Stuart J. Oberman, Esq
The provision of health care is changing rapidly as providers endeavor to maintain maximum efficiency while navigating a technology-rich climate. As a result of the reliance on electronic data, dental offices have become vulnerable to cybersecurity threats. The growing volume and sophistication of cyberattacks suggest that dental practices will have to grow increasingly vigilant to ward off these threats. A breach of cybersecurity will inevitably lead to significant expenses, both financial and reputational, which can wreak havoc on a practice.
Many dentists believe that cybercriminals are not a threat to their small dental offices. However, given the choice between a large corporation or bank with a security team and firewalls, and a dental office with neither, an attacker will choose the latter. In fact, many hackers specifically target small dental offices because they expect that a small business lacks the resources for sophisticated security devices and does not enforce employee security policies. Much attack traffic is also automated: it scans for any vulnerable system it can reach, regardless of who owns it or how small the practice is.
Small practices hold a vast amount of data, including names, health histories, addresses, birthdates, Social Security numbers, and even banking information of hundreds, if not thousands, of patients. The threat of this information being stolen by a staff member or a cybercriminal is great, and practice owners must address this concern before a theft creates a legal nightmare.
Health-care organizations make up roughly 33% of all data security breaches across all industries; the health-care industry is the most breached industry in the United States. According to the U.S. Department of Health and Human Services, almost 21,000,000 health records have been compromised since September 2009. It has been shown that human error causes the majority of personal health information data breaches, and that actions of health-care employees cause three times as many breaches as external attacks.
The most common causes of data breaches in health-care organizations are theft, hacking, unauthorized access or disclosure, lost records and devices, and improper record disposal. A significant proportion of health-care breaches are a result of lost or stolen mobile devices, tablets, and laptops. In addition, security breaches are not solely inflicted upon the large HMOs, as more than half of all organizations that suffer from security breaches have fewer than 1,000 employees.
The Health Insurance Portability and Accountability Act requires health-care providers to maintain the privacy of patient health information, and to take security measures to protect this information from abuse by staff members, hackers, and thieves. The penalties imposed upon health-care providers for HIPAA violations, enforced by the HHS Office for Civil Rights, are great. The monetary penalties range from $100 to $50,000 per violation, depending on the level of culpability, with a maximum of $1,500,000 per calendar year for violations of an identical provision; these figures are adjusted for inflation. In addition, dentists may face penalties imposed at the state level, as well as lawsuits filed by patients whose health information has been compromised.
It is crucial for dentists to take steps to ensure that their practices comply with the HIPAA Security Rule. Because the majority of security breaches occur when staff members fail to follow office procedures or exercise poor judgment, how computers are placed and used in the dental office matters. Screens should be positioned where patients and visitors cannot read them, and each computer should require each staff member to log in with his or her own strong password; shared logins make it impossible to tell who accessed a record, and HIPAA requires unique user identification for exactly that reason. Passwords should contain mixed-case letters and include numbers or symbols, should not be reused across systems, and should be changed regularly and immediately if compromise is suspected; a departing staff member's account should be disabled on his or her last day. Passwords should not be written down under keyboards or left on desks or surfaces where the public could see them, and workstations should lock automatically after a short period of inactivity. Dentists should ensure that all staff members understand the importance of maintaining the privacy of patient health information.
Every dental practice should have a written policy that sets out the steps for safeguarding patient information, and should train staff members on how to comply with it. A strict Internet and computer use policy should prohibit staff members from checking personal e-mail accounts or visiting Internet sites that are not work-related on practice computers. Dentists should also ensure that firewalls, operating systems, hardware, and software are kept up to date with security patches, and that wireless networks are encrypted (WPA2 or WPA3 with a strong passphrase), with any guest Wi-Fi offered to patients kept on a separate network from the systems that hold patient records; merely hiding a network name does not protect it. Antivirus software should be installed on every computer, kept updated, and checked regularly. Practice data should also be backed up regularly, with the backups tested and kept where an intruder on the office network cannot reach them, so that a ransomware infection or hardware failure does not take the practice offline; a data backup plan is itself a requirement of the HIPAA Security Rule.
When accessing office data remotely, dentists should use only trusted Wi-Fi networks (or a VPN when a trusted network is not available) and never use shared computers. Smartphones and tablets should be protected with a passcode, have their storage encrypted, and support remote wipe, so that a lost or stolen device does not expose patient information; under the HIPAA Breach Notification Rule, the loss of a device whose data is properly encrypted is generally not a reportable breach, while the loss of an unencrypted one is. All hard copies of documents with patient information should be shredded. Finally, patient data transmitted to payers, health plans, labs, and other health-care providers should be encrypted in transit, for example over a TLS-protected connection or a secure file transfer service rather than ordinary e-mail, so that an eavesdropper on the network cannot read it.
Because dental practices are subject to heightened government enforcement and the fines and penalties for data breaches have increased, many dental practices have turned to cyberinsurance for protection in the event of a breach. Depending on its terms, a policy may cover the cost of investigating the incident, notifying affected patients, defending related lawsuits, and, where the law permits, paying regulatory fines and penalties. Coverage limits, exclusions, and the insurability of fines vary by policy and by state, so dentists should read the policy carefully rather than assume that every cost will be reimbursed. Insurance also does not relieve the practice of its own notification and remediation duties after a breach.
It would be prudent for all dentists to invest in data security and in the proper training of staff members. If plans and policies are put in place proactively and steps are followed to ensure HIPAA security compliance, a dental practice can avoid much of the significant cost and disruption involved in responding to a cyber-breach.
If a security breach in a dental office does occur, it is imperative that appropriate action is taken immediately: contain the incident (for example, by disconnecting affected systems from the network without wiping or rebuilding them, so that evidence is preserved), then determine how the breach occurred, what data was exposed, and how many patients were affected. This investigation runs on a deadline. The HIPAA Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 days after the breach is discovered; breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services within that period (and to the media in some cases), while smaller breaches are reported to HHS annually. In addition, the owner of a dental practice must be very careful whom they initially contact and what information they provide. Any disclosure to a third party other than legal counsel for the practice owner may be subject to the rules of discovery if litigation occurs, which could increase the liability exposure of the practice owner; engaging forensic investigators through counsel is one common way to address this.
Stuart J. Oberman, Esq., handles a wide range of legal issues for the dental profession including cybersecurity breaches, employment law, practice sales, OSHA and HIPAA compliance, real estate transactions, lease agreements, noncompete agreements, dental board complaints, and professional corporations. For questions or comments regarding this article, please call (770) 554-1400 or visit www.obermanlaw.com.