How to improve data security in your practice
If you are a dentist running a dental practice, you are probably also the de facto chief technology officer, which means you’re the one ultimately responsible for protecting PHI. There are many threats to the security of your patients’ data—ransomware, disaster, physical theft, and regular old broken technology. Here’s what you can do to protect your practice’s most valuable asset.
If you are the typical North American dentist, you own a practice and employ a handful of people. In short, you are a small business owner. As president, as the saying goes, you wear many hats. You don’t necessarily need to know how everything works—rather, your responsibility is to make sure responsibilities are handled successfully.
One of the hats you wear is that of the chief technology officer, and you’re responsible for the security of your patients’ oral health information. Here are four key areas to remember.
Keep your PHI physically secure
The Office of Health and Human Services has a list of physical safeguard requirements to which you must adhere to remain HIPAA compliant. If a server sits under your roof, you have some hoops to jump through. If your practice is on the cloud, compliance to these physical safeguards is greatly simplified. In any event, I think you would agree that protecting your patients’ information is paramount. Here are four simple things you can do to improve physical security:
- Create and maintain adequate perimeter security (e.g., security systems, video surveillance).
- Position your server in a locked enclosure. Only authorized team members should have physical access to your server. If your server is under your desk or in the broom closet, you should make a change right away.
- Make sure every computer requires a login and is locked when not in use.
- Maintain a daily backup process. Make sure your backup will restore and that backup media is carefully tracked, secured, readily accessible in the event of disaster, and when the time comes, is properly disposed.
If you move your practice to the cloud, securing your data is greatly simplified. A cloud-based management system removes PHI from your practice, minimizing the risk of a breach from theft, making it highly accessible in the event of disaster, and providing a built-in backup process.
Keep your PHI digitally secure
Ransomware is today’s biggest threat. Make sure your team is educated and policies are strictly enforced. You should also use an encrypted backup, back up locally and offsite, invest in antiransomware software, and invest in an enterprise-level firewall, according to my communications with Dr. Lorne Lavine, a certified HIPAA security professional.
Security is a natural benefit of cloud-based dental software because the systems involved are architected and maintained by a professional data center. Further, because your data is not stored locally, it cannot be held for ransom.
Expect your server to fail
Budgeting for the enevitable failure of your server is 100% your responsibility. Most IT professionals will advise you to replace your server according to the manufacturer’s warranty and recommendations, usually from three to five years.1 Diligent financial planning will make sure you have the capital available to replace your server. Moving your practice to the cloud may avoid recurring server investments altogether.
Plan for disaster and theft
I spoke to Dr. Zarian Rasheed shortly after her Houston practice was severely damaged by Hurricane Harvey. She recounted to me that when she purchased the building for her practice, she was assured by neighbors flooding had never affected the neighborhood. Yet as she hauled soaked carpet out of her practice, surely there was a lesson to be learned: you must always be prepared for the worst.
In Dr. Rasheed’s case, she had prepared for the worst by moving her practice to the cloud. While the physical condition of her practice was in bad shape, the most vital part of her practice, her patients’ data, was never at risk.
One morning, Dr. Saljae Aurora of Vancouver, British Columbia, drove to his practice to find the front door forced open and his computers gone. Fortunately for Dr. Aurora, his patient data is on the cloud, not on local computers, which saved him from having a difficult conversation with his patients.
If the cloud is not an option for your practice, you can still plan for the worst. An offsite backup, with the necessary media to restore both your management system and your data, only makes sense. In the event of theft, an encrypted database and backup is optimum; however, a local encryption of your database is completely dependent upon your dental software provider and may not be possible. In the worst-case scenario, perimeter security becomes even more important.
With the help of an IT professional and the support of your team, a little thought and planning in each of these four areas will reward you with better data security. Then you can try on another hat. And the adventure continues!
1. Dyer G. How often should I replace my servers? https://www.revolutiongroup.com/blog/how-often-should-i-replace-my-servers/. Published February 17, 2017.
Andy Jensen is vice president and CMO at Curve Dental Inc., a software development company that provides web-based management solutions for dentists and dental groups. You can learn more about choosing the right software by downloading a free dental software buyer’s guide at curvedental.com/buyers-guide.