By Stuart J. Oberman, Esq.
The provision of health care is changing rapidly as providers try to maintain maximum efficiency while navigating a technology-rich climate. As a result of their reliance on electronic data, dental offices have become vulnerable to cyber security threats. The growing volume and sophistication of cyber attacks suggest that dental practices will have to grow increasingly vigilant to ward off these threats. A breach of cyber security will inevitably lead to significant expenses, both financial and reputational, which can wreak havoc on a dental practice.
Many dentists believe that cyber criminals are not a threat to their small dental offices. However, when choosing between a large corporation or bank with security teams and firewalls, or a dental office with no firewall or security team, a dental practice will become the target. In fact, many hackers specifically target small dental offices because they believe small businesses don’t have the resources for sophisticated security devices and do not enforce employee security policies.
Dental practices are becoming targets for cyber criminals more frequently. These offices hold a vast amount of data, including names, health histories, addresses, birthdates, social security numbers, and even banking information of hundreds, if not thousands, of patients. The threat of this information being stolen by a staff member or a cyber criminal is great, and dental practice owners must address this concern before a theft creates a legal nightmare for the practice.
Health care organizations make up roughly 33% of all data security breaches across all industries, and the health care industry is the most breached industry in the U.S. According to the U.S. Department of Health and Human Services, almost 21,000,000 health records have been compromised since September 2009. It’s been shown that human error causes the majority of personal health information data breaches, and that the actions of health-care employees cause three times as many breaches as external attacks.
The most common causes of data breaches in health care organizations are theft, hacking, unauthorized access or disclosure, lost records and devices, and improper disposal of records. A significant proportion of health care breaches are a result of lost or stolen mobile devices, tablets, and laptops. Security breaches are not inflicted solely upon the large HMOs, as more than half of all organizations that suffer from security breaches have fewer than 1,000 employees.
The Health Insurance Portability and Accountability Act (HIPAA) requires health-care providers to maintain the privacy of patient health information, and to take security measures to protect this information from abuse by staff members, hackers, and thieves. The penalties imposed on health-care providers for HIPAA violations are great. Monetary penalties can range from a $100 fine to a $50,000 fine per violation, with a $1,500,000 maximum annual penalty. In addition to federal penalties, dentists may face penalties imposed at the state level, as well as lawsuits filed by disgruntled patients whose health information was compromised.
It’s crucial for dentists to take steps to ensure that their practice is in compliance with HIPAA provisions regarding computer security. Because the majority of data security breaches occur when staff members exercise poor judgment or fail to follow office procedures, the location of computers in the dental office is key. All computers should be placed in areas where the computer screens are not visible to patients and visitors, and each computer should be protected with encrypted passwords. Passwords should contain mixed-case letters and numbers or symbols and should be changed regularly. Also, passwords should not be written down under keyboards or kept on desks or surfaces where the public could access them. Dentists should ensure that all staff members understand the importance of maintaining the privacy of patient health information.
Every dental practice should have a policy for safeguarding patient information, and should educate staff members about how to comply with the office policy. A strict Internet and computer policy that prohibits staff members from checking personal email accounts or visiting Internet sites that aren’t work-related should be enforced. It’s also important for dentists to make sure that all firewalls, operating systems, hardware, and software devices are up to date, strong, and secure, and that wireless networks are shielded from public view. Antivirus software should be installed on every computer, kept updated, and checked regularly.
When accessing office data remotely, dentists should use only trusted Wi-Fi hot spots and never use shared computers. Smartphones and tablets should be password protected to prevent easy access to patient information in case a device is lost or stolen. In addition, all hard copies of documents with patient information should be shredded. Finally, to make sure your dental practice is HIPAA compliant, data transmitted to payers, health plans, labs, and other health-care providers may need to be encrypted to ensure that a hacker will not have access to the data.
Because dental practices are subject to heightened government enforcement, and the scope of fines and penalties for data breaches have increased, many practices rely on cyber insurance for protection in the event of a breach. These policies cover the cost of investigating a theft, compensate the insured for all state and federal fines and penalties imposed, and fund all related lawsuits and legal fees, thus relieving the dentist of the financial and time burdens imposed by the security breach.
If a security breach in your office does occur, it’s imperative that you take appropriate action immediately. This includes determining how the breach occurred and the extent of the breach. You must be very careful who you initially contact and provide with information. Any improper or accidental disclosure to a third party other than legal counsel may be subject to the rules of discovery if litigation occurs, which could increase the liability exposure of the practice owner.
Stuart J. Overman, Esq.
Stuart J. Oberman, Esq. handles a wide range or legal issues for the dental profession including cyber security breaches, employment law, practice sales, OSHA and HIPAA compliance, real estate transactions, lease agreements, non-compete agreements, dental board complaints and professional corporations.
For questions or comments regarding this article please call 770.554.1400 or visit www.obermanlaw.com