Data security and privacy seem to be in the news almost daily. From hacks into various government sites to the latest credit card leaks at major retailers, we are reminded that understanding the risks of data ownership is imperative in today’s digital age. Oral surgery practices must make sure that their data, especially patient data, is secure by implementing a proper security plan.
Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requirements to fortify against the improper use and access of patient health information have called for entities to improve protection strategies and tactics. These requirements have only been reinforced with the HITECH Act (Health Information Technology for Economic and Clinical Health) of 2009 and the Omnibus Final Rule of 2013.
When implementing a security plan, you should consider multiple safeguards for data access and data use. It is also important to note, as you develop and implement plans to fortify against potential threats, that “security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities’ organizations and technologies change.” (Security 101 for Covered Entities (CMS, November 2004))
Henry Schein strongly encourages practices to work with both computer and security policy experts to help create and implement a comprehensive security plan. We offer assistance in implementing appropriate network security through TechCentral, our office technology and security experts. For more information about TechCentral and its Protected Practice solutions and services, visit www.hstechcentral.com/ProtectYourPractice. To speak with a Henry Schein TechCentral expert today, call 877.483.0382.
At Henry Schein, we are working to help providers know and understand the rules and requirements for data security. Under the law, there are three main components to the Security Standards for the Protection of ePHI: physical, administrative and technical. As a dentist, you should review the ADA Complete HIPAA Compliance Kit for in-depth information about how to comply with HIPAA regulations, notification requirements for a breach, types of encryption and what types of information need protection.
HIPAA involves much more than just hardware and software. Offices should review all information provided by HIPAA to ensure that they are in compliance.
As mentioned in the answer to “What are the HIPAA Security Rules”, technical security is only one of three components of the security rules under HIPAA. While EndoVision provides tools to help facilitate compliance with certain technical safeguards (e.g., passwords for access controls), the covered entity must implement those features in accordance with its overall risk assessment and with the required standards set forth in the law (see “Do I need to perform a Security Risk Assessment” for more information).
There seems to be a lot of confusion about who is responsible for encryption and what to do if there is a security breach. Perhaps some of the confusion stems from the ambiguous language in HIPAA that refers to encryption as “addressable.” Some providers have taken this language to mean that encryption is not mandatory. In “Security 101 for Covered Entities,” released by the Centers for Medicare and Medicaid Services (CMS), they note that “addressable does not mean optional.” While the language is somewhat difficult, HIPAA is clear that oral surgeons are responsible for ensuring that their data is protected and that encryption plays a critical role in that.
In any version prior to EndoVision 14, encryption was optional and left up to the practice to choose. Once upgraded to Sybase 16 and subsequently to EndoVision 14, we will begin automatically encrypting all databases of each customer as they upgrade.
We recommend full disk encryption utilizing Microsoft BitLocker. Please note that full disk encryption is only one of the many policies, procedures, and technical safeguards you should implement in a complete security plan. In its “Guide to Storage Encryption Technologies for End User Devices,” the National Institute of Standards and Technology (NIST) states that full disk encryption does not “mitigate OS and application layer threats (such as malware and insider threats).” As such, other precautions should be taken to ensure these gaps are also addressed (see “Do I need to perform a Security Risk Assessment” for methods to identify and remediate security gaps).
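As an added example (not Henry Schein, EndoVision or Microsoft code), the PowerShell check below reports the BitLocker state of every volume on a Windows workstation and flags any volume that is not fully encrypted or has no recovery password protector; it assumes an elevated session on a Windows edition that ships the BitLocker module.

```powershell
# Added example: verify BitLocker coverage on a workstation that stores ePHI.
# Assumes an elevated PowerShell session and the built-in BitLocker module.
Import-Module BitLocker

$report = foreach ($vol in Get-BitLockerVolume) {
    # Get-BitLockerVolume lists fixed and removable volumes alike.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [PSCustomObject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType        # OperatingSystem or Data
        ProtectionStatus = $vol.ProtectionStatus  # On or Off
        VolumeStatus     = $vol.VolumeStatus      # e.g. FullyEncrypted, EncryptionInProgress
        EncryptionMethod = $vol.EncryptionMethod
        HasTpmProtector  = [bool]($types -match '^Tpm')
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
    }
}

$report | Format-Table -AutoSize

# A volume is a gap if protection is off, encryption is incomplete, or there is
# no recovery password (a lost key makes the patient data unrecoverable).
$gaps = $report | Where-Object {
    $_.ProtectionStatus -ne 'On' -or
    $_.VolumeStatus -ne 'FullyEncrypted' -or
    -not $_.HasRecoveryKey
}

if ($gaps) {
    Write-Warning "BitLocker gaps found on: $($gaps.MountPoint -join ', ')"
    exit 1
}
Write-Output "All volumes are fully encrypted and have a recovery password protector."
```

Recovery passwords should be escrowed (for example in Active Directory or Azure AD) rather than kept on the encrypted device, and this check covers only encryption at rest, not the OS and application layer threats NIST mentions.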
Yes, a security risk assessment is needed. According to HealthITSecurity.com, “Without a risk analysis, it is much more difficult for healthcare organizations to know where they are in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews will help facilities continue to work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.” (http://healthitsecurity.com/news/what-happens-in-hipaa-audits-breaking-down-hipaa-rules) We offer a service through our partner ClearDATA for security risk assessments (SRAs) and would love to help you through this process. To learn more about this solution, please visit us at www.hstechcentral.com/ProtectYourPractice or call us at 877.483.0382.
We recommend installing an all-in-one unified threat management (UTM) network security solution in your practice. UTM solutions integrate complete protection, such as HTTPS inspection, antivirus, anti-malware, web filtering, anti-spam, application control, intrusion prevention services (IPS) and data loss prevention (DLP), all in one device. If you are unsure whether your firewall or router is properly configured for complete protection, our office technology and security experts at TechCentral can assess your network and discuss the commercial-grade firewall options your practice needs. To speak with a Henry Schein TechCentral expert today, call 877.483.0382.