Cybersecurity starts with training dental teams
August 28, 2017
In 2015, Dr. Lloyd Wallin's dental office was victimized twice in one month by hackers using ransomware — a type of malicious software that threatens to publish the victim's data or block access to it unless a ransom is paid.
"It happened out of the blue," said Dr. Wallin, now a semi-retired dentist in Faribault, Minnesota. "It hit us pretty hard."
In the wake of the attacks, Dr. Wallin decided to train his staff on data security. Since those two attacks, his office's computers haven't been hacked.
Dr. Wallin's training of his staff was exactly what he should have done, based on a July news release by the U.S. Department of Health and Human Services' Office for Civil Rights. The release encourages all health care providers to train their staffs on the importance of safeguarding the privacy and security of patients' protected health information in the face of cyberattacks such as ransomware.
The Office for Civil Rights said that there has been a 10 percent increase over the past two years in the number of providers and health plans that have had instances of security-related Health Insurance Portability and Accountability Act violations or cybersecurity attacks related to protected health information.
The release continues: "This increase in HIPAA violations includes breaches due to ransomware events … and other cyberattacks which could have been prevented by an informed workforce trained to detect and properly respond to them. Training on data security for workforce is not only essential for protecting an organization against cyberattacks, it is also required by the HIPAA Security Rule.
"The security rule specifically requires covered entities and business associates to 'implement a security awareness and training program for all members of its workforce.' Note the emphasis on all members of the workforce, because all workforce members can either be guardians of the entity's protected health information or can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches."
The Office for Civil Rights release includes recommendations on what health providers should consider:
- How often to train workforce members on security issues. Many entities have determined that biannual training and monthly security updates are necessary, given their risk analyses.
- Using security updates and reminders to quickly communicate new and emerging threats.
- What type of training to provide, whether it be computer-based, classroom training, monthly newsletters, posters, email alerts or team discussions. The Office for Civil Rights offers training resources at hhs.gov.
- How to document training.
Drs. Mitchell Rubinstein, Kenneth Aschheim and Bijan Anvar are members of the New York State Dental Association who regularly provide training to dental societies, dentists and dental teams on protecting their computers from a data breach and meeting the HIPAA security requirements.
The three dentists had basic recommendations on how dentists and their teams can remain safe and protected from cyberattacks.
Dr. Rubinstein said that unlike large corporations, dental offices generally don't have an IT department to help dental teams protect themselves. "But we have to follow the same regulations."
He said that computers in the office should only be used for dentistry-related matters, and that team members should have individual passwords for using workstations.
"The most important thing is to do a risk assessment," said Dr. Aschheim. "Most people have no clue what that means."
"The one thing I stress is that staff is included in my lectures," said Dr. Anvar. "It's very important to get the entire team involved and trained." He recommended that aside from computers that contain protected health information, dental offices should have a computer that is used only for email, since email users sometimes click on links they shouldn't be clicking on. Encrypting data is also important, he said. "If the data is stolen, at least it will not be accessible."
Data breaches are not only devastating, but also costly.
"These HIPAA fines are serious fines," Dr. Anvar added.
"Nobody is immune," said Dr. Aschheim. "It's unrealistic to believe you're bulletproof."
To help dentists implement a step-by-step HIPAA compliance program, the ADA offers the ADA Complete HIPAA Compliance Kit (J598). Readers can save 15 percent on the HIPAA kit and all ADA Catalog products with promo code 17143 until Nov. 17. To order, visit ADACatalog.org or call 1-800-947-4746.
ADA 2017 – America's Dental Meeting will host a course led by Drs. Aschheim, Rubinstein and Craig Ratner, HIPAA Security Compliance: Protecting Your Practice and Your Patients (8107). Created in partnership with the ADA Council on Dental Practice, this half-day course is designed as a practical guide for dentists and their team to protect patients' electronic protected health information and comply with HIPAA security regulations. Based on standards and guidelines developed by the ADA, this course aims to provide practical, common-sense, realistic, step-by-step guidance, with an accompanying workbook, to help dental teams comply with complex regulations and avoid unwanted fines. Registration is open at ADA.org/meeting for the annual meeting in Atlanta Oct. 19-23.
The ADA will be hosting a free webinar on ransomware Wednesday, Sept. 20, at noon Central Daylight Time. Presented by ADA staff, the webinar will feature ways dental teams can decrease the likelihood of their practices being attacked through ransomware and/or phishing, as well as the HIPAA implications of security breaches. One hour of continuing education credit will be available. The registration link is https://cc.readytalk.com/r/xf56tz1str6w&eom.
For more information on how dentists can protect their practices, visit the Center for Professional Success at Success.ADA.org and search for "Tips to Safeguard Your Practice from Computer Hackers."