DIA past-president and member, Bryan Currier, recently wrote this article for Sally McKenzie. It can be seen in whole on her site HERE
IT Security 101: What Every Doctor Needs to Know
What is IT Security?
Defining IT Security is a good starting point since it can have different meanings to different people.
According to Wikipedia,
IT Security is the process and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change, or destruction. It is of particular and growing importance in line with the increasing reliance on computer systems in most societies worldwide.
What does IT Security involve?
As you can see from the definition, IT Security encompasses certain things that most people don’t consider. For example, when you think of IT Security for your practice, what comes to mind? If you’re like most, you probably concern yourself with safe-guarding your system against hackers and crashes – which you should be doing.
However, notice the first words I emphasized – process and mechanisms. Process implies people, which has more to do with IT security than anything else. Additionally, you may have considered protection against unauthorized access and destruction. What about unauthorized change?
No one would dispute we are exponentially more reliant on computer systems now than we were just ten years ago. For instance, when I first started in dental IT a computer crash was nothing more than a minor inconvenience. But today? A crash can have major consequences and directly affect patient care – so protecting this information should be of paramount concern in any practice.
What is a high-level overview of the threats to IT Security? How can you mitigate those threats?
Viruses: The key here is complete anti-virus protection that you can prove is monitored, managed, and automatically updated. Additionally, you need a secure firewall with a gateway anti-virus.
Malware: An anti-malware system is a must – think CryptoWall and CryptoLocker. In addition, you need content filtering as part of a sound firewall strategy.
Hacking: Your primary defense against hacking is a solid firewall that is continually updated, monitored, and managed. Also, you should only be utilizing secure remote access. Using free tools to remotely access patient information from home or an iPad is simply a recipe for a data breach.
User Error: Often overlooked, user error represents one of the most common causes of unauthorized data change and loss. Staff training is your best bet to mitigate this risk. A great starting point is finding the answers to such questions as:
When was my team last trained on how to effectively use the practice management system? How much turnover have we had since the last training?
Are new staff members correctly trained in the current version of the software? How many bad habits are being picked up because someone at the front desk is just “showing them how to do it”?
Plus, you need to check their access credentials. Not everyone in the practice needs full administration rights to your management system, so take time to audit that.
Phishing: The key here is telling staff members to not check personal email at work. When you do check email of any kind, be extremely careful what links you click on. Not 100% sure? Simply don’t click on them. Another great defense against phishing is content filtering at your firewall.
System Crash: What’s the best prevention against a crash? First, you need to be using servers and workstations with business class pedigree and warranties — think Dell and HP systems.
Second, and more importantly, you need to have a managed IT service. This is a provider that is managing your system – servers, workstations, firewalls, anti-virus, etc. – on a continual basis. Someone essentially acting as your IT department. The Dental Integrators Association is a great resource to help you find local, independent IT companies that will work with you and on your behalf to help reach your goals.
Natural Disasters: This once again emphasizes the importance of having a dedicated IT provider that is supporting you with a solid backup and recovery plan. In addition, they should be providing you with a clearly defined contingency plan in the case of a disaster.
What are 5 practical steps to take into my practice?
1. Implement an acceptable use policy – what they can and can’t do on your computers.
2. Use ‘need-to-know’ access. This means auditing all user names in your practice management system. For example, Susie the hygienist cannot make changes in a patient’s ledger balance.
3. Protect your key data by ensuring your IT provider sets up a secure, backup, and disaster recovery strategy that is HIPAA compliant.
4. Make sure you’re only using secure remote access.
5. Confirm your IT provider offers a working knowledge of HIPAA, HITECH, PCI, and any other regulations that you may be subject to. It is extremely important that they have a solid understanding and are designing systems that work for you.
Again, a great resource to get you started in the right direction is the Dental Integrators Association. Their sole job is to provide a system which educates IT providers to a manner in which raises them above the norm.
Bryan Currier is the President of Advantage Technologies, an IT company that focuses on dental and dental specialties. It serves as the leader in utilizing cutting-edge technology to keep its customers in the forefront of dental technology. In the last 15 years, he and his team have worked with more than 1,000 practices, helping them effectively integrate computers and digital technology. Bryan has spoken at numerous conferences throughout the country, and has served on the Microsoft Partner Advisory Council and published articles in the Doctor of Dentistry magazine and The Journal of American Association of Oral and Maxillofacial Surgeons.
Bryan has a bachelor’s degree in Business Leadership as well as various dental and technological certifications. He lives in Nashville, TN with his wife and four children. He can be reached via email at: Bryan@adv-tech.com