Lorne Lavine, DMD, discusses the HIPAA and cybersecurity issues that dentists are currently facing.
Q: What is the single biggest threat that dentists face when it comes to cybersecurity?
A: In my opinion, the biggest threat is ransomware. These are the viruses that will lock your critical files until you pay a “ransom” to get the unlock key. The ransom can range from as little as $300 to as high as $5,000 or more. There are a number of reasons why these viruses are so worrisome. First and foremost, they can be incredibly disruptive to the practice. Even if you have a good, encrypted offsite backup, you are typically looking at at least a day of downtime to remove the virus and then restore from a clean backup. The bigger concern, though, is the HIPAA ramifications. Back in 2016, the Office of Civil Rights (OCR) released a memo confirming that a ransomware infection is, in fact, a breach. Most of us don’t think of a breach in those terms. We think of a breach as someone hacking into the network or stealing a computer. But, as far as OCR is concerned, any time you lose control of your data, you have suffered a breach.
Q: So, why is a breach such a big deal?
A: While there are many HIPAA rules and regulations that are ambiguous or unspecific, the Breach Notification rule is quite clear: You must notify all patients in writing, informing them about the breach and what data may have been compromised (e.g., Social Security numbers, credit card numbers, etc.). You also have to notify the local news media, as well as have your practice permanently listed on the Health and Human Services’ “Wall of Shame.” It is also considered standard of care to provide credit monitoring for the affected patients for at least a year or longer. When you add up the fines and penalties, legal fees, and loss of income from those patients who may leave your practice (and many will), this becomes a loss of hundreds of thousands of dollars or more.
Q: Is there any recourse if this happens?
A: Yes, fortunately, there is. When the Omnibus Final HIPAA rules were released in 2013, they changed things slightly to say that if you can verify that there is a very low risk that the data was compromised, then you do not have to declare a breach. Your best “get-out-of-jail-free card” is encryption. If you encrypt all of your data (servers, backup devices, laptops, etc), and have it documented in your HIPAA manual, then you may not need to declare a formal breach.
Q: If I do get a ransomware virus, what should I do? How do I remove it?
A: Unless you are proficient in handling virus removal, work with an IT company that can assist you in removing the virus. It won’t get your data unlocked, but it will at least ensure that you do not continually have this happening. As long as you have a clean backup that is recent, I always recommend restoring from that instead of paying the ransom; there have been many cases of people paying the ransom and not receiving the unlock key. However, if you do not have a good backup, then paying the ransom may be your only option.
Q: So, how do I prevent a ransomware infection?
A: First and foremost, it starts with staff training. The most common entry for viruses and ransomware is through someone clicking on a link in an email or going to a sketchy website. It’s imperative that you educate your staff (and yourself!) on how to recognize an email that may not be safe. Never click on links or open attachments that come from strangers, and even if it appears to be from someone you know, be careful: The people who send out these malicious programs can often “spoof” the email of someone in your contact list. If you weren’t expecting an email with an attachment from someone, then be careful! Second, you need to have proper protections in place. It starts with an enterprise-grade firewall (not the home-use routers that many people use in their offices). Many firewalls can handle the antimalware protection through an annual subscription. If you prefer to use software, most antivirus programs do an okay job detecting ransomware, but I usually suggest getting a separate program just to deal with ransomware; it’s a small investment to make for your security and peace of mind.
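The warning signs Dr. Lavine lists (a familiar name that does not line up with where the mail actually came from, an attachment you were not expecting) can also be checked mechanically. The script below is an added example, not part of the interview and not a tool Dr. Lavine recommends; the contact list, the two messages and the risky-extension list are all constructed for illustration. It compares the From address against the contact list, against the Return-Path the receiving mail server recorded, and against any Reply-To, then inspects attachments for executable and double extensions.

```python
import email
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Constructed contact list for a hypothetical practice (not from the interview).
KNOWN_CONTACTS = {"drsmith@example-dental.com"}

# File types that should never arrive unannounced in an office inbox (illustrative list).
RISKY_SUFFIXES = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".lnk", ".iso"}

# Constructed sample: a genuine message from a colleague in the contact list.
LEGIT_MESSAGE = """From: Dr. Smith <drsmith@example-dental.com>
Return-Path: <drsmith@example-dental.com>
Subject: Referral for Tuesday
Content-Type: text/plain

Sending over the referral we discussed.
"""

# Constructed sample: display name and From address copied from a real contact,
# but the bounce address and Reply-To point elsewhere, and an executable with a
# double extension is attached.
SPOOFED_MESSAGE = """From: Dr. Smith <drsmith@example-dental.com>
Return-Path: <bounce-4471@mailer.example.net>
Reply-To: drsmith.billing@example-mail.net
Subject: Overdue invoice attached
Content-Type: multipart/mixed; boundary="part"

--part
Content-Type: text/plain

Please open the attached invoice today.
--part
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--part--
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_message(raw: str, contacts: set, expecting_attachment: bool = False) -> list:
    """Return human-readable warnings for one raw RFC 822 message; empty means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    if from_addr not in contacts:
        warnings.append(f"sender {from_addr or '<none>'} is not in the contact list")

    # A forged From header rarely matches the envelope sender the mail server recorded.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != _domain(from_addr):
        warnings.append(
            f"Return-Path domain {_domain(return_path)} differs from From domain {_domain(from_addr)}"
        )

    # A Reply-To pointing elsewhere sends your answer to the attacker, not to your contact.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        warnings.append(f"Reply-To {reply_to} differs from From address {from_addr}")

    # Attachments: unexpected ones, executable types, and "invoice.pdf.exe" style double extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not expecting_attachment:
            warnings.append(f"unexpected attachment {name!r}")
        if suffixes and suffixes[-1] in RISKY_SUFFIXES:
            warnings.append(f"attachment {name!r} is an executable type")
        if len(suffixes) > 1:
            warnings.append(f"attachment {name!r} has a double extension")
    return warnings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, assess_message(raw, KNOWN_CONTACTS) or ["no red flags"])
```

A mail gateway that enforces SPF, DKIM and DMARC handles the sender checks far more reliably than header heuristics, and the script is not a substitute for that; its value is that the mismatches it flags (Reply-To, envelope sender, attachment name) are exactly the things a trained staff member can look at before clicking.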
Q: You talked about a “good” backup, but what does that mean?
A: I have not seen a ransomware virus affect an encrypted backup yet. That does not mean it cannot happen, just that I have yet to see it. Many viruses can travel to other devices on your network, so a local backup is not enough; you must have something offsite. I prefer cloud services for this, but if cost is a concern, an encrypted hard drive that is removed from the office every night will suffice in a pinch. Of course, there are many HIPAA rules that cover backups. Not only do they need to be retrievable (offsite), but you must also test and verify the backup on a regular basis. Do not trust the software telling you the backup was successful as your test. The best way to test and verify is to simply power down your server and then see how long it takes you to recover from that. If the answer is measured in days, then it is time to re-evaluate your backup protocol!
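Dr. Lavine's point that a "backup succeeded" message is not a test can be turned into a routine check. The script below is an added example, not part of the interview and not a product or procedure he describes; the practice files, the file names and the ransomware simulation are all constructed. It records a SHA-256 manifest of the live data, restores each nightly archive into a scratch directory and compares every restored file against the manifest, so a backup job that silently captured already-encrypted files fails verification instead of being trusted.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(root: Path, archive: Path) -> Path:
    """Stand-in for the nightly backup job: a gzipped tar of the data directory."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return archive


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and diff it against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # 'data' filter refuses absolute paths and ".." traversal (Python 3.12+,
                # backported to patched 3.8-3.11); older interpreters fall back below.
                tar.extractall(dest, filter="data")
            except TypeError:
                tar.extractall(dest)
        restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    mismatched = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {
        "ok": not (missing or extra or mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def run_demo() -> dict:
    """Two simulated nights: a clean backup, then one taken after files were encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "practice_data"
        (src / "xrays").mkdir(parents=True)
        # Constructed sample data standing in for practice-management files.
        (src / "patients.db").write_bytes(b"constructed sample patient records\n" * 100)
        (src / "xrays" / "p1.bin").write_bytes(os.urandom(4096))
        (src / "notes.txt").write_text("constructed chart notes\n")

        # Manifest taken while the data is known good; store it with the offsite copy.
        manifest = build_manifest(src)
        night1 = verify_restore(create_backup(src, work / "night1.tgz"), manifest)

        # Simulated ransomware: patients.db is overwritten with ciphertext in place.
        # The backup job still runs and still reports success.
        (src / "patients.db").write_bytes(os.urandom(1024))
        night2 = verify_restore(create_backup(src, work / "night2.tgz"), manifest)
        return {"night1": night1, "night2": night2}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest has to live somewhere the ransomware cannot reach (with the offsite copy, for instance), or an attacker who encrypts the data can also rewrite the hashes. A hash comparison also does not replace the timed full-restore drill Dr. Lavine describes, which is the only thing that tells you how long recovery actually takes.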
Q: Are there other classic mistakes that dental offices are making?
A: Yes. The number one mistake I see is practices that have not done a proper risk assessment, nor do they have a formal HIPAA Management Plan in place. The HIPAA rule on this is notoriously vague, with just a single sentence that says you must do a risk assessment. However, if you ever get audited, they expect something pretty comprehensive; filling out a 5-minute questionnaire online won’t cut it! While it only officially applies to federal clinics, the National Institute of Standards and Technology publication 800-30 is considered the “gold standard,” and you should use this as a jumping-off point. Or, just hire someone who does this for a living to help you with it.
Dr. Lavine, founder and president of The Digital Dentist, has more than 34 years of experience in the dental and dental technology fields. He is a leading expert on HIPAA and cybersecurity for dental offices. He can be reached at (866) 204-3398 or via email at email@example.com.