In cooperation with my friends at Aspida, here’s the next article in the Compliance Corner series. Each quarter, we’ll feature a new article about HIPAA compliance, regulatory news, keeping patient data private & secure, and other topics to help keep dental practices and their patients safe. In this article, Laura Miller, Compliance Manager at Aspida, writes about best practices for protecting dental offices from cybersecurity breaches.
A report from IBM, conducted by the Ponemon Institute, found that data breaches continue to grow in both number and complexity, with an average cost of $4 million per incident, a 29 percent increase from 2013, and the trend shows no sign of reversing.
How exactly should you protect yourself and your practice? Let's look at a few best practices.
Be wary of email –
Use a mail solution that has antivirus scanning and a robust spam filter enabled. Inspect every message carefully, including the sender's actual address (not just the display name shown next to it), and do not open any email that looks suspicious. Don't believe what you see: just because an email looks real doesn't mean it is. Scammers can fake anything, from a company logo to the "From" address.
Before you click a link in any email, verify where it really leads. Hover your mouse or pointer over the link to see the actual destination address. If the text you see and the real target do not match, or the destination is a domain you do not recognize, err on the side of caution and confirm with the sender through a channel you already trust (such as a phone number on file) before taking any action.
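As an added example (this is not code from the original article or from Aspida), the two checks above can be done programmatically. The script below, in Python using only the standard library, parses a constructed sample phishing message (every address and domain in it is made up), extracts the real sender address from behind the display name, and flags any link whose visible text names a different domain than the one the link actually targets. The `registrable_domain` helper is a deliberate approximation, noted in the code.

```python
"""Two of the checks described above, done programmatically: pull the real
sender address out from behind the display name, and compare each link's
visible text with where it really points."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). The display name and the
# link text both say "First Dental Bank", but the sender address and the real
# link target belong to unrelated domains.
SAMPLE_EMAIL = """\
From: "First Dental Bank" <alerts@secure-login-mail.example>
To: office@example-dental.example
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your account at
<a href="http://firstdentalbank.example.login-verify.example/auth">https://www.firstdentalbank.example/login</a>
</p>
<p>Questions? Visit <a href="https://www.firstdentalbank.example/help">our help page</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the owner-level domain as the last two labels.

    Good enough to show the technique; a production filter would use the
    public suffix list so that names like example.co.uk are handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return one finding per link whose visible text names a URL on a
    different domain than the href actually targets."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            findings.append(
                f"link text shows {shown.group(1)} but goes to {real_host}")
    return findings


def analyze(raw_message):
    """Parse a raw RFC 5322 message and report what a careful reader should
    look at: the real sender address, and any link whose text and target
    disagree."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender_name": display_name,
        "sender_address": address,
        "sender_domain": address.rpartition("@")[2].lower(),
        "link_findings": find_mismatched_links(html),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report on the sample message; the same `analyze` function accepts any raw message saved from a mail client. A mismatch between the displayed URL and the real target is a strong phishing indicator, but a match does not prove a link safe, so the hover-and-verify habit still applies.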
Encrypt data –
Encryption is certainly a hot topic right now. It's one of the safest ways to protect data from being viewed by an unauthorized party. Very simply, encryption transforms data into an unreadable form that can only be restored by someone holding the proper key.
Any time electronic Protected Health Information (ePHI) is sent by email, the HIPAA Security Rule expects you to have procedures that keep it encrypted both in transit and at rest (in storage). Encryption is an "addressable" specification under the rule, which means you must implement it or document why an equivalent alternative is reasonable for your practice. In practice this means a secure email provider that also stores your mail encrypted, plus encryption on your server, workstations, laptops, and other portable devices. There is a practical payoff beyond compliance: under HHS breach notification guidance, properly encrypted ePHI is considered secured, so a lost or stolen encrypted laptop generally does not trigger a reportable breach, while an unencrypted one does.
Conduct an annual Security Risk Analysis –
One of the first things the HIPAA Security Rule requires you to do is perform a security risk analysis. In this analysis, you identify and evaluate the threats to, and vulnerabilities of, your organization's electronic protected health information (ePHI), estimate how likely each threat is to occur, and assess the effect on your ePHI if it actually did.
At Aspida, we recommend you perform this annually, document the results and the steps you took to address each risk, and work closely with your vendors to ensure their compliance as well. Lastly, make sure your staff and all new employees complete yearly HIPAA training so they understand how to protect and safeguard patient data.
Know your vendors –
A Business Associate (BA) is more responsible and accountable than ever before for protecting your data. Since the 2013 Omnibus Rule, BAs are directly liable for following the same Security Rule requirements you face as a Covered Entity.
We recommend making a list of every vendor you work with. If you give a vendor access to your patient data (as needed to perform their job), it's essential to have a contract, a Business Associate Agreement (BAA), in place confirming that the BA assumes responsibility for obtaining, maintaining, and protecting your patients' ePHI. It's also best to confirm that your BAs execute BAAs with their own subcontractors. Lastly, ensure the agreement clearly states liability and/or assumption of financial responsibility in the event they cause a breach through their mishandling of PHI.
Be Prepared –
Even with proper training, risk mitigation, and documented policies and procedures, breaches can still happen. Make sure your office has a documented incident response plan and policy covering the steps to take to contain, assess, and report incidents and breaches.
In these instances, a practice must respond quickly to protect the affected individuals and its own reputation. Data breach or cyber liability insurance helps offset the significant costs of a cyber-attack or data breach by covering notification mailings to patients, credit monitoring, lawsuits, penalties and fines, and more.
Working within an industry that is federally regulated and has strict data security compliance standards comes with inherent risk. A plan to address and mitigate these risks is imperative and any time or money spent on these procedures should be considered well spent.
About the Author:
Laura Miller is Compliance Manager of Aspida, which has quickly established itself as an industry leader in providing compliance and security products and services for healthcare providers.
Their first product to market, Aspida Mail, offers medical practices affordable Encrypted Email without compromising security.
Miller has over 9 years of experience in the healthcare industry including 4 years with a primary focus on HIPAA Compliance procedures.
Thank you for reading! And as a special Thank You, Aspida is offering readers of this site an exclusive discount on your first three months of Aspida Mail – get the first three months for $3 with Promo Code “DUNN”.