What to do After a Dental Data Breach

May 2016

With big healthcare names such as Anthem taking up all the cyber-attack spotlight, it can be too easy to forget that dental data is just as valuable and just as vulnerable as general medical data — that is, until incidents like what recently happened in Wisconsin wake us up to reality.

Just this past February, the data of almost 3,000 individuals was impacted by a flash drive that was stolen from Oneida Health center. The information stolen included dental patient IDs, dates of service, and dental insurance identification numbers. In response. Oneida contacted local law enforcement as well as all affected individuals. Although this was definitely the responsible action to take, there is more we can learn from this incident, specifically around proper response, risk assessment, and creating policies that can help any dental practice avoid ending up in a similar situation (or worse).

Responding The Right Way

Since it takes a local or highly publicized breach to get most practices thinking seriously about data security, we’re going to start with how exactly you should respond. This will apply to theft or loss of a device, someone inside your organization or even an electronic attack from a remote location.

First, you will want to assess the situation. If you’ve had a breach, it’s important to generally understand the extent of the potential damage to which you’ve been exposed. If you are bound by the rules of HIPAA, though, your assessment and response will need to follow very specific guidelines and time limits. It will be especially important for you to understand whether patient information was actually acquired or accessed, as this will determine whether you’re subject to mandatory reporting requirements.

After assessment is complete, it’s time to start thinking  about notification. If a breach has taken place, under HIPAA you are required to let affected individuals (as well as the Department of Health and Human Services) know that their information has been compromised.

If the breach is large enough, you may even have to alert the media. While many practices look at this as a form of “airing dirty laundry,” try to consider this an opportunity to present yourself as a responsible practice, as well as an opportunity to inform your patients of how they can protect themselves if in fact their information has been compromised (via identity theft and fraud protection, credit monitoring, reviewing their medical bills, etc.). As far as the government is concerned, notification requirements will be covered under the HIPAA Breach Notification Rule.

Understanding Your Risk

Whether you’ve experienced an actual breach, or you simply want to avoid making the local news in a bad way, understanding what kind of risks your practice and patient information are subject to on an ongoing basis is crucial.

First, understand that the bigger a role technology plays in your practice, the greater your risk of a data breach. Every mobile phone, tablet, flash drive, and laptop is a potential access point. With a new breed of mobile-friendly practice management and billing systems hitting the market, chances are much of your staff accesses patient information via mobile, meaning that the chances for loss, theft, and even malicious use is higher than it was before the age of the connected dental office.

The same goes for practice management and billing systems that communicate via the Internet, as well as good, old-fashioned email (a particularly vulnerable point for accidental leaks in the form of incorrect recipients or unencrypted attachments).

Creating Effective Policies

Once you understand your level of vulnerability, it’s time to start putting together best practices that will allow you to enjoy the benefits of a connected dental environment with minimal risk.

Here are a few major points you will want to consider:

  • Acceptable use policies around company devices: You may think that rules around company devices are common sense, but don’t take this for granted. Work with your employees in developing best practices and make sure they are written down as well as regularly updated and reviewed.
  • Password protection and use: Employees should be changing passwords regularly and not engaging in compromising practices such as writing them down or sharing them with employees or others outside the office.
  • Encryption: Encryption is a complex topic and one that should be addressed by a security professional. Regardless, if you are sharing information, encryption should be part of your security solution.
  • Best practices around reporting of lost and stolen devices: HIPAA binds you to report breaches to the government, but your employees may be reluctant to report an incident. Make sure they feel comfortable enough with your reaction to admit honest mistakes to keep you informed of potential breaches due to loss, mistakes, or theft.
  • Onboarding and Off-boarding employees: New employees should understand their responsibilities around sensitive data. On the other side of that coin, employees who have been let go or are leaving the organization should also have their accounts and access promptly and properly terminated.

We’ve covered quite a few topics here, but as in most cases around dental information security, it is definitely worth considering bringing in a professional who understands your needs, your threat environment, and the wide range of solutions available to you. Get started by asking colleagues for recommendations and by contacting professional organizations in your area.

Contact the professionals at GPP for information about how to protect the financial health of your dental practice.

Note: This content is accurate as of the date published above and is subject to change. Please seek professional advice before acting on any matter contained in this article.

« Back To eNewsletter Home

16800 N. Dallas Parkway, Suite 240, Dallas, TX 75248   |   Main # 972-818-5300   |   Toll Free # 888-346-5346   |   GPPcpa.com
ArrowArrow
ArrowArrow
Slider