Small practices are the preferred targets of cyber attacks
By Debi Carr, AADOM, ADMC, HIMSS, IAPP, ISC2, ISACA, ISSA
“Could there have been something we could have done differently?” I’ve heard this question often in dental offices over the past few years when it comes to ransomware attacks and hardware failures. My response is still a resounding yes! Offices can take steps to keep today’s busy hackers away from their systems.
A security management plan is required under HIPAA law. On January 5, 2021, HR 7898 was signed, which amends HIPAA to create a safe harbor requiring a more robust security management plan. Private practices often ignore HIPAA and security requirements, thinking they are too small to be targeted or that compliance is too expensive. Unfortunately, small practices remain the primary targets of cyber attacks, and these attacks can be very costly.
“Health care providers owe it to their patients to comply with HIPAA rules,” said Roger Severino, former director of the Office for Civil Rights. “When notified of potential HIPAA violations, providers owe it to their patients to resolve issues quickly in order to protect individuals’ health information.”
Here’s how I answer the practice’s question: “Was there something we could have done differently?” I advise them to implement a written security management plan and to treat it as an ongoing, evolving process. A security management plan is a practice’s security strategy. Team members often mistakenly think that the annual HIPAA training and their IT company are all the security their office needs. Their IT company makes sure they’re HIPAA compliant, right? However, these myths can be very costly.
How does a plan work?
A strong security management plan begins with identifying the information essential to the operation of the practice, such as the data in accounting software and practice management applications. Patient information is often hosted in other applications as well, so knowing where your information is created, transmitted and stored is essential to a security plan.
A good starting point when implementing a security management plan is to perform a risk analysis. It’s mandatory under HIPAA, but it’s also a good idea because it gives insight into your security posture. A risk analysis should be performed annually or whenever there are changes in your environment. It should include a review of your required administrative, physical and technical controls. The aim is to uncover vulnerabilities that put patient information at risk.
Another aspect of a strong security management plan is having policies and procedures in place that guide your team on how patient and practice information should be handled. These should be in writing and available to all team members, who should receive regular training on security policies and procedures, including awareness training. We know that most infections come into a practice through malicious emails. Training team members to identify these emails is essential to a strong security management plan.
Create and implement a backup protocol that enables rapid recovery. Full on-site system backups enable rapid recovery in the event of a hardware failure. Offsite backups preserve critical data but do not provide a fast recovery time; however, they are useful if something happens to the premises, such as a fire or natural disaster. There should always be a backup that is not connected to the network in any way. Too often, when malicious actors gain access, they delete both onsite and offsite backups. Having a disconnected backup of the backups helps guard against this scenario. It is important to make backup testing part of your security management plan.
By following these suggestions and realizing that the expense is worth it, you can help protect your practice from today’s active hackers.
Debi Carr is a consultant and speaker in cybersecurity and crisis management, and CEO of DK Carr and Associates LLC. She helps private practices achieve and maintain HIPAA HITECH compliance, including performing risk analysis, team security training, crisis management, and incident response. Carr holds multiple certifications, including Healthcare Information Security and Privacy Practitioner and Certified Healthcare Management and Information Systems Associate, and is a member of AADOM, ADMC, HIMSS, ISC2, ISSA, ISACA, InfraGard and SCN.