How to Secure Your Patient Data in Five Easy Steps
In this month’s newsletter, we want to have a frank discussion about protecting one of your practice’s most important assets, your patient data. It seems that every week we can pick up a paper, or turn on the news, to hear about another organization that has been hacked and had their customer or patient data compromised. Most stories on this topic that we typically hear about in the media involve large corporations or organizations. However, the reality is that these situations are occurring on a daily basis all over the country, with most of this unpublicized damage being done to small or medium-sized businesses.
Protecting the security of your building is relatively easy; you install an alarm system and make sure only qualified people have keys and alarm codes to access the property. The alarm company is paid every month to monitor the system, and owners are generally able to let the process handle itself. Protecting your next most critical asset (your data) is not quite as simple. This requires a more hands-on approach involving an intensive management routine when compared to your building’s security. KSB is here to partner with you in navigating this important, but admittedly complex, aspect of your business. Through years of experience, we have developed numerous principles for protecting data from outside intruders. Detailed below are the five most important steps your practice can take to resolve most of the major risks to your data security.
Step One: Make sure the “door” to your data is secure. Twenty years ago, when companies were beginning to install internet connections in their offices, there wasn’t enough knowledge to understand that we were creating a new doorway to the building. Most offices would never install a new front door without adding it to their security system (adding locks and an alarm). But in the late 1990s and early 2000s, with regard to our computer security, most of us installed the equivalent of a double-wide garage door in our buildings and not only didn’t put a security system on it, but didn’t even install a lock!
Over the last few years, there have been great advancements in the availability of security devices to protect the internet lines coming into your office. One of the first levels of protection that we recommend is for all customers to install a business-grade firewall on their internet connection. A firewall is, essentially, putting the metaphorical lock and alarm on the “garage door” that was installed when setting up the internet connection to your practice. Furthermore, a business-grade firewall (as compared to a consumer-grade firewall) is more configurable to your practice needs, and allows for more control over whom and what can access your data from the outside. KSB recommends and sells the Watchguard line of firewalls for this exact purpose.
Step Two: Ensure that all workstations and servers in the office are running current operating systems, and that these systems are being updated as needed with the latest security patches. This was a major issue several years ago when Microsoft ended support for the Windows XP and Windows Server 2003 operating systems. It is, in fact, a HIPAA requirement that the operating system on your computers be current and receiving regular security updates. In early 2020, Microsoft will be ending support for Windows 7 and Windows Server 2008. The end of support for these products will require your office to upgrade any workstations and servers to supported products going forward. At this time we are upgrading systems to Windows 10 Professional and Windows Server 2016. With these two newer versions, Microsoft is providing consistent version updates and there is no known “sunset” date for either of these operating systems.
Step Three: Make sure all computers in the office are protected by anti-virus software. This would seem like a “no-brainer”, but many victims of data hacking have discovered that the anti-virus software they had selected was either out of date (due to a lack of updates resulting from contract expiration), had configuration issues, or simply wasn’t effective against the more advanced data mining tools hackers use. Not running regular updates on your anti-virus software essentially opens your practice up to every new virus or piece of malware that hackers have created since the last update. KSB recommends and sells ESET anti-virus protection to combat these risks.
Step Four: Back up all of your crucial data daily. The DOX Quick Back that is loaded on at least one computer in your office provides a quick and easy way to back up the DOX database, but you need to also be completing a larger daily backup that includes all of the associated DOX data (charting forms, letters and scanned images) as well as all of your digital imaging data. For those offices using other “third-party” programs such as Dolphin, Quickbooks, etc., please make sure that you are also backing up the database(s) associated with that data.
We recommend that offices do an on-site backup daily, which is then taken off-site each evening. Most practices rotate these backups so that they have one for each day of the week. Should a problem occur, having an on-site backup allows for quicker restoration of your data. For example, we recently had an office that was the victim of a ransomware attack. Because they had a complete and recent on-site backup, we were able to have them up and functioning in at least a limited capacity before the end of the morning, thus avoiding the cancellation of a full day of appointments in the middle of the hectic summer crunch.
Many offices have asked about online backup services. KSB believes that online backups are a great tool for archival purposes, but they are often slow and cumbersome when data needs to be restored in an emergency. Recently, we experienced a situation with an office that only had an off-site backup available. The process of restoring that online backup was going to take so long that we instead had the company download the data onto a hard drive and send it overnight back to the practice. This caused the office to cancel patient appointments for a full day and struggle through a second day until their data could be properly restored.
The final (and typically forgotten) step in this process is verifying that the backup is actually complete and usable. It is the office’s responsibility to either check this themselves, or have a qualified party look at the backed-up data to verify that it is complete and can be restored. KSB recommends that practices complete a simulated restore to verify this at least twice per year.
Note: While KSB is ready and able to assist offices in the backup process (including the semi-annual verification of backed-up data), it is the office that ultimately has to ensure the backup is actually taking place. As with your physical building security, you can have the alarms installed, but unless they are turned on, the company that monitors your alarm system will never know if someone broke in.
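The two checks described above, a day-of-the-week rotation that is actually current and a simulated restore that proves the backed-up data is intact, can be automated. The script below is an added example written for this newsletter, not a KSB or DOX tool; it assumes a constructed archive layout (one zip per weekday named `dox-<Day>.zip`, each carrying a `MANIFEST` of SHA-256 hashes) and builds its own sample backup set in a temporary folder.

```python
import hashlib
import os
import tempfile
import zipfile
from datetime import datetime, timedelta

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]  # one rotation slot per business day


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_backup(files: dict, path: str, when: datetime, stored: dict = None) -> None:
    """Write a zip plus a MANIFEST of hashes (constructed layout, not the DOX format).
    `stored` lets the demo write different bytes than the manifest promises."""
    stored = stored or files
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("MANIFEST", "".join(f"{n} {sha256(b)}\n" for n, b in files.items()))
        for name, content in stored.items():
            zf.writestr(name, content)
    os.utime(path, (when.timestamp(), when.timestamp()))  # backdate to simulate age


def check_rotation(backup_dir: str, today: datetime, max_age_days: int = 7) -> list:
    """Report weekday slots that are missing or older than one rotation cycle."""
    problems = []
    for day in WEEKDAYS:
        path = os.path.join(backup_dir, f"dox-{day}.zip")
        if not os.path.exists(path):
            problems.append(f"{day}: missing")
            continue
        age = today - datetime.fromtimestamp(os.path.getmtime(path))
        if age > timedelta(days=max_age_days):
            problems.append(f"{day}: stale ({age.days} days old)")
    return problems


def simulated_restore(path: str) -> bool:
    """Read back every file and confirm its hash matches what was recorded at backup time."""
    with zipfile.ZipFile(path) as zf:
        manifest = dict(line.split(" ", 1) for line in zf.read("MANIFEST").decode().splitlines())
        return all(n in zf.namelist() and sha256(zf.read(n)) == h for n, h in manifest.items())


def demo() -> tuple:
    """Constructed set: Mon fresh, Tue stale, Wed fresh but corrupted, Thu/Fri never taken."""
    today, d = datetime(2019, 8, 30), tempfile.mkdtemp()
    data = {"dox.db": b"patient table", "letters/recall.rtf": b"recall letter"}
    write_backup(data, os.path.join(d, "dox-Mon.zip"), today - timedelta(days=4))
    write_backup(data, os.path.join(d, "dox-Tue.zip"), today - timedelta(days=10))
    write_backup(data, os.path.join(d, "dox-Wed.zip"), today - timedelta(days=2),
                 stored={**data, "dox.db": b"truncated"})
    return (check_rotation(d, today), simulated_restore(os.path.join(d, "dox-Mon.zip")),
            simulated_restore(os.path.join(d, "dox-Wed.zip")))
```

Calling `demo()` flags the Tuesday backup as stale and Thursday/Friday as missing, and the simulated restore passes for Monday but fails for Wednesday, whose archive looks fresh yet does not match its manifest.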
Step Five: YOU must ensure that the previous four steps are being completed. This review process can be done manually or by signing up with a service KSB provides that will monitor steps one, two, and three. Our DOX|Automate™ service provides real-time system monitoring for all workstations and servers in the practice, helping to ensure that both their Windows operating system and anti-virus software are being properly updated. The lack of any monitoring for the previous steps is equivalent to turning the security alarm on, but not sending for help once it sends an alert signal. “With DOX|Automate on the job, offices will notice a marked improvement in the reliability of their software. It’s like having an extra set of eyes constantly monitoring every computer within your practice,” says KSB Dental vice-president, Dan Smith. For more information, please call Dan at 866-410-4500.