A HIPAA breach is unauthorized access to, or acquisition, use or disclosure of, your patients' protected health information. It happens all the time. According to The HIPAA Journal there were 519 reported data breaches in 2019, with over 41 million patient records exposed. The real number is higher, because many IT companies never tell the practices they support that events like ransomware have to be reported. Under HHS guidance, a ransomware infection that encrypts ePHI is presumed to be a breach unless you can demonstrate a low probability that the data was compromised. The reasoning is simple: the malware had to read and rewrite every one of those files to encrypt them, which is unauthorized acquisition. See this document from the FBI (Federal Bureau of Investigation) about ransomware and HIPAA. It is genuinely alarming how many IT companies will clean up a ransomware infection, restore from backup and then tell the practice there was no breach.
What can I do to prevent a data breach?
It really starts with your network security, so if you haven't already, check out our article on network security. Once you have a good firewall and good antivirus in place, the next step is least-privilege accounts: the account a user works in every day should NOT be a local administrator. Techs who specialize in the dental industry have a bad habit of putting the entire Domain Users group into the local Administrators group on every workstation. When a user opens a malicious attachment under an admin account, the malware runs as admin too, and it can disable the antivirus, install itself as a service and spread to the other computers in the office far faster than it could from a standard user account. Another bad habit in dental IT is the use of role accounts; there is a whole section on those below. End-user training is the next most valuable thing: teach staff which emails are safe to open and never to plug a random CD or flash drive into a computer. Full-disk encryption (BitLocker on Windows) keeps a lost or stolen laptop or tablet from becoming a reportable breach, because encrypted data that the thief cannot read is not considered compromised. Finally, have a managed services company monitor the network so that problems are caught as they happen rather than weeks later.
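As an added example (not from the original article), here is a PowerShell script that checks a single Windows workstation for the two weak settings just described: a broad domain group sitting in the local Administrators group, and a system drive that is not protected by BitLocker. It uses only cmdlets that ship with Windows 10 / Server 2016 and later (the LocalAccounts and BitLocker modules), and must run in an elevated session. The domain name CONTOSO, the account-name list and the parameter names are assumptions for the example; wrap the script in Invoke-Command to run it against every computer in the office.

```powershell
# Added example, not the article's code: audit one workstation for least-privilege
# and disk-encryption mistakes. Run as administrator. CONTOSO is an assumed domain name.
param(
    [string]$DomainName = 'CONTOSO',   # assumption: your AD NetBIOS domain name
    [switch]$Remediate                 # remove offending groups instead of only reporting
)

# Broad principals that should never be members of the local Administrators group.
$BroadGroups = @(
    "$DomainName\Domain Users",
    "$DomainName\Domain Computers",
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

$findings = @()

# 1. Who is a local administrator on this machine?
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    if ($BroadGroups -contains $m.Name) {
        $findings += "Broad group '$($m.Name)' is a local Administrator"
        if ($Remediate) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            $findings += "  -> removed '$($m.Name)' from Administrators"
        }
    }
    elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        # An individual domain user in Administrators is almost always a shortcut, not a need.
        # Reported only; decide case by case which ones are legitimate (e.g. the IT admin account).
        $findings += "Domain user '$($m.Name)' is a local Administrator"
    }
}

# 2. Is the system drive encrypted? Only Pro/Enterprise editions have the BitLocker module.
$systemDrive = $env:SystemDrive
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint $systemDrive
    if ($bl.ProtectionStatus -ne 'On') {
        $findings += "$systemDrive is not protected by BitLocker " +
                     "(ProtectionStatus=$($bl.ProtectionStatus), VolumeStatus=$($bl.VolumeStatus))"
    }
}
else {
    $findings += "BitLocker is not available on this Windows edition; $systemDrive is not encrypted"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it first without -Remediate so you can read the list and decide which individual accounts actually need admin rights, then rerun with -Remediate to pull the broad groups out. ProtectionStatus can be Off while VolumeStatus says FullyEncrypted (for example while BitLocker is suspended for a firmware update), which is why both values are reported.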
Role Accounts and why they are bad!
A role account is a user account whose user name is the computer's role rather than a person: Chair1, Chair2, Consult1, and so on. They generally have simple passwords as well, and all of them match. The problem is that if you are breached or have unauthorized access, you need to be able to prove which employee accessed which record at what time, and if you can't, you get a HUGE fine. Sure, you can say that Suzy was at Chair1 at 11:00 AM, but how can you prove it? You can't. The logs only show that "Chair1" logged in, and everyone in the office knows the Chair1 password. On most computers the user should log in as themselves. Now, I get it: chairs, and maybe consult rooms, need to be shared for workflow purposes. There is a proper way to do this that is HIPAA compliant. Hospitals solve it by giving each employee a badge with an RFID chip in it. The computer auto-logs-in with a role account, and a reader such as Imprivata's locks and unlocks the computer for each employee when they tap their badge. This records which employee was at the computer at each moment while keeping the role account's session, so you don't need to re-open your practice management software every time someone walks up.
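To see exactly how little evidence a role account leaves behind, here is an added PowerShell example (not from the original article) that pulls the interactive logons recorded on a workstation's Security log for the last few days, flags the ones made with generic role-account names, and also checks whether the machine is set to auto-logon as one of them. The regular expression for role-account names, the default day count and the parameter names are assumptions for the example; adjust the pattern to the naming your office uses. It must run in an elevated session, and it relies on Windows' default auditing of successful logons (event ID 4624).

```powershell
# Added example, not the article's code: show what a workstation can actually tell you
# about who logged on, and why shared "role" accounts leave no attributable trail.
# Run as administrator. The name pattern and $Days are assumptions for this example.
param(
    [string]$RoleAccountPattern = '^(chair|op|consult|hyg|front|desk)\d*$',  # assumed naming
    [int]$Days = 7
)

# 1. Is this machine auto-logging on as a role account? When auto-logon is set up the quick
#    way, the Winlogon key also holds DefaultPassword in clear text, readable by anyone.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1') {
    "AutoAdminLogon is enabled for '$($winlogon.DefaultUserName)'"
    if ($winlogon.PSObject.Properties['DefaultPassword']) {
        "  DefaultPassword is stored in clear text in the registry"
    }
}

# 2. Interactive logons in the last $Days days (Security event 4624).
#    LogonType 2 = console, 10 = Remote Desktop, 11 = console logon with cached credentials.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # The interesting fields live in the event's EventData, so parse the XML view.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    if ($fields.LogonType -in '2', '10', '11') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Domain  = $fields.TargetDomainName
            Account = $fields.TargetUserName
            Type    = $fields.LogonType
            Shared  = [bool]($fields.TargetUserName -match $RoleAccountPattern)
        }
    }
}

$shared = @($logons | Where-Object { $_.Shared })
$named  = @($logons | Where-Object { -not $_.Shared })

"$($named.Count) logons by individual accounts, $($shared.Count) by role accounts since $since"

# For a role-account logon this is all the evidence the machine holds: a time and a generic
# name. Nothing here says which employee was sitting at the chair.
$shared | Sort-Object Time | Format-Table Time, Domain, Account, Type -AutoSize
```

If the script reports AutoAdminLogon with a DefaultPassword value, that password is recoverable by anyone with access to the machine, which is one more reason the "everyone knows the Chair1 password" situation is worse than it looks. The badge-reader setup described above still auto-logs-on as the role account, but the reader's own audit log records the badge tap, and that record is what gives you the employee name the Security log cannot.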
What needs to happen if I get breached?
You must notify the affected patients, in writing, without unreasonable delay and no later than 60 days after the breach is discovered. You must report the breach to HHS through its breach reporting portal: within 60 days if 500 or more people are affected, or within 60 days after the end of the calendar year for smaller breaches. If more than 500 residents of a state are affected, you also have to notify prominent media outlets in that state, and the breach is posted publicly on the HHS breach portal. All of this can result in lawsuits and fines that run into millions of dollars, on top of the cost of the notifications themselves. It is far cheaper to use an IT company that monitors your network and knows how to protect you.