When news of yet another major company hit with a data breach pops up each month, it would be easy to assume that large corporations are the only target of hackers. Don’t assume that because there are bigger targets than your practice, you don’t need to make security a priority.
While the Equifax and Marriott breaches definitely make headlines, over 43% of cyberattacks target small businesses, which include small medical and dental practices. Just this past August, 400 dental practices were targeted in a nationwide ransomware attack.
It’s important that your practice takes steps to ensure the safety of your patients’ records in compliance with HIPAA. Thankfully, adopting a few key behaviors will make a huge impact.
HIPAA Tip 1: Make sure your emails are secure
Unless your practice is much larger or has its own IT team, you are likely sending emails through a web-based service like Gmail, Yahoo, or Outlook. Because your emails are hosted on an external server, your email can be read by anyone with administrative access to that server (Google, Yahoo, or Microsoft). You should avoid sending any patient information through email unless you’ve taken steps to encrypt the information. This includes sending emails between staff members within your practice.
HIPAA Tip 2: Avoid texting patient information
Similar to web-based email services, text messages aren’t secure or encrypted by default. Text messages are also stored indefinitely on your cellular provider’s servers and can be intercepted by someone targeting you. While it may be tempting to use texting to answer questions from teammates if you’re in a hurry, this should never include patient information.
HIPAA Tip 3: This also applies to messaging patients
With a growing number of patients wanting the convenience of reminders and invoices sent through text or email, it’s important to find a way to provide these items securely. Even though you’re communicating directly with the patient through text and email, you are required to send any patient information through secure or encrypted channels. If you have a patient portal, a good practice would be to send messages from the portal that require a login to read.
HIPAA Tip 4: Have a plan for when disaster strikes
Whether it’s a fire, flood, or a car launching into the second floor of your practice, catastrophes can happen. What’s important is that, in compliance with the Security Rule, you back up your patients’ information to a secure location off-site so it can be recovered. Cloud-based platforms can make the process much more automatic, as long as they meet HIPAA’s standards as well.
HIPAA Tip 5: Don’t leave the door open for the bad guys
Make sure you’re limiting access, both digitally and physically, to your computers or other systems. This includes using strong passwords for any account, using a closed Wi-Fi network with a firewall, and making sure you stay current with software and anti-virus updates. You also need to keep any office computers that might have patient information on the screen out of patients’ view. Make sure your staff is logging out when they leave computers unattended.
HIPAA Tip 6: Don’t assume paper is safe
We typically only think of HIPAA in terms of digital data security, but it’s important that you treat physical copies of patient information with the same care. Stored documents should be locked up and inaccessible to the public. Any documentation that is no longer serving a purpose, no matter how insignificant, should be destroyed with a cross-cut shredder.
HIPAA Tip 7: Stay educated when it comes to protecting patients
HIPAA compliance and security are an ongoing responsibility for your dental practice, which means you and your staff need to stay up-to-date on security awareness. While we will continue our security series for the upcoming weeks, this is no substitute for formal training. Your dental practice should go through HIPAA training on at least an annual basis and conduct regular audits to identify any holes in security. Making sure you are aware of the potential dangers is the best defense against anything happening to your practice.