. Health-care websites, however, are among the most common to come under threat from data thieves.
Tech-savvy patients want to feel safe when visiting a dental website, particularly when submitting sensitive information about themselves, including email addresses, patient information, and credit card details. If a data breach occurs in the transfer of information such as this, it’s highly likely to break the bond of trust between dentist and patient.
When a patient settles into your dental chair, he or she is putting faith in you to care for him or her. The patient expects the same level of assurance when visiting your website. This is why dental online platforms require robust security measures to protect patients.
While the security of patients’ data is crucial to reinforce the trust that a dental practice has established among its patients in demonstrating its commitment to professionalism and quality care, a data breach can also cost a dental office many hundreds of thousands of dollars in fines, civil lawsuit damages, and HIPAA violations.
Data thieves think dental websites are soft targets
There are two main reasons why cyber criminals are increasingly targeting digital records of patients. First, they view dental websites as soft targets, compared with big corporations or banks. Second, electronic health records (EHRs) of patients are extremely valuable.
As you know, a dental practice holds a vast store of information about its patients, including names and addresses, dates of birth, phone numbers, banking details, health histories and Social Security numbers.
At the beginning of 2017, Becker’s Healthcare, a business and legal resource for health-care leaders, reported that data breaches were costing the US health industry $6 billion a year. (1) Protenus, specialists in protection of patients’ privacy, says patients’ data is a “virtual goldmine” for criminals. It says EHRs comprise a complete ID kit, enabling data thieves to steal a person’s identity and commit a host of offenses. (2)
Digital identity theft enables the perpetrators to sell patients’ records on the black market, acquire medical equipment or drugs they can resell, and make fraudulent insurance claims. A victim of a digital data breach faces more far-reaching problems than in the case of conventional ID fraud: if you realize someone has taken your credit card, you can simply cancel it, but when a fraudster is armed with an array of information including medical details, it can repeatedly be sold on the Dark Web—and accessed by criminals using special software to carry out untraceable transactions.
The importance of a secure dental website was underlined in 2015 when personal details of more than 150,000 patients were stolen from an Oregon dental practice after data thieves infected its computer with malware. The dental office had to offer the patients theft protection and credit monitoring services. (3)
Coincidentally, while the attack on the Oregon practice was taking place, a legal specialist in dental cyber security breaches was warning that website security was now a necessity for dental professionals. Writing for DentistryIQ, Stuart J. Oberman emphasized how cyber criminals were targeting small dental offices because they believed they lacked adequate online security. He said health-care organizations were involved in one-third of all data breaches, making them the single biggest victim of data breaching.
EHRs provide a versatile haul for criminals, typically worth ten times more than financial information on its own, because stolen EHRs can be bundled up in different packages that attract high levels of attention from predators scouring the Dark Web for sensitive information they can sell on an ongoing basis.
How can my practice’s website be made secure?
Website security typically comes in the form of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS). SSL came onto the scene in 1995, launched by the now-defunct Netscape browser, followed by TLS in 1999. These technologies establish a coded connection between a browser and a web server, while the intricacies of the complex process remain concealed from users. SSL creates two cryptographic structures—a public key and a private key—that enable a web server to establish a coded link between the website and the patient’s web browser. SSL cannot stop hackers who attack computers and servers directly, so the server itself requires securities in place and the computer should have robust antivirus software.
You can tell whether a website is secure if its URL is preceded by “Secure | https.” HTTPS stands for Hypertext Transfer Protocol Secure. It protects information being sent from a computer to the site it’s connected to by encrypting all communications between your browser and the website. This encryption turns data into a secret code, and is the best method of providing security of information. To view the original file requires a key or password. Unencrypted data is known as plain text; encrypted data is called cipher text. Information sent to the destination server stays encoded until it is received, foiling anyone trying to intercept the data en route in so-called “man-in-the-middle” attacks.
Adequate levels of security for a dental website are required by law if the practice is considered a “covered entity”—that is, one involved in electronic transmissions of patients’ information. Under the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), overseen by the US Department of Health and Human Services, safeguards are necessary to ensure the security and integrity of health information submitted online. The Department of Health and Human Services says 21 million health records have been compromised since September 2009, and the Department’s Office for Civil Rights is now conducting random audits of relevant websites, with fines averaging $1.1 million. (1) The American Dental Association describes secure encryption as an “excellent” method of safeguarding information that patients send to practices electronically.
Benefits of a secure online dental platform
Besides being a legal requirement in many cases, a secure dental website can bring many benefits to a practice.
Having a secure website can generate more patients. When a prospective patient visiting your online platform gets the reassurance of security certification, they know they will be safe when making an electronic appointment request. If your site does not display security verification, a potential patient is likely to look elsewhere for treatment.
Another way a secure dental website helps to attract new patients is that it improves search engine rankings. Google, the largest search engine in the world, boosts websites that protect the user’s information. Although this measure does not currently have a huge impact on search engine results pages, it is expected to gain momentum over time, which could see any unsecured dental websites plunging down the rankings into obscurity. If patients use Google Chrome, a potentially unsafe website will show a lock with a red “X” over it. People are far more likely to stay on sites that display a green lock and an “https” address instead of just “http”.
If an online appointment request form contains a description of symptoms of the problem, HIPPA deems this as Protected Health Information (PHI) that requires rigorous data security standards.
Maintaining trust by keeping your patients safe
The web comprises a complex matrix of interactions, with information of all sorts traversing across numerous networks and servers before arriving at its final destination. Any one of these systems can be hijacked by data thieves if this information is not properly protected during its journey.
A dental practice holds an enormous amount of information about its patients, including banking details and health histories, and theft of this data could have devastating consequences for both practice and patients. Trust is a crucial component in the dentist-patient relationship, and website security is essential to maintain that confidence by protecting them from cyber criminals.
Understanding the importance of website security enables dental offices to maintain the same degree of trust their patients place in them online as they have when they visit their practice for treatment. A secure site also guarantees you won’t fall foul of the law.
Editor's note: This article first appeared in the Apex360 e-newsletter. Apex360 is a DentistryIQ partner publication for dental practitioners and members of the dental industry. Its goal is to provide timely dental information and present it in meaningful context, empowering those in the dental space to make better business decisions. Subscribe to the Apex360 e-newsletter here.
1. Dietsche E. Healthcare breaches cost $6.2B annually. Becker’s Health IT & CIO Review website. http://www.beckershospitalreview.com/healthcare-information-technology/healthcare-breaches-cost-6-2b-annually.html. Published January 19, 2017. Accessed July 2017.
2. A Virtual Goldmine: Why Criminals Target Patient Data (Part 2). Protenus website. https://www.protenus.com/blog/a-virtual-goldmine-why-criminals-target-patient-data-part-2. Published February 15, 2017. Accessed July 2017.
3. Greenberg A. More than 150K patients impacted in Advantage Dental breach. SC Media website. https://www.scmagazine.com/more-than-150k-patients-impacted-in-advantage-dental-breach/article/535820/. Accessed July 2017.