Protecting against the perils of dental patient data breaches
This pattern of data breaches is very concerning for dental practices, which are charged with protecting people’s most sensitive information. What can practices do to protect themselves against this growing problem?
By Isaac Kohen, Contributor
October 4, 2019
There has been a surge in data breaches at companies from virtually every sector during the past few years. Practically every week, the news media reports new breaches that seem to be increasing in scope and severity.
This pattern is very concerning for the health-care industry, including dental practices, which are charged with protecting people’s most sensitive information. With copious amounts of patient data on file, many dental offices are sitting ducks in today’s perilous data landscape.
Unfortunately, this trend is getting worse, not better.
According to the Protenus 2019 Data Breach Barometer Report, “There was a small annual increase in the number of health-care data breaches, but a tripling of the number of health-care records exposed in data breaches.”
This presents a two-pronged problem for dental practices. First, HIPAA requires companies that store patients’ personally identifiable information (PII) to protect this data, and in many ways it’s a tangible expression of the Hippocratic oath in the digital age.
Of course, there is also an economic component. A data breach has devastating financial consequences for companies, costing them as much as 12% of their annual revenue to repair the damage. Although exact estimates vary, the average cost of a compromised health record is $380, meaning that a data breach executed at scale can quickly put a company out of business.
This is problematic for any health-care company, but it can be especially devastating to dental practices that store the same sensitive PII as large medical practices, but operate in smaller, less fortified digital environments. Fortunately, there are steps dental offices can take to protect their patients’ PII and ensure HIPAA compliance.
Implement data loss prevention strategies
When it comes to data loss prevention (DLP), the best offense is a strong defense, and that requires a DLP strategy. While there are some tangible measures, such as phishing email awareness training, that can have an impact on data security, the most important solution is found in software that prevents unauthorized data movement and enforces data standards throughout the practice. In this regard, dental practices have many options. Regardless of the software selection, some features need to be non-negotiable to ensure that DLP standards are upheld.
First, choose software that restricts access to PII. Every dental practice has many team members who provide patient care. However, not everyone needs (or should have) the same access to sensitive patient data. By limiting accessibility, a practice restricts the risk pool, making it less likely that data will be accidentally or maliciously misused.
At the same time, implementing software that prevents unauthorized data movement can ensure that IT administrators are notified of unusual or unapproved data movement, which can stop a data breach before it escalates in scope and severity. To put it simply, the relatively affordable price of DLP software is the most cost-effective way to prevent a practice from being the victim of a data loss event that has vast legal and financial implications.
Train employees on proper data management
Data breaches often feel like an existential crisis perpetrated exclusively by external bad actors. The reality is much more personal, meaning that data loss events are often more explainable and preventable than people believe. Human error frequently plays a central role in a data breach, and that’s good news for practices wanting to protect their patients’ data because proper training can mitigate this risk.
For example, HIPAA Journal identified a significant uptick in medical providers using personal technology to communicate patient data. The report notes, “The Department of Health and Human Services enforces HIPAA compliance via the OCR, which is issuing financial penalties for HIPAA violations and taking a particular interest in the use of mobile technologies and communication of PHI in health-care centers and between health-care providers.”
There are myriad ways that indifference and ineptitude can cause a data breach, and dental practices can actively protect this information by training employees on best practices. What’s more, they can leverage their DLP software to enforce these standards. The right employee monitoring or DLP software can provide the oversight necessary to hold employees accountable for proper data management, or it can offer real-time training to build better data management habits.
Manage IT forensics to maintain a burden of proof
Unfortunately, even when practices implement their best take on cybersecurity practices, it’s possible that a data loss event will still occur. Every dental practice needs a plan for accounting for that episode. With HIPAA’s enforcement rule imposing steep penalties on any dental practice that fails to protect patients’ PII, maintaining a burden of proof through IT forensics is a critical component of any modern data protection protocol.
Therefore, implement appropriate monitoring solutions that create a burden of proof for HIPAA compliance. If a security event occurs, your practice needs to be able to determine who accessed the affected data, how the information was retrieved, and where the data went after it was accessed.
When combined with advanced features such as metadata alerts, keystroke logs, screen session recording, and history playback, your practice can quickly understand the intricacies of the event. This can help avoid HIPAA fines while creating a framework for improving best practices.
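The three controls the article asks for (role-restricted access to PII, an alert on unusual data movement, and an audit trail that answers who accessed the data, how, and where it went) can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from Teramind; the roles, permission map, export threshold, window, and the replayed activity are all constructed assumptions chosen to show the mechanics.

```python
"""Added example (not from the article or from any vendor product): a minimal
model of three controls for a dental practice's patient records:
  1. least-privilege access to PII, enforced per role;
  2. an audit trail recording who accessed what, how, and where it went;
  3. an alert when one user's data movement looks unusual (bulk export).
All names, roles, thresholds and activity below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role-to-permission map: which PII fields each role may read and
# whether the role may export records out of the practice-management system.
ROLE_PERMISSIONS = {
    "dentist":    {"fields": {"name", "dob", "chart", "xray"},        "export": False},
    "hygienist":  {"fields": {"name", "dob", "chart"},                "export": False},
    "front_desk": {"fields": {"name", "dob", "phone", "insurance"},   "export": False},
    "billing":    {"fields": {"name", "insurance", "ssn"},            "export": True},
}

# Assumed threshold: more than this many records exported by one user within
# the window is treated as unusual data movement and raised to IT.
EXPORT_ALERT_THRESHOLD = 25
EXPORT_WINDOW = timedelta(minutes=10)

AUDIT_LOG = []  # append-only trail: each entry records who, what, how, and where


def access_record(user, role, patient_id, field, channel, destination, when):
    """Check the request against the role's permissions and log the outcome.
    Denied attempts are logged too, since they are often the first signal.
    Returns True when access is granted, False when denied."""
    perms = ROLE_PERMISSIONS.get(role, {"fields": set(), "export": False})
    allowed = field in perms["fields"]
    if channel == "export":
        allowed = allowed and perms["export"]
    AUDIT_LOG.append({
        "time": when, "user": user, "role": role, "patient": patient_id,
        "field": field, "channel": channel, "destination": destination,
        "outcome": "granted" if allowed else "denied",
    })
    return allowed


def unusual_exports(log, threshold=EXPORT_ALERT_THRESHOLD, window=EXPORT_WINDOW):
    """Return the set of users who exported more than `threshold` records
    within any sliding window of length `window` (granted exports only)."""
    by_user = defaultdict(list)
    for e in log:
        if e["channel"] == "export" and e["outcome"] == "granted":
            by_user[e["user"]].append(e["time"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged


def who_touched(log, patient_id):
    """The forensic question from the article: who accessed this patient's
    data, which field, through which channel, where it went, and the outcome."""
    return [(e["user"], e["field"], e["channel"], e["destination"], e["outcome"])
            for e in log if e["patient"] == patient_id]


def run_demo():
    """Replay constructed activity; return (denied_count, flagged_users)."""
    AUDIT_LOG.clear()
    t0 = datetime(2019, 10, 4, 9, 0)
    # A hygienist viewing a chart in the clinical app: within role, granted.
    access_record("hygienist_1", "hygienist", "P100", "chart", "view", "workstation-3", t0)
    # The same hygienist reading an SSN: outside role, denied and logged.
    access_record("hygienist_1", "hygienist", "P100", "ssn", "view", "workstation-3", t0)
    # Billing exporting 30 patients' insurance data to a USB drive in 5 minutes:
    # each single export is permitted by role, but the volume trips the alert.
    for i in range(30):
        access_record("billing_2", "billing", f"P{200 + i}", "insurance", "export",
                      "usb:E:", t0 + timedelta(seconds=10 * i))
    denied = sum(1 for e in AUDIT_LOG if e["outcome"] == "denied")
    return denied, unusual_exports(AUDIT_LOG)


if __name__ == "__main__":
    print(run_demo())                 # (1, {'billing_2'})
    print(who_touched(AUDIT_LOG, "P100"))
```

The point of logging denied requests alongside granted ones is that the audit trail then answers both questions the article raises: it shows the attempted read of a field outside the hygienist's role, and it lets the sliding-window check distinguish a billing clerk's normal single exports from a bulk export to removable media that deserves an IT alert.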
Dental practices have many reasons to reevaluate their cybersecurity posture, especially when it comes to protecting their patient data. There is no indication that the digital landscape is becoming any more secure, so the onus is on dental practices to take the steps necessary to ensure that their data integrity standards can meet the moment.
Providing excellent patient care has to include protecting patient data, and by implementing an employee monitoring and DLP software solution, dental practices can address some of the most pressing problems that compromise their patients’ PII. In doing so, they protect themselves from the legal and financial consequences of a data breach.
Isaac Kohen is the Founder and Chief Technology Officer of Teramind, a leading, global provider of employee monitoring, insider threat detection, and data loss prevention solutions.