Protecting patient data is a critical part of the modern dental practice – especially in light of HIPAA requirements. How does this translate into daily operations at your practice? Tom Terronez of Medix Dental has put together some tips to make sure you are doing all you can to protect your patient’s data…
1. Are you emailing patient information and digital x-rays to other doctors? Make sure that your office and the receiving office utilize encrypted email services. If you don’t, your data can easily be read on its path from your practice to theirs. HIPAA states that you are responsible for making a reasonable attempt at protecting your data.
2. Do you have a wireless router in your office? If you are using wireless Internet for internal purposes, make sure your router is a current model with the latest security standards. Most wireless routers (especially those purchased from retail outlets) do not default to their most secure settings, making them susceptible even for entry-level hackers.
Do you want to be a HOT SPOT and provide free Internet to waiting patients? Make sure your wireless router is segmented (isolated) from your primary network.
3. It is very important to lock down access to your computers at the end of the day. At the very least, you should log out of your practice management software on all workstations to prevent someone who has access to the office (cleaning people, landlord, or intruder) from easily accessing patient files.
An even better method is to password-protect and completely log off your computer at the end of the day, which will prevent access to documents that are stored outside your practice management software. These are very simple processes to implement.
4. Are you backing up your data properly? In more cases than not, the tapes you are swapping or the portable hard drives you are lugging around are not enough. Tapes can wear out and sometimes do not correctly back up your data. If you are using tapes, then you should regularly conduct test restores to assure that the data you need is being backed up. Portable hard drives, while cheap and easy, can result in the same problems as tapes. Make sure you conduct test restores. In addition, most backups to portable hard drives are not encrypted. This means anyone who plugs in your drive can steal your data.
There are many options available today. There are a lot of good remote backup solutions that use the Internet, but encrypt the data so it is protected. Also, there are new disaster recovery systems that back up data to a local storage device as well as a remote location. Make sure your backups happen regularly and that whatever you back up to is in a safe place outside your office. You can never back up too often or too securely.
5. Is your practice anti-virus and anti-malware software current? It is very important that every computer in your practice is protected by current anti-virus and anti-malware software. It significantly decreases the likelihood of a malicious infection. Unfortunately, it is not 100% foolproof, as users can still bypass threat warnings to access something they think they need. In addition to the software with an active update subscription, your staff needs to be educated on what websites to go to and not to go to. A firewall with built-in anti-virus software and filtering can further enhance security and protect from operator error.
It is well worth the effort to make sure that your practice’s data is secure and protected. After all, your practice data is a good portion of your business. What would you do without it?
Tom Terronez is president of Medix Dental, a dental technology consulting company that provides dental practices the technical expertise, resourcefulness and solutions that will increase productivity and make their practice the best practice they can be. For more information, visit www.medixdental.com.
12 responses so far ↓
1 Cosmetic Dentistry Melbourne // Oct 6, 2009 at 11:00 pm
To help insure the safe keeping of their data, some dentists backup and store their critical files in a fire-proof safe on premises. While this provides adequate compliance with HIPAA’s Final Security Rule, it may not protect your data against terror-related events.
2 D. Kellus Pruitt DDS // Oct 8, 2009 at 7:21 am
Why do x-rays have to be encrypted? Nobody cares what is on dental x-rays.
3 D. Kellus Pruitt DDS // Oct 10, 2009 at 7:17 am
Seriously, Tom, why do dental x-rays have to be encrypted?
D. Kellus Pruitt DDS
4 Cambridge dentist // Oct 12, 2009 at 4:24 am
Yeah, i am also agree with you that in this digital world it is very important to protect information not only from viruses but also from unauthorized access. Either the information belong from dental or any other fields. I think in this world aspect of security is the new challenge infront of us.
5 Martin Eichelman // Oct 12, 2009 at 1:32 pm
Dr. Pruitt:
If you’re simply sending along jpeg images, you are usually correct in assuming there is little (if no) identifying information on the image itself that could be traced back to a particular patient without something related in the content of the email. Things get a little more complicated when you send along DICOM exports, however, as the patient’s name, your name/practice name, the software you use, the name of your system, etc. are embedded in the files. This could easily be construed as a privacy/HIPAA violation in the wrong hands. So for the purpose of covering all situations with one article, likely to be safe than sorry for recommending encryption.
6 D. Kellus Pruitt DDS // Oct 13, 2009 at 1:33 pm
Thanks for responding Martin Eichelman. “This could easily be construed as a privacy/HIPAA violation in the wrong hands.”
Where are the wrong hands? Nobody cares what is in dental records other than the patient and the dentist. Why make life so complicated?
7 Martin Eichelman // Oct 14, 2009 at 7:31 pm
Unfortunately, the “wrong hands” are out there, Doctor. And in many cases, it only takes a small amount of information captured from an email transmission. With that few pieces of personal information, an “innocent” call is made to your office in an attempt to gather a few more bits of personal information. And this continues until they have enough to open credit accounts, etc. in the patient’s name.
A bit far-fetched? Not really. There were several cases of this occurring on large scales over the past two-three years. As a business owner (which I am) of any type, I wouldn’t want my business to the be source of information that started the breach of privacy for my clients/customers.
8 D. Kellus Pruitt DDS // Oct 16, 2009 at 10:48 am
Personal information in the wrong hands? This is still about cavities in teeth and gum problems, isn’t it? There is simply no black market for that information, even from toothpaste manufacturers. And there never will be. What wrong hands are you referring to?
First of all, Mr. Eichelman, I think it is wonderful that you and I are having this unprecedented and transparent conversation about digital dental records, and I appreciate your patience with me. It is my opinion that there is a lot of misinformation on the Internet about what data is important to safeguard and what is not. I say nobody cares about dental information, yet you defend its security because of what I must call an imaginative domino theory.
And then again, does it even matter that we worry about security at all? A few weeks ago, HHS Secretary Kathleen Sebelius came up with the idea that a data breach from a dental office doesn’t have to be reported if the doctor doesn’t think it will cause anyone any harm.
Where is the front line, Mr. Eichelman?
9 Martin Eichelman // Oct 17, 2009 at 5:36 pm
Doctor,
You are absolutely entitled to your opinion. I only hope you understand that others are entitled to their opinion as well. I was attempting to answer a question in direct relation to the original article.
I’m encouraged that you’re willing to question the need for security, but to ask me to provide absolute proof to disway any and all questions you have is a bit much. I am not the absolute authority that makes the rules. I am only attempting to protect business and personal information from data breaches that can have lasting negative effects. If you doubt these events occur, I can only point you to your favorite search engine for a bit of a proof.
As for anything the HHS Secretary has or has not said, I’m unclear how that has anything to do with me, but I also have no interest in a protracted argument of medical/dental business policy. Again, I don’t set the rules or even have a say. I think you’ve mistaken my answers to pointed questions for some type of activist agenda.
As I said in the beginning, you are absolutely entitled to your opinion.
10 Brian Hatch // Oct 18, 2009 at 8:59 pm
Does the personal health information necessarily kept there for treatment purposes present a possibility of damaging the patient if it got out? For instance, if the patient were on medication for a sexually transmitted disease, or if any othe infomation about that disease was in the dentist’s office, and it got out to someone who decided to make it public, who would pay for the damage to the patient’s reputation because the information breach took place. An employer was recently sued for an employee who used another employee’s health information on that very topic and published it on the internet. A dentist could be sued in the same way. In this age of increasing personal information availabilitydental offices have too much personal information not to take appropriate precautions as a definite rule.
Brian Hatch-publisher-Dental Practice Legal Update
11 D. Kellus Pruitt DDS // Oct 19, 2009 at 4:10 pm
Thank you, Mr. Eichelman and Mr. Hatch,
First of all, Mr. Eichelman, I’m not asking for you to defend a law that says dental x-rays are Protected Health Information. I think we both know that it’s indefensible even before its costs and the inability of the HIPAA Act to safeguard PHI. As you and others in the HIT business have said to me more than once, “My job is to help dentists to be compliant with HIPAA. I make money, not law.”
Even if you would rather not discuss the Rule’s inability to add value to dental care, I think it is important for readers to know both sides of the story. Accurate news about the absurdity both you and I recognize is not well known. Not yet. And if dentists are provided the balanced information they deserve from stakeholders, some may elect to abandon computerization rather than subject their practices to HHS inspections. It would be more ethical to provide dentists the whole story.
Does enforcement of HIPAA regulations cost money? You bet. Is it worth it? I say no child in America should go to bed with a toothache because of the expense of absurdity.
For Mr. Hatch, I ask why medical histories must be included in dental information outside a dentist’s practice. Without attached medical information, dental information is worthless to everyone except the patient’s dentist and possibly those who might just conduct open-source evidence-based dental research -without a worry from HIPAA.
We shouldn’t let the HHS stand in the way of progress.
D. Kellus Pruitt DDS
12 Dental Website Marketing UK // Jun 11, 2010 at 1:39 am
Informative conversation between D. Kellus Pruitt DDS and Martin Eichelman. Dentist builds paperless practice & complies with HIPAA Security Rule using an Iomega® NAS Storage Server. Please read – http://a248.e.akamai.net/f/248/3214/1d/www.zones.com/images/pdf/ss_nas_cs_hc01.pdf
Leave a Comment