What Dental Practices Need to Know About Cybersecurity & HIPAA Compliance

Ben Yarbrough


Cybersecurity can be overwhelming. Too often the answer is to implement a complex solution, on the assumption that cumbersome complexity brings more security. But you know better.

A dentist would not tell a patient to improve their dental hygiene by flossing 17 times daily with only their left hand and holding their pinky out as if drinking tea with the Queen of England. Cybersecurity and HIPAA compliance don’t need to be that arduous either. At Calyptix, we emphasize simplicity for better outcomes.

When I mentioned my plan to write an article helping dental practitioners better understand cybersecurity, one of our founders, Dr. Yuliang Zheng, an internationally recognized authority in cryptography and network security, suggested I find parallels in the physical world. As the son of a surgeon, I have long heard about the importance of patient compliance in successful outcomes. In cybersecurity, good outcomes also rely on adherence to best practices.

Cybersecurity best practices ensure your organization realizes the return expected on its investment in IT systems and services. At a dental practice, this can include many essential business tools such as VoIP phones, electronic medical records, billing or accounting software, email, workstations, dental x-ray machines, and more.

The availability of these tools is critical to the practice’s day-to-day functioning. At the same time, it is important to ensure that data is protected and that only the right people are allowed access to sensitive information. Whether your systems run in the cloud, on premises, or elsewhere, measures must be taken to ensure they remain secure.

The Business of Fortifying Cybersecurity

Looking at cybersecurity through the lens of dental practices, there are many parallels to help us highlight important best practices.

First, just as you will take X-rays and keep numbered records of the gum recession levels of each individual tooth, you need to inventory all devices and software used in your practice. Additionally, as you might pull wisdom teeth that cause crowding or other problems, you want to have only approved systems on your network.

Offering patients access to WiFi while they wait in the office is par for the course. That guest network should, however, be kept separate from the practice network that holds sensitive patient files and billing records, so that a visitor’s device never shares a network with your systems.

Second, dental hygienists always reiterate the importance of regular brushing and flossing. Similarly, with cybersecurity it is essential to regularly maintain and patch all system hardware and software.

The HIPAA Security Rule calls for dental administrators to evaluate security controls, analyze risks, and develop solutions. This requires regular monitoring of the IT network, similar to regular teeth cleanings. Those visits are how the dentist identifies dental health risks and gains the ability to take proactive steps. Reviewing logs and alerts can help spot cybersecurity risks.

Third, in both environments the tools used (whether a night guard against teeth grinding or a firewall for a computer network) have specific purposes. You would not expect someone to solve a grinding problem with flossing. Likewise, Remote Desktop Protocol (RDP) may let dentists work from home, but it does nothing to protect the systems it exposes from attackers overseas. That job calls for a control built for it, such as a geofencing policy.

Creating a Culture of Cybersecurity

Finally, we return to my father’s focal point: patient compliance. In cybersecurity, this translates to user behavior. The patient is more likely to comply when there is a reward or recognition. That is why the cavity-free child gets a sticker or toy from the machine in the practice lobby. Your system users are also more likely to modify behaviors if your practice promotes a culture of cybersecurity.

Cybersecurity is an iterative and never-ending process. You must work toward continued improvement; there is no silver-bullet solution. A dental practitioner can create a culture that encourages users to ask questions and think before they act. This can help prevent an employee from clicking on a phishing email or downloading an attachment that infects practice computers with ransomware.

Promote cyber awareness by encouraging continuous learning and offering training. Communicating cybersecurity priorities only goes so far. You need to demonstrate the importance of protecting Protected Health Information (PHI) by taking the utmost care with computer and paper files, X-rays, appointment schedules, medical bills, dictation notes, and information entered into the patient portal. When your users see that the boss, and everyone else, is prioritizing HIPAA Privacy Rule compliance, the culture change is more likely to take root.

Being strict in the face of noncompliance will only go so far. Instead, consider system configurations to help drive the behavioral changes that eliminate threats to critical IT systems. For example, rather than banning employees from checking personal email on office devices, set up a separate computer in the break room for personal use. If your office allows employees to use personal devices, dedicate a segregated wireless access point for the staff’s personal use.

Getting the Cybersecurity Support You Need

Your patients come to you because they do not have the expertise to fill their cavities or replace a crown on their own. Dental practices, likewise, turn to IT experts to help them set up equipment and processes that offer the cybersecurity needed to remain compliant and protect patient and employee privacy.

As cloud-based practice management grows more common, Internet availability becomes a major challenge. Having a router that can support failover WAN connections is critical. Otherwise, if the Internet goes offline, the office is offline.

An IT partner can also help your practice follow other cybersecurity best practices such as:

  • Limit access on an as-needed basis.
  • Establish a backup plan for business data.
  • Ensure credit card processors pass annual PCI scans.
  • Keep up with industry standards and compliance regulations.
  • Implement multi-factor authentication.

At Calyptix Security, we work with many managed service providers that serve dental practice cybersecurity needs. Our purpose-built all-in-one solution for network security and management helps keep customers’ connections fast and reliable, while saving them time and money. Invest in your cyber hygiene, and it will help keep your business on the right side of HIPAA compliance and on the path to long-term success.

Mr. Yarbrough, CEO of Calyptix Security Corporation, has a strong history working in the computer and network security industry. The University of Virginia Law School grad is a lawyer skilled in firewalls, managed services, business development, and entrepreneurship. In addition to working with small businesses to secure their networks, Yarbrough does also floss daily.
