Data security and privacy seem to be in the news almost daily. From hacks into various government sites to the latest credit card leaks from major retailers, we are reminded that understanding the risks of data ownership is imperative in today’s digital age. Dental practices must make sure that their data—especially patient data—is protected by implementing a proper security plan.
Since the enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requirements to fortify against the improper use and access of patient health information have called for entities to improve protection strategies and tactics. These requirements have only been reinforced with the HITECH Act (Health Information Technology for Economic and Clinical Health) of 2009 and the Omnibus Final Rule of 2013.
When implementing a security plan, you should consider multiple safeguards for data access and data use. As you develop and implement plans to fortify against potential threats, it is also important to note that “security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities’ organizations and technologies change.” (Security 101 for Covered Entities, CMS, November 2004)
Henry Schein strongly encourages practices to work with both computer and security policy experts to create and implement a comprehensive security plan. Henry Schein offers assistance in implementing appropriate network security through TechCentral, our office technology and security experts. For more information about TechCentral and its Protected Practice solutions and services, visit www.hstechcentral.com/ProtectYourPractice. To speak with a Henry Schein TechCentral expert today, call 877.483.0382.
At Henry Schein, we are working to help providers know and understand the rules and requirements for data security. Under the law, the “Security Standards for the Protection of ePHI” comprise three types of safeguards: physical, administrative and technical. As a dentist, you should review the ADA Complete HIPAA Compliance Kit for in-depth information about how to comply with HIPAA regulations, notification requirements for a breach, types of data protection or encryption, and what types of information need protection.
HIPAA involves much more than just hardware and software. Offices should review all aspects of the HIPAA regulations to ensure that they are in compliance.
As mentioned in the answer to “What are the HIPAA Security Rules?”, technical security is only one of the three components of the HIPAA security rules. While Dentrix Enterprise provides tools to help facilitate compliance with certain technical safeguards (e.g., passwords for access controls), the covered entity must implement those features in accordance with its overall risk assessment and with the required standards set forth in the law (see “Do I need to perform a Security Risk Assessment?” for more information).
There seems to be a lot of confusion about who is responsible for encryption and what to do if there is a security breach. Perhaps some of the confusion stems from the ambiguous language in HIPAA that refers to encryption as “addressable.” Some providers have taken this language to mean that encryption is not mandatory. In “Security 101 for Covered Entities,” released by the U.S. Department of Health and Human Services, the department notes that “addressable does not mean optional.” While the language is somewhat difficult, HIPAA is clear that dentists are responsible for ensuring that their data is protected and that encryption plays a critical role in that.
For protected health information we recommend full disk encryption using technology such as Microsoft BitLocker. Please note that full disk encryption is only one of the many policies, procedures and technical safeguards you should implement for a complete security plan. In its “Guide to Storage Encryption Technologies for End User Devices,” the National Institute of Standards and Technology (NIST) states that full disk encryption does not “mitigate OS and application layer threats (such as malware and insider threats).” As such, other precautions should be taken to ensure these gaps are addressed (see “Do I need to perform a Security Risk Assessment?” for methods to identify and remediate security gaps).
Yes. According to HealthITSecurity.com, “Without a risk analysis, it is much more difficult for healthcare organizations to know where they are in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews will help facilities continue to work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.” (http://healthitsecurity.com/news/what-happens-in-hipaa-audits-breaking-down-hipaa-rules) We offer a service through our partner ClearData for Security Risk Assessments (SRAs) and would love to help you through this process. To learn more about this solution, please visit us at www.hstechcentral.com/ProtectYourPractice or call us at 877.483.0382.
We recommend installing an all-in-one unified threat management (UTM) network security solution in your practice. UTM solutions integrate complete protection, such as HTTPS inspection, antivirus, anti-malware, web filtering, anti-spam, application control, intrusion prevention services (IPS) and data loss prevention (DLP), all in one device. If you are unsure whether your firewall or router is properly configured for complete protection, our office technology and security experts at TechCentral can assess your network and discuss the commercial-grade firewall options your practice needs. To speak with a Henry Schein TechCentral expert today, call 877.483.0382.