The entire dental industry is, increasingly, in the crosshairs of regulators and lawyers focused on safeguarding protected health information (PHI). The “bad guys” want to steal your customers’ data, and regulators want to punish you if the bad guys succeed.
The dental industry suffers the same trends and penalties as the rest of health care, including an uptick in cyber-attacks, social engineering, malware, and cyber ransom that can cost millions of dollars for response, credit monitoring, and fines. The Office of Civil Rights (OCR) is taking a closer look at how PHI is protected—across all forms of healthcare, including dentistry.
No. 1 Cause of Breaches: Theft
It may be surprising, but half of all dental PHI breaches are caused by theft.
In a single case in Nevada in 2015, 12,000 records were compromised when a device with unencrypted data was stolen. In another, the theft of a laptop from a business associate's car impacted 76,000 victims.
Other types of incidents are surfacing, however. One dental practice last year exposed 151,000 records, complete with patient names, Social Security numbers, birth dates, phone numbers, and home addresses when hackers used malware to obtain an employee’s user name and password for the practice’s membership database.
Sense of urgency needed
Theft and hacking are just the beginning. An increasingly popular tactic is crypto-ransomware, a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it.
In fact, ransomware has become so pervasive that the FBI has warned it is now one of the biggest threats to consumers and businesses. Victims can infect their computers by clicking on links in malicious e-mails that appear to be from legitimate businesses, through compromised advertisements on popular websites, or by simply visiting the wrong website. This was discovered in one major case in California, where a hacker used crypto-ransomware downloaded via a browser drive-by (visiting compromised websites), which resulted in the practice being taken offline for several days. Data recovery using backups was only the beginning; the dental practice had to notify regulators, and a federal investigation ensued.
Data breaches are crippling because practices can experience millions of dollars in losses from lost business, fines, remediation, and litigation.
How protected are you?
One way for dentists to avoid a PHI breach or loss is to regularly conduct HIPAA security risk assessments (SRAs). SRAs look at the current state of affairs and then provide a remediation roadmap to correct gaps in compliance from a technical, physical, and administrative perspective.
Another way to reduce risk is to use cloud computing. Storing data in the cloud is a popular choice for dentists due to its agility and cost-effectiveness. By moving their servers from the office to the cloud, dentists remove the number one cause of compromised PHI: physical theft of the server due to insecure office environments.
Henry Schein TechCentral and its security partner, ClearDATA, can conduct SRAs and offer cloud technologies and managed services that can help you protect your practice from data thieves. To learn more about TechCentral support and maintenance options, call 877.483.0382 or visit www.henryscheintechcentral.com.
About the Author: Chris Bowen is the Founder and Chief Privacy & Security Officer of ClearDATA. He is responsible for ClearDATA’s defense-in-depth approach to cybersecurity and privacy by design. A security partner of Henry Schein TechCentral, ClearDATA conducts SRAs and offers cloud technologies and managed services that can play an important role in protecting dental practices from data thieves.