Cyber security threats are continually evolving - take for example the recent breach reported by Quest Diagnostics. Everyone is vulnerable and these types of attacks pose a real and significant threat to dental practices.
NJDA members have reported their systems were infected with malicious software. This software takes over your hard drive when you click on an infected advertisement, email, attachment or website. It encrypts the contents of the device and of any other connected electronic devices. The hacker then demands “bitcoin or cryptocurrency” payments to unlock them. With any luck, you will have adequate data in your backups to recover from the ransomware nightmare, but then you will have an entirely different mess to deal with – HIPAA Compliance.
The Health and Human Services Office for Civil Rights (OCR) is the federal agency responsible for enforcing the HIPAA Regulations, which include information security requirements for dental offices. Recently the OCR reported that Covered Entities who fall victim to ransomware are to treat the security incident as a HIPAA breach. OCR has published more information on that guidance.
These types of breach issues usually involve more than 500 people and therefore require a breach notification to the affected patients, the OCR, and local television and newspaper media within 60 days of the discovery of the breach. FYI: failure to make this timely notification has cost one Covered Entity over $475,000.
Currently, the Office for Civil Rights investigates every breach that affects 500 or more persons. These types of investigations don’t stop at why it happened, how it happened and whether you did the right thing after it happened. They typically are very comprehensive and evaluate your entire in-office HIPAA Compliance Program, including your HIPAA Compliance Employee Manual. So I have to ask, do you have a HIPAA Compliance Employee Manual? Even if you are on the ball and have a tip-top compliance manual full of employee signatures showing they completed their training, I wouldn’t recommend an encounter with this agency, which is likely ruthless in its enforcement efforts. It is my understanding that investigations can take anywhere from 1-6 years to resolve. To date, I have no information supporting that a dentist has paid a large sum to OCR in fines or settlements, but I’m sure it is on the horizon. Be proactive and prepare your office and staff to prevent or minimize the risks. Here are some small things you can do to prepare for and/or prevent a breach in your office:
Ensure your office’s Notice of Privacy Practices (NPP) is up to date. You can get an updated free version from OCR.
How about your Business Associate Agreements (BAA)? They should be signed by you and each of your Business Associates. Who are your Business Associates? Anyone that has access to your patients’ PHI. Do you need a BAA template? OCR has one you can implement.
The HIPAA Security Rule requires dental practices to complete a periodic RISK ANALYSIS (RA). This should be done (in my opinion) annually, or whenever you make any changes to your I.T. environment. So first you need to list all your vulnerabilities (areas where a breach is possible); then you need a written policy to manage and protect them, your RISK MANAGEMENT (RM) plan.
OCR provides additional information on RA and RM, including a description of the Risk Analysis process.
The world and the cyber world change constantly, and there is a lot more to HIPAA Compliance than just what I have suggested, but if you can check some of these things off your list, you will be off to a good start.