By Debi Carr, AADOM, ADMC, HIMSS, IAPP, ISC2, ISACA, ISSA
“Was there something we could have done differently?” I’ve heard this question often in dental practices during the last several years when it comes to ransomware attacks and hardware failures. My answer is always a resounding yes! There are steps that offices can take to keep today’s very active hackers away from their systems.
A security management plan is required under HIPAA: the Security Rule's "security management process" standard calls for a documented risk analysis, risk management, sanction policy, and activity review. On January 5, 2021, HR 7898 (the HIPAA Safe Harbor Act) was signed into law. It amends the HITECH Act so that when the Department of Health and Human Services decides on fines, audits, and other enforcement actions, it must take into account whether the practice had recognized security practices in place for the previous 12 months. A written, maintained security management plan is how a practice demonstrates that. Private practices often ignore the requirements of HIPAA and security, thinking that they're too small or that it's too expensive. Sadly, small practices remain prime targets of cyberattacks, and those attacks can be very expensive.
“Health-care providers owe it to their patients to comply with the HIPAA rules,” said Roger Severino, former Office of Civil Rights director. “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
Here's how I answer practices' question, "Was there something we could have done differently?": implement a written security management plan, and treat it as an ongoing, ever-evolving process rather than a document that is signed once and filed away. A security management plan is the security strategy for a practice. Team members often believe that annual HIPAA training and their IT company are all the security their office needs, and that the IT company is making sure they're HIPAA compliant. Both are costly myths. An IT vendor can configure and maintain systems, but the practice, as the covered entity, remains responsible for its own compliance and for deciding which risks it accepts.
How does a plan work?
A strong security management plan begins with identifying the information that is critical to the operation of the practice and the systems that hold it, such as accounting software and practice management applications. Patient information is often housed in other applications as well, so it's critical to a security plan to know where your information is created, transmitted, and stored. If you don't know a system holds patient data, it will not be in your backups, your access reviews, or your risk analysis.
A good place to start when implementing a security management plan is with a risk analysis. It is required under HIPAA's Security Rule, but it's also a good idea because it provides an overview of your security. A risk analysis should be conducted annually or whenever there are changes to your environment, such as a new server, a new imaging system, or a move to a cloud-hosted practice management application. It should include a review of your required administrative, physical, and technical safeguards. The purpose is to expose vulnerabilities that put patient information at risk so they can be fixed before an attacker finds them, and to document what was found and what was done about it.
Another facet of a strong security management plan is to have policies and procedures in place that direct your team regarding how patient and practice information should be handled. These should be written and available to all team members, who should receive regular training in the security policies and procedures, including security awareness training. Most infections enter a practice through malicious emails, whether a phishing link or an infected attachment. Training team members to recognize these emails, and to report a suspicious message or an accidental click immediately instead of hiding it, is critical to a strong security management plan.
Create and implement a backup protocol that allows for a quick recovery. Full system onsite backups help with quick recovery when there is a hardware failure. Offsite backups preserve critical data but restore more slowly, because everything has to come back over an internet connection; however, they come in handy if there is a facility issue such as a fire or natural disaster. There should always be a backup that is not connected to the network in any way, such as a rotated drive that is unplugged and stored securely once the copy is finished. Too often when threat actors gain access, they delete or encrypt every backup they can reach, onsite and offsite, before they trigger the ransomware. Having an offline copy of the backups guards against this scenario. It's also important to make testing the backups part of your security management plan: a "successful" backup job proves nothing until you have restored from it and confirmed the data is complete, intact, and recent.
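The restore test described above, as an added example that is not code from the original article: it records a SHA-256 manifest of every file in a backup set at backup time, checks a restored copy against that manifest (catching files that are missing, truncated, or encrypted by ransomware), and flags a backup that is older than the practice's expected schedule. The directory layout, file names, and the 24-hour threshold are assumptions for illustration, and the sample files are constructed, not real patient data.

```python
# Added example: a small "restore drill" for a backup protocol. Not code from
# the original article. Paths, file names and the 24-hour threshold are
# assumptions for illustration; the sample data is constructed.
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60  # assumption: the practice expects a nightly backup


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large database backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(backup_root: Path, manifest_path: Path) -> dict[str, str]:
    """Record the manifest at backup time; keep a copy with the offline backup."""
    manifest = build_manifest(backup_root)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> list[str]:
    """Compare a restored copy to the manifest. An empty list means the restore is usable."""
    problems: list[str] = []
    for rel, expected in manifest.items():
        restored = restored_root / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(restored) != expected:
            # Truncated, bit-rotted, or overwritten/encrypted by ransomware.
            problems.append(f"corrupt: {rel}")
    for rel in sorted(set(build_manifest(restored_root)) - set(manifest)):
        problems.append(f"unexpected: {rel}")
    return problems


def backup_is_recent(manifest_mtime: float, now: float | None = None,
                     max_age: float = MAX_BACKUP_AGE_SECONDS) -> bool:
    """A backup job that silently stopped running is as bad as no backup at all."""
    now = time.time() if now is None else now
    return (now - manifest_mtime) <= max_age


def restore_drill() -> dict[str, list[str]]:
    """Run the whole drill on constructed sample data and return what each check found."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "charts").mkdir(parents=True)
        (live / "charts" / "patient-0001.txt").write_text("constructed chart note\n")
        (live / "ledger.db").write_bytes(b"constructed ledger bytes " * 1000)

        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)
        manifest = write_manifest(backup, Path(tmp, "manifest.json"))

        # Drill 1: restore to a separate location and verify it byte for byte.
        clean_restore = Path(tmp, "restore-clean")
        shutil.copytree(backup, clean_restore)
        clean = verify_restore(manifest, clean_restore)

        # Drill 2: the failure modes a backup test must catch:
        # one file overwritten (as ransomware would), one file gone.
        bad_restore = Path(tmp, "restore-bad")
        shutil.copytree(backup, bad_restore)
        (bad_restore / "charts" / "patient-0001.txt").write_bytes(b"\x00encrypted")
        (bad_restore / "ledger.db").unlink()
        tampered = verify_restore(manifest, bad_restore)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(restore_drill(), indent=2))
```

Store the manifest with the offline copy, not only on the server that produced it; a threat actor who can rewrite the backup can rewrite a manifest kept beside it. Run the drill on a schedule and treat any non-empty result, or a stale manifest, as an incident to investigate that day.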
By following these suggestions, and recognizing that the cost of these measures is small next to the cost of a breach or an extended outage, you can help protect your practice from today's active hackers.
Debi Carr is a cybersecurity and crisis management consultant and speaker, and CEO of D K Carr and Associates LLC. She assists private practices with obtaining and maintaining HIPAA HITECH compliance, including performing risk analysis, team security training, crisis management, and incident response. Carr holds several certifications, including HealthCare Information Security and Privacy Practitioner (HCISPP) and Certified Associate in Healthcare Information and Management Systems (CAHIMS), and is a member of AADOM, ADMC, HIMSS, ISC2, ISSA, ISACA, InfraGard, and SCN.