To improve their operations and provide a better patient experience, many dental practices in New York have adopted IT solutions such as appointment management apps, digital oral imaging, and automated billing systems. While these tools offer plenty of benefits, they also introduce new cybersecurity concerns that dental practices must take seriously, for the following reasons:
Patient records are protected under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, through its Privacy and Security Rules, restricts the use and disclosure of a patient’s protected health information (PHI) without the patient’s knowledge or authorization. PHI is any individually identifiable health information about a person’s past, present, or future health, care, or payment for care, including, but not limited to:
- Physical health or condition of a person
- Healthcare treatments undergone by a person
- Payments a person has made for the healthcare services they have received
Under HIPAA, dental practices, like all covered entities, must secure PHI by implementing three categories of safeguards:
- Administrative – Policies and procedures that help protect against a breach (e.g., cybersecurity training, security incident protocols)
- Physical – Measures that ensure PHI is secure in your premises (e.g., facility access controls, facility maintenance records)
- Technical – Technology and tech-related protocols that safeguard PHI from unauthorized access (e.g., user authentication, NIST encryption standards)
Failing to meet HIPAA requirements can lead to civil penalties even when no data breach occurs. The penalty for each violation depends on the level of culpability:
- Violation the practice did not know about and could not reasonably have known about: $100–$50,000 per violation
- Violation due to reasonable cause, despite due diligence, rather than willful neglect: $1,000–$50,000 per violation
- Violation resulting from willful neglect that is corrected within 30 days: $10,000–$50,000 per violation
- Violation resulting from willful neglect that is not corrected within 30 days: $50,000 per violation
These are the base statutory amounts; they are adjusted annually for inflation and are subject to an annual cap for violations of the same provision.
If you suffer a data breach, the size of the penalty will also depend on the number of patient records potentially exposed by the breach and how great the risk of unauthorized PHI disclosure is.
An example of a violation due to ignorance occurred in 2019, when a dental practice replied to patients’ Yelp reviews and included PHI, such as patients’ last names and health conditions, in its public responses. The practice settled with the U.S. Department of Health and Human Services for $10,000.
Cybercriminals go after patient records
Patient records are highly sought after by cybercriminals: a complete medical record has been reported to sell for as much as $1,000 on the dark web, compared with around $5 for a credit card number and $1 for a Social Security number. Medical records command a premium because they contain information that cannot be changed (e.g., a patient’s demographics and health history), whereas a compromised credit card can simply be canceled and reissued.
Patient records can also be used to commit identity theft and insurance or medical fraud. For example, cybercriminals can use a patient’s identity to file bogus medical claims or obtain prescription medications.
Falling victim to a cyberattack is disruptive and costly
A cyberattack can cripple or completely halt an organization’s operations. When Universal Health Services (UHS) was hit by ransomware in September 2020, staff at its roughly 400 US-based hospitals and care facilities lost access to electronic health record systems. Lab test results were delayed, and some UHS facilities had to divert ambulance traffic and elective or scheduled procedures to other providers. UHS later reported a $67 million pre-tax loss from the incident, driven by reduced patient volume and remediation costs.
In 2019, Alabama-based Sarrell Dental was also hit by ransomware that exposed patient data. The company closed all affected clinics for two weeks while systems were restored and the investigation was ongoing, then had to send notification letters to every individual whose records were exposed, offering them free credit and identity monitoring for a period of time.
Healthcare organizations are increasingly attacked
The number of cyberattacks against healthcare organizations has been rising for years and jumped 45% in 2020, more than twice the average increase observed across other industries. In the same year, 642 large healthcare data breaches (those involving 500 or more records) were reported, a 25% increase over 2019, which had itself been a record year.
Build your cyber defenses now with the help of Healthy IT’s IT security specialists. With our help, you can effectively secure patient records and stay HIPAA-compliant. Schedule your FREE consultation today.