There is Hope

“A Match Made in _____”
Cyber Threats and HIPAA Compliance – There is Hope

By Patrick Jacobwith, Sunset Dental

President, DIA

Guest Writer for Sally McKenzie

 

Are we at the beginning, middle or end?  Please let it be the end.  Recent events have caused many in the business community to think these thoughts, especially in healthcare.
Cyber Crime has exploded.  The global cost of cybercrime will reach $2 trillion by 2019, a threefold increase from the 2015 estimate of $500 billion.  Last year, IDG detected 38 percent more cybersecurity incidents than the year prior.  Source – SecurityIntelligence by IBM
HIPAA enforcement is real.  Due to the intensity of compliance and regulations, the costs per breach to organizations in the health care and financial services sectors top all other industry groups, according to the Ponemon study.
Small Business Beware!  Small and midsized organizations (SMBs), defined as those with fewer than 1,000 employees, are hardly immune to cybercrime — actually quite to the contrary.  According to Keeper Security’s “The State of SMB Cybersecurity” report, a staggering 50 percent of small and midsized organizations reported suffering at least one cyberattack in the last 12 months.
A Cyber Attack may be considered a HIPAA breach according to the OCR’s Wall of Shame and as outlined in the following headline from HealthITSecurity.

“Cybersecurity Attacks Leading 2016 Data Breach Cause
The top 10 healthcare data breaches of 2016 were mainly caused by cybersecurity attacks, including ransomware and unauthorized access.”

So the marriage has been made.  Cyber-attacks are directly linked to HIPAA breaches.  This presents a real and present risk to all dental practices.  As we know, a breach can occur at any time and many dental practices are still open doors for cyber criminals.
We are not at the end; we are nearer the beginning.  Cyber criminals are well-funded and becoming increasingly organized.
Ransomware – the latest wave
What is ransomware?  Ransomware is a virus designed to block access to the data in a system until money is paid.  Ransomware usually is planted in a clinic’s network environment via an attachment to an email.  The virus immediately does three things:
1. Begins encrypting data on the computers
2. Sends the decryption key to their own “secret” location
3. Grabs all contacts and forwards the nasty email (then it looks like a “friendly email”)

There is Hope
What can we do?  In the IT Managed Services arena, the Dental Integrators Association (DIA) discussed this topic at length at its recent national conference with guests from the FBI Cybersecurity Division.  DIA member companies are well aware of the threats and have been working diligently to create solutions.  The best thing you can do is work with a managed IT provider who will secure your systems before you have a breach.
In closing, below are a few simple short-term tips for each of you.  Beyond the short term, please build a plan for the long term.
Simple and Practical suggestions for all dental practices:
• Partner with a credible IT/Cyber Security company.  The DIA and its member companies take these matters seriously.
• Make Cybercrime and HIPAA a higher priority and invest resources in solutions
• Cyber Tips
  o Allow the partners to deploy a credible firewall
  o Allow the partners to deploy a credible back-up solution that includes Business Continuity
  o Do not open email attachments!  Make sure the attachment is clean.  It may be clean because the email was sent via encryption; otherwise, just call the sender and verify they actually sent the email.
• HIPAA
  o Build a comprehensive plan to address HIPAA in your organization
  o Begin with a HIPAA risk assessment
  o Train your staff
  o Get Business Associate agreements in place
  o Go back to your comprehensive plan

Most importantly, please work with a professional IT company. The Dental Integrators Association is an organization dedicated to educating IT professionals. To be sure you have cutting edge knowledge on your side you can find a professional at the Dental Integrators Association website www.dentalintegrators.org

 

Patrick Jacobwith is the CEO of Sunset Dental Technologies, a multi-state organization based in Minnesota.  Patrick is also the President of the Dental Integrators Association.  He believes in excellent service and building healthy and productive relationships.  Patrick’s core values are built on three words: Service, Humility and Love.

Patrick can be reached at patrick@sunsetdt.com

 

Selling Your Practice? Beware of This Scam

Amy Wood, ACS Technologies

I can’t believe I have to write this, but I’ve been told of this scam by several dentists as well as practice transition consultants.

The scam is this:  A local doctor comes in looking to expand their patient database by purchasing your practice.  Seems legit, right?  They then ask for access to your computer or server to get an idea of your patient pool, or to run a report in your practice management program.  This is when they install a spyware program to secretly take your patient information to directly market to them.

Seriously?  As if we don’t have enough security threats to worry about, now we have to worry about your fellow dentists?

You can easily protect yourself by adhering to this simple rule: NO ONE gets access to your computers, server or network unless they are your staff or one of your HIPAA Business Associates.  If a potential buyer needs reports or information, you provide it to them.  This applies to consultants too.  They are not staff and they are not hired to interact with, create, receive, maintain or transmit Protected Health Information on your behalf, so they don’t get access to your systems.

Amy Wood is a HIPAA Data Breach Mitigator specializing in making dental practices compliant and secure.  She is president of ACS Technologies, LLC, a Northern California HIPAA Compliance & IT firm.  Amy has written many articles for various dental publications and spoken at dental associations, study clubs and private practices.  She runs ACS with her husband, Scott and lives in Santa Rosa, CA with their three daughters. 

Amy can be reached at hipaa@acsdt.com

HIPAA Compliance: More than Just Data Breaches

DIA Board Member Amy Wood recently wrote this article for Sally McKenzie.  It can be seen in whole on her site.

 

By Amy Wood, President of ACS Technologies, LLC

 

At this point we have all heard about the data breaches and million dollar fines, and how your HIPAA security alleviates these major concerns. But have you ever thought about all the other ways HIPAA compliance helps your practice?

Human Resources Issues
Imagine a problem employee. The one who casually browses the internet instead of working, even though you’ve told them not to. Worse yet, one who thinks they know enough about HIPAA and holds you hostage for the things you don’t yet have in place.

Proper Training is key to ensuring your staff actually knows and understands HIPAA regulation. Policies & Procedures are another component. Your entire staff should review and sign an acknowledgment of reading which includes privacy, security and technology policies. The most important one is a sanction policy which should outline what happens should the employee violate HIPAA or security in the practice – write up, termination or even jail depending on the violation or repeat violation.

Business Insurance
It’s become commonplace for business insurance carriers to ask about basic security. Do you have business grade antivirus? Do you have a firewall? Do you use secure email? Do you have backups? The new trend in insurance is cyber-liability and data breach coverage, as most data breaches are happening in the digital data space. Their questions are even more comprehensive. Do you have the knowledge to answer these questions? If you are covered by a managed service IT provider, they can help you answer all of these.

Patient Insurance Audits
MACRA, the Medicare Access and CHIP Reauthorization Act which was enacted late last year, tied Medicare reimbursement rates to a practice’s level of security and thus, HIPAA compliance. Early in 2017, we started seeing major dental insurance carriers ask for proof of basic security practices as well as HIPAA risk assessments, other HIPAA related documentation and cyber-liability/data breach insurance. Failure to have these things results in lower reimbursement rates after the audit. These are basic business best practices anyway – protect those margins!

Patient Complaints
Over the years, I have fielded many patient complaints regarding HIPAA and security. One complaint asserted that the doctor, let’s call him Dr. Compliant, had sent multiple patient records to a single patient via unencrypted email. As it turned out, Dr. Compliant had used an encrypted secure email system to send several patient records to a second doctor, Dr. Not-So-Compliant, which was proved through the secure email program.

When the patient requested the x-rays by email, Dr. Not-So-Compliant forwarded the emails with all the files sent from Dr. Compliant on to the patient without checking the contents first, thus breaching the other patients. The patient demanded free treatment in exchange for silence. Thankfully, Dr. Compliant had embraced security and the use of encrypted secure email, and we were able to prove Dr. Compliant did not breach data.

PCI
Payment Card Industry (PCI) requires an annual questionnaire that asks numerous questions about paperwork and security, including your technology equipment and setup. Many of these requirements overlap with HIPAA requirements, which are, again, basic business best practices. Unfortunately, many doctors protect credit card data better than full PHI contained in their patient charts.

Summary
When we are talking about digital data security, there are simple ways to do it right and many ways to do it wrong. Talk to your IT provider to ensure you are using current standard of care for things like backups, anti-virus, firewall, secure email and patching. Most IT providers will provide you with a package of these services, as it is commonplace as well as expected by the Office for Civil Rights. Your provider doesn’t provide this? Find a healthcare specific IT provider at the Dental Integrators Association.

 

IT Security: What Every Doctor Needs to Know

DIA past-president and member Bryan Currier recently wrote this article for Sally McKenzie.  It can be seen in whole on her site.

 

Bryan Currier, Advantage Technologies

IT Security 101: What Every Doctor Needs to Know

 

What is IT Security?


Defining IT Security is a good starting point since it can have different meanings to different people.

According to Wikipedia,

IT Security is the process and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change, or destruction. It is of particular and growing importance in line with the increasing reliance on computer systems in most societies worldwide.

 

 

What does IT Security involve?
As you can see from the definition, IT Security encompasses certain things that most people don’t consider. For example, when you think of IT Security for your practice, what comes to mind? If you’re like most, you probably concern yourself with safe-guarding your system against hackers and crashes – which you should be doing.

However, notice the first words I emphasized – process and mechanisms. Process implies people, which has more to do with IT security than anything else. Additionally, you may have considered protection against unauthorized access and destruction. What about unauthorized change?

No one would dispute we are exponentially more reliant on computer systems now than we were just ten years ago. For instance, when I first started in dental IT a computer crash was nothing more than a minor inconvenience. But today? A crash can have major consequences and directly affect patient care – so protecting this information should be of paramount concern in any practice.

 

What is a high-level overview of the threats to IT Security? How can you mitigate those threats?

Viruses: The key here is complete anti-virus protection that you can prove is monitored, managed, and automatically updated. Additionally, you need a secure firewall with a gateway anti-virus.

Malware: An anti-malware system is a must – think CryptoWall and CryptoLocker. In addition, you need content filtering as part of a sound firewall strategy.

Hacking: Your primary defense against hacking is a solid firewall that is continually updated, monitored, and managed. Also, you should only be utilizing secure remote access. Using free tools to remotely access patient information from home or an iPad is simply a recipe for a data breach.

User Error: Often overlooked, user error represents one of the most common causes of unauthorized data change and loss. Staff training is your best bet to mitigate this risk. A great starting point is finding the answers to such questions as:

When was my team last trained on how to effectively use the practice management system? How much turnover have we had since the last training?

Are new staff members correctly trained in the current version of the software? How many bad habits are being picked up because someone at the front desk is just “showing them how to do it”?

Plus, you need to check their access credentials. Not everyone in the practice needs full administration rights to your management system, so take time to audit that.

Phishing: The key here is telling staff members to not check personal email at work. When you do check email of any kind, be extremely careful what links you click on. Not 100% sure? Simply don’t click on them. Another great defense against phishing is content filtering at your firewall.

System Crash: What’s the best prevention against a crash? First, you need to be using servers and workstations with business class pedigree and warranties — think Dell and HP systems.

Second, and more importantly, you need to have a managed IT service. This is a provider that is managing your system – servers, workstations, firewalls, anti-virus, etc. – on a continual basis. Someone essentially acting as your IT department. The Dental Integrators Association is a great resource to help you find local, independent IT companies that will work with you and on your behalf to help reach your goals.

Natural Disasters: This once again emphasizes the importance of having a dedicated IT provider that is supporting you with a solid backup and recovery plan. In addition, they should be providing you with a clearly defined contingency plan in the case of a disaster.

 

What are 5 practical steps to take into my practice?

1. Implement an acceptable use policy – what they can and can’t do on your computers.

2. Use ‘need-to-know’ access. This means auditing all user names in your practice management system. For example, Susie the hygienist cannot make changes in a patient’s ledger balance.

3. Protect your key data by ensuring your IT provider sets up a secure backup and disaster recovery strategy that is HIPAA compliant.

4. Make sure you’re only using secure remote access.

5. Confirm your IT provider offers a working knowledge of HIPAA, HITECH, PCI, and any other regulations that you may be subject to. It is extremely important that they have a solid understanding and are designing systems that work for you.

Again, a great resource to get you started in the right direction is the Dental Integrators Association. Their sole job is to provide a system that educates IT providers in a manner that raises them above the norm.

 

Bryan Currier is the President of Advantage Technologies, an IT company that focuses on dental and dental specialties. It serves as the leader in utilizing cutting-edge technology to keep its customers in the forefront of dental technology. In the last 15 years, he and his team have worked with more than 1,000 practices, helping them effectively integrate computers and digital technology. Bryan has spoken at numerous conferences throughout the country, and has served on the Microsoft Partner Advisory Council and published articles in the Doctor of Dentistry magazine and The Journal of American Association of Oral and Maxillofacial Surgeons. 

Bryan has a bachelor’s degree in Business Leadership as well as various dental and technological certifications. He lives in Nashville, TN with his wife and four children. He can be reached via email at: Bryan@adv-tech.com

You can find Advantage Technologies online at www.adv-tech.com and the Dental Integrators Association can be found at www.dentalintegrators.org

IT Nation 2017

Have you heard about it?

Have you attended?

How much did you learn?

 

IT Nation, hosted by ConnectWise, a longtime partner of the DIA, is the premier conference for technology solution providers and the largest event of its kind – offering a world-class experience for attendees.

Here at the DIA, we are constantly trying to advise the public and remind other dental IT providers that the DIA is here as a resource for both of them. IT Nation was just another example of this: eight DIA member companies (18 individuals) attended this conference. Our association was able to provide a ‘home base’ for these attendees in a sea of more than 3,000!

The DIA is about more than just camaraderie; it’s about education and advancement of your businesses. We are proud to announce that our president, Patrick Jacobwith of Sunset Dental, and Christina Archer of Dental PC were asked to sit on the Partner Panel of How to Create Lasting Change & Make Your Business Model Changes Stick. The session was described as follows:

 
To stay competitive and profitable, top MSPs are on a continual march of evolution. If you want those changes to stick, you’ve got to excel in a few critical areas. In the partner panel, Paul Dippell will dive into the key places your organization should focus to make your business model changes stick. Partners who have successfully implemented the as-a-service model will share the lessons learned and challenges they overcame to make lasting changes in their organization.

IT Nation Education Panel

We are proud of our DIA Members and thrilled that the dental community sees their worth as well! If you would like to learn more about the DIA and how to become a member yourself, please email michelle@dentalintegrators.org or visit https://dentalintegrators.org/join-dia/

DIA President & CW CEO

 

Arnie Bellini, Connectwise CEO

Patrick Jacobwith, Sunset Dental CEO & DIA President

IT Nation 2017, Orlando FL

Did you know that your data can be compromised?

By Patrick Jacobwith, Sunset Dental

President, DIA

Guest Writer for Sally McKenzie

 

 

Hackers have become more sophisticated, and technology has advanced, resulting in an increased level of vulnerability to your network.

  • Did you know more than 400,000 new viruses were written in 2015?
  • Did you know there is a daily “black market price” for personal information?
  • Did you know that healthcare companies are a target of hackers due to the wide scope of information stored for each person?
  • Did you know a successful hack can result in a data breach that is costly, may add HIPAA compliance issues and could result in a loss of business?

 

 What can you do in the face of this new and growing threat? Outlined below is a recent customer case study involving an infection.

 

Case Study

At approximately 3:15am a clinic’s system was infected with a ransomware virus. This particular infection not only encrypted files on the server, but also spread to every computer on their network. The hackers hold the data “ransom” for a fee from the clinic; to obtain the decryption key from the hackers, the clinic must pay the ransom.

In less than one hour the virus infected all 16 workstations plus the server. Once the files are infected they are encrypted and unusable by the clinic staff. By 9am, a plan was created with a goal to have the office fully functioning by the next morning.

Resources/Team (IT)

  • First response team
  • Engineering
  • Command Center
  • Team lead

 

The team now set in motion a path to allow the clinic to see its business information as soon as possible. In simplified terms the server and the workstations required immediate attention. The clinic kept paper records during the day.

Server

  • A loaner server with VMware ESXi installed was deployed.
  • It was essential to get new/replacement equipment on-site and in use.
  • Engineering restored a backup file to a virtual machine on the ESXi.
  • The new/replacement equipment was populated with a recent backup file to allow the clinic to see its schedule and continue operations.
  • Because the backup was exported to a virtual machine format, the server then started up in its virtual format seamlessly.

 

A conventional process would take several days; this process allowed the team to get the server up and running within 5 hours.

 

Workstations

The team re-imaged all of the computers. To expedite the imaging process, a pre-configured image was deployed on an imaging server. This allowed the team to reimage all 16 workstations in approximately 30-35 minutes each. The conventional process would have taken at least two to five hours per computer.

Once the server was up, the team connected the computers to the domain and moved forward with installing and configuring software. Prior to leaving the site at 5pm, all computers were able to access the practice management software and peripherals. In the evening, the team spent several hours configuring the software to get the workstations as close to their original state, prior to the infection, as possible.

The team spent the following morning at the clinic working with the staff to address any questions and make any changes necessary. The clinic staff entered the previous day’s appointments into the practice management software.

 

Recovery Timeline

Item | Case study time to respond/recover | “Market” time to respond/recover
Phone call | Immediate | One day
Diagnosis | Less than 1 hour | Up to one week
Server repaired and back online | 5 hours | Up to one week
16 Workstations repaired and back online | 8-9 hours | Up to one week
Resources | Pre-defined team | Support Techs
Media | Message to customers to prevent a disaster from spreading | Unknown

 

Impact Assessment

Daily average production for this clinic: $15,000

Saved days (Case Study vs Conventional): 7 Days

Ransom Fees Avoided: $5,000

Estimated Dollar Savings: $110,000

In addition:

  • the clinic continued to see patients even during the virus containment
  • a possible HIPAA breach was averted
  • the staff only needed to re-enter one day of patient activity

Unfortunately, as hackers become more sophisticated, these situations will increase. Below are a few key suggestions to minimize your risk:

  • Monitor the health of your network
  • Continuously monitor and manage your server and workstations
  • Schedule reviews to discuss changes in technology and security
  • Implement a disaster recovery plan
  • Obtain adequate insurance coverage

 

Most importantly, please work with a professional IT company. The Dental Integrators Association is an organization dedicated to educating IT professionals. To be sure you have cutting edge knowledge on your side you can find a professional at the Dental Integrators Association website.

 

 

Do your Dental Patients Witness you Violating HIPAA?

Dentistry IQ Article: August 29, 2016

By Amy Wood

 

HIPAA has been around for 20 years now, yet many dental practices have barely started their HIPAA compliance journey. Despite two decades of regulation, I see multiple violations before even passing the front desk in many offices. As a HIPAA Risk Assessor, I’m trained to look for these things. But have you considered how many of your patients also see these risks?

An office manager at the office of one of my clients had just completed the annual HIPAA class a few days before taking her mother to her primary care physician. The front desk person in that office printed her mother’s information on the wrong form and instead of shredding it, she crumpled it up and tossed it in the garbage. “Wait, you’re going to shred that, right?” she asked.  “Of course I am,” the front desk person said with a meek laugh as she smoothed the paper and put it in the shredder. Her mother’s information might have been compromised had my client’s office manager not known what to look for.

Being told that you’re doing something wrong is never fun, but what about the people who notice your violations and never say anything to you? A friend of mine moved and a few months later asked me about a few things she’d noticed that “weren’t quite right” with her new dentist. Instead of notifying the office about her concerns, she left the practice. The practice is still not secure with patient information.

Another example is from one of my employees. Shortly after starting with us, she visited her dentist who her family had been seeing for years. While sitting in the waiting area, the front desk person shouted across the waiting room, asking waiting patients about family members’ treatment, payment, insurance information, and medical issues. Our employee told us she was afraid to go back to that office knowing how blatantly they were ignoring basic.

Unfortunately, these stories are not uncommon. Your patients are watching. In states like California that have Private Right of Action laws, patients can sue if their information is compromised in your care.

What things are not compliant that patients are seeing? Anytime I walk into an office, these are the top violations I see in almost every practice.

  • Conversations, especially within earshot of other people. You never know who is listening. 
  • Outdated notice of privacy practices (NPP). Many practices have NPPs from 2003, or they use something they found on the internet and didn’t update for their office. One time I saw a notice that was supposed to be for a dental practice, but it contained an optometrist’s contact information. The Department of Health and Human Services created colorful, easy-to-read NPPs for download on their website because they want people to easily access compliance.
  • Printed schedule or computer screen. Most current practice management systems have settings to limit what information you see on a schedule. You can have no name, first name, last name, or initials. While it may appease the staff to see who is coming in next, you don’t want patients to see others on your schedule, or what their procedure is.
  • Open Wifi. I know more about 90% of the offices I walk into by accessing their wifi before I even speak with the doctor. I have a free app on my phone that runs a quick scan once I have access to the practice’s wireless. I can see all devices, cell phones of patients and staff, office computers, printers, tablets, laptops, and the server. If I can do that with a free app, a thief or even a bored 14-year-old with a laptop can siphon patient information and an office would never know about it. “But I have a password” is the response I hear. “The password you just gave me and the last four patients?” A colleague recently did a Twitter search for “Hacked Dentist Wifi” and came up with a list of patients who had publicly posted on Twitter that they had accessed their dentist’s network and could see everything.

These are the easily identifiable vulnerabilities patients can see within a few minutes of visiting your practice. When you dig a little deeper, there are all kinds of risks that haven’t been considered. Doing a thorough risk assessment will identify your vulnerabilities and allow you to address them. The government doesn’t expect you to be Fort Knox, but they do expect you to have basics in place. In fact, there is a lot of leniency if you are up front about your risks and are able to offset those risks until a permanent solution can be implemented.

Technology and HIPAA: Where are the risks?
The risks on the tech side of your business are ever evolving. Five years ago the biggest threat was backup failure from a portable backup drive. Now we’re dealing with encryption, cybersecurity, ransomware, hacking, and IT people that don’t support your needs. The threat landscape certainly has changed since HIPAA was enacted 20 years ago.

Shadow IT/Multi IT
Verizon does an annual study that repeatedly shows that Shadow IT, or multiple people making IT choices and decisions, is the top cause for data breaches. My own panoramic films were involved in a data breach due to Shadow IT. An employee thought she was “helping” by making an unauthorized backup of data to a thumb drive, and lost it. The IT staff had a secure protocol for that and the employee breached thousands of records that contained my name, birthdate, last four digits of my social security number, and my entire medical record number—in other words, enough to steal my identity.

When it comes to IT, it’s not about cleaning up messes; it’s about proactive security. The only way it can be done is to have one vendor that is ultimately responsible for making technology decisions. Multiple vendors having unattended access and making changes will increase your chance of causing a data breach.

Inadequate/Incomplete risk assessment
A lot of practices want HIPAA to be quick and cheap. It isn’t. A thorough risk assessment and risk management plan is the single most important thing you can do for your practice in regards to HIPAA. I tell people that if it’s not intrusive and uncomfortable, then they aren’t doing it right. Not only is it required under HIPAA, but it allows you to identify risks and do something about them. Inadequate or incomplete risk assessments are the top reason for penalties in breach investigations.

There are a lot of options out there when it comes to risk assessments, but I advise practices to look for one of two types of Risk Assessors: a privacy and security expert, or a privacy expert that works with your IT (if they’re doing what they’re supposed to do for your practice).

Secure your server
Think about the information you have in a single patient record—name, birthdate, social security number, insurance information—a virtual treasure trove for an identity thief. With full medical records commanding around $500 per record on the black market, you have a very large asset in your office. The average American dentist has roughly 2,500 active charts in addition to 10 years of stored inactive charts. With conservative numbers hovering around 4,000 charts, dentists are looking at around $2 million to a thief. What would you reasonably do to protect $2 million?

Fortunately, there are easy and affordable solutions for dental practices. With servers, we’re looking at physical theft or loss. This is addressed by locking it or encrypting it. But having encryption is not the end all and be all. You have to prove it was in place, document its configuration, and show evidence of testing it. In addition, there are many considerations with encryption. The safest place to encrypt data is where the data is created.

Properly vet business associates

Are your business associates insured? Do they take responsibility in their Business Associate Agreement? Do they have documented risky behavior? I see more business associates in the dental vertical that are doing risky things to their customers than in any other health-care space. It’s worth it to ask them difficult questions, or better yet, have an experienced risk assessor ask questions.

Choose a good IT partner

Everyone has an IT “guy” they love, but is the person doing all that is legally required for your dental practice? The Omnibus Final Rule of 2013 placed regulation on IT providers. With Omnibus, IT providers are expected to know and identify any security deficiencies in your practice and offer you paid solutions. If they don’t, they can be held liable for any breaches. If you have to ask for something security related, such as backups, updates, secure email, or a firewall, then chances are the IT person isn’t doing any of the things you and the federal government expect of an IT professional in the health-care space.

It can take years to establish a trust relationship with an IT company. Regardless of your current relationship, you have to ask yourself if your current IT is doing what’s best for your practice and your patient information. If not, you should seriously consider switching. A good place to look for quality, HIPAA-trained IT providers is the Dental Integrators Association.

 


Amy Wood is a HIPAA Risk Assessor who specializes in making dental practices compliant. She is president of ACS Technologies LLC, a HIPAA and IT firm based out of Santa Rosa, California. Amy maintains multiple certifications in HIPAA, is an active member of the FBI’s Infragard, and she speaks to private practices, study clubs, and dental societies.

DIA Press Release: Data Security

Data Security: A Growing Problem

Who can you turn to, to help protect you and your business?

 

June 10, 2016 – Data security continues to be a growing issue facing small and large dental practices in the United States.  This also means it has become a priority topic for the Dental Integrators Association (DIA).

Recently, there have been several news releases that outline some alarming software security issues specifically within the dental industry.  Although the DIA is not affiliated with any of the parties involved, because of the growing number of data privacy challenges in our industry we believe it is important to comment to bring awareness of the potential risks.

DIA members continue to work diligently to provide safe and secure connections for patient data.  It is essential for all practices to have business associate agreements in place with credible partners.  In addition, the DIA recommends that dentists review each business associate agreement to ensure their partners or vendors can (and will) adequately address security events or data breaches.

The DIA is a non-profit professional organization whose members provide valuable IT solutions to dental practices across the country.  The association is dedicated to providing a platform for the industry to develop best practices and collaboration.

 

About the Dental Integrators Association

The Dental Integrators Association comprises more than 40 independent technology firms around the U.S. that are dedicated to providing computer technology integration services to dental practices. All DIA members must uphold the DIA Standards Statement, the industry’s only published standard of care that clearly spells out the approach taken by members to provide the highest quality, most responsive, and most economical service possible for their clients. For more information, call (888) 249-0559, or visit www.dentalintegrators.org.

 # # #

Contact: Michelle Hambidge
Director of Marketing & Administration
888.249.0559

Six Ways to Make Your Dental Practice HIPAA Compliant

One of the DIA’s own, Amy Wood of ACS Technologies, recently wrote a great article for McKenzie Management’s Newsletter, “Six Ways to Make Your Dental Practice HIPAA Compliant”. As usual, Amy is a wealth of knowledge; please feel free to read, adopt and forward. As long as you attribute it to Amy Wood and McKenzie Management, you are more than welcome to use it for your practice as well.

Dental Technology Blame Game

Emmott on Technology

Dr. Larry Emmott is recognized as a leading dental high-tech authority in the country. With over thirty years of experience as a practicing general dentist, his mission is to help dentists make good technology choices.

In his most recent blog, he took on the topic of what he calls the Ping Pong Blame Game.  In the end, one of the highest authorities in technological dentistry suggested contacting us, the Dental Integrators Association, to find a competent local IT service company!

 

Ping Pong Blame Game

by Larry Emmott on August 3, 2015

 

Ping Pong is the back and forth blame game that can happen between tech vendors. The hardware guy blames the software. The software folks blame the hardware and they all blame Microsoft (it probably is Microsoft).

As a dentist caught in the middle you are the ping pong ball! Back and forth waiting to get slammed.

There are two strategies to avoid ping ponging. First, don’t buy random technology. Many times I visit offices where the hardware came from three different sources, it is running three different operating systems and hasn’t been updated in years. The software is just as bad. A second tier management system with non-dental photo management that is not part of the digital record. Then the doctor adds a stand-alone radiology package.

In that kind of a system when something fails, and it will fail, it is very difficult to determine why and how to fix it.

The second strategy is to find a good local IT company with dental experience and let them handle everything. That includes setting up hardware, setting up the network, installing programs, troubleshooting conflicts and monthly maintenance.

If you have a good relationship with your local supply company, Henry Schein, Patterson and Benco all have computer IT services available for dentists. If you are looking for a competent independent vendor, start with DIA Dental Integrators Association.

 

You can find out more about Larry Emmott here