Be Cybersmart in Protecting Patient Data
Various measures can help avoid breaches
Brian Busto
Modern dental offices and laboratories use technology to streamline appointment scheduling, check-ins, diagnostics, management of patient medical records, case intakes and progression, inventory, and more. These technologies provide automated processes and tasks for the respective workflows. With all these technologies, the security and privacy protection of the data collected is of great concern.
Dental practices and laboratories are required to adhere to regulations under HIPAA, which is a federal statute to protect sensitive patient records. Abiding by HIPAA regulations is increasingly challenging, however, and requires more attention and care as privacy concerns continue to evolve and mature. A breach of patient data can be detrimental to any business's reputation. So how can dental laboratories protect patients' data and privacy? By implementing some basic cybersecurity technologies and controls, they can reduce risk and protect patient data and privacy.
So, where to start? Across all industries, the average "phish-prone percentage" has been estimated to be 37.9% [1]. That means roughly one in three employees is likely to click a suspicious email. Hackers use various social engineering tactics to obtain patient data, deploy ransomware to a system, or capture a user's credentials to compromise a system. Implementing security and awareness training for the entire staff is the most straightforward and most affordable change, and it produces exceptional results. Many free training resources are available—including those offered by the Cybersecurity & Infrastructure Security Agency (CISA) and Department of Homeland Security (DHS) government websites—with videos that teach staff how to spot phishing and social engineering tactics. As a certified ethical hacker and security analyst, I can attest that security training is imperative to reduce the risk of potential attacks.
The second step to protecting patients' data is to ensure there are effective backups of patient data and a plan of action should the system be hacked. The laboratory should identify and document its incident response plan (IRP): the plan of action that sets out the processes and procedures to be followed in the event of an incident or a breach. The IRP should describe how to stop an active breach, preserve the evidence, recover patient data, and make the required notifications.
Additional controls and technologies to implement include email protection, malware defenses, firewalls, and access limitation. Many laboratories have some form of these protections in place; however, ensuring they are set up correctly is essential. For example, a correctly configured Office 365 email tenant can notify administrators about newly created forwarding rules, block sign-ins from unexpected countries, enforce multi-factor authentication, and retain audit logs that show what happened or what was tampered with after an incident. Firewalls are critical in protecting a laboratory from the outside world. Country blocking, intrusion prevention and detection, and website blocking should all be enabled, and the default configurations should be changed. Finally, apply least-privilege access to all data and systems. Granting access to patient data only to those who require it reduces the risk of a hacker or an employee compromising a system.
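As an added example (not code from the article or from Stetson Cybergroup), the following Python script shows the kind of after-the-fact review those email controls make possible: it reads an exported mail-audit log and flags forwarding rules that send mail outside the laboratory's own domains, sign-ins from countries the practice does not operate in, and sign-ins that completed without multi-factor authentication. The record layout, field names, sample entries, organization domains, and allowed-country list are all constructed for this example and are assumptions, not the Office 365 audit-log schema.

```python
"""Review an exported mail-audit log for three of the signals the article
mentions: external forwarding rules, sign-ins from unexpected countries, and
sign-ins without multi-factor authentication.

Added example. The JSON-lines layout below is a constructed, simplified
stand-in for an exported audit log; it is not the Office 365 schema.
"""
import json
from dataclasses import dataclass

# Assumptions for the example: the lab's own mail domains and the countries
# its staff normally sign in from.
ORG_DOMAINS = {"examplelab.test"}
ALLOWED_COUNTRIES = {"US"}

# Constructed sample export (one JSON record per line), not real log data.
SAMPLE_EXPORT = """\
{"time":"2021-05-01T09:12:00Z","user":"frontdesk@examplelab.test","op":"InboxRuleCreated","forward_to":"frontdesk@examplelab.test"}
{"time":"2021-05-01T09:15:00Z","user":"billing@examplelab.test","op":"InboxRuleCreated","forward_to":"archive@mailbox-collector.example"}
{"time":"2021-05-01T10:02:00Z","user":"billing@examplelab.test","op":"SignIn","country":"US","mfa":true}
{"time":"2021-05-01T22:47:00Z","user":"billing@examplelab.test","op":"SignIn","country":"RO","mfa":false}
{"time":"2021-05-02T08:30:00Z","user":"owner@examplelab.test","op":"SignIn","country":"US","mfa":true}
"""


@dataclass(frozen=True)
class Finding:
    """One item an administrator should look at, tied to a user and a time."""
    time: str
    user: str
    reason: str


def mail_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def review_records(export_text: str,
                   org_domains=ORG_DOMAINS,
                   allowed_countries=ALLOWED_COUNTRIES) -> list[Finding]:
    """Walk the export line by line and collect findings.

    A forwarding rule is flagged when its target is outside the lab's domains.
    A sign-in is flagged when it comes from a country not on the allowed list,
    and separately when it completed without MFA; one event can yield both.
    """
    findings: list[Finding] = []
    for line in export_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the export
        rec = json.loads(line)
        op = rec.get("op")
        if op == "InboxRuleCreated":
            target = rec.get("forward_to", "")
            if target and mail_domain(target) not in org_domains:
                findings.append(Finding(rec["time"], rec["user"],
                                        f"forwarding rule to external address {target}"))
        elif op == "SignIn":
            country = rec.get("country")
            if country not in allowed_countries:
                findings.append(Finding(rec["time"], rec["user"],
                                        f"sign-in from unexpected country {country}"))
            if not rec.get("mfa", False):
                findings.append(Finding(rec["time"], rec["user"],
                                        "sign-in completed without multi-factor authentication"))
    return findings


if __name__ == "__main__":
    for f in review_records(SAMPLE_EXPORT):
        print(f"{f.time}  {f.user}  {f.reason}")
```

Run against the constructed sample, the script reports three findings, all for the billing mailbox: the rule forwarding mail to an outside domain, and a single late-night sign-in that was both from an unexpected country and completed without MFA. Treating each signal as its own finding keeps the output easy to route: the forwarding rule goes to whoever administers email, while the sign-in findings belong with the incident response plan described above.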
Some laboratories use various Internet of Things (IoT) devices, including televisions to display images, music sources, and Alexa or other virtual assistants for music. These devices are typically installed with default configurations and credentials and are readily accessible from outside the network. Best practice is to place these devices only on a network created separately from the network where patient data resides, and to change all manufacturer defaults. In addition, the software and firmware on these devices should be kept up to date to ensure the latest security fixes are installed.
Furthermore, awareness of all vendors in use is a critical part of cybersecurity. Knowing whether the IT vendor, HVAC maintenance company, or software provider has uncontrolled remote access to any systems or patient data is critical to ensuring the protection of that sensitive information. Does your laboratory have protections in place so that a third-party provider cannot be the source of a breach? It is the laboratory owner's responsibility to perform the required due diligence on those vendors and not to leave a back door through which a hacker can come in.
In closing, remember that cybersecurity is not simply a technology challenge; it also takes people, processes, and knowledge to protect patients' data and your reputation. Be smart; be cybersmart!
Reference
1. Phishing by Industry 2020 Benchmarking Report. KnowBe4. https://www.knowbe4.com/hubfs/2020PhishingByIndustryBenchmarkingReport.pdf. Published 2020. Accessed May 19, 2021.
About the Author
Brian Busto
CEO/Cybersecurity Expert for Stetson Cybergroup
New York, New York