The National Cyber Security Alliance (NCSA) is promoting October as National Cybersecurity Awareness Month! According to NCSA, we all must take responsibility, individuals and businesses alike, to take action to make sure that our online lives are kept safe and secure from cyberattacks.
A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, networks, or personal computer devices, including cell phones. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft. Examples include phishing; malicious programs (malware) such as spyware, viruses, and ransomware; stolen hardware; unauthorized internet access; and fake websites.
Individual dental offices are particularly vulnerable to cyberattacks because, as small businesses, they are less likely to have full protections in place or dedicated information technology (IT) personnel to prevent such attacks. Dental offices face major problems if their patients’ protected health information (PHI) is stolen, misused, or rendered unavailable, because much of that information is critical to their business and vital to the care of their patients.
In the event of a cyberattack that involves a potential breach of unencrypted PHI, a dental office must follow the HIPAA breach notification procedures under the Breach Notification Rule, must conduct a security risk analysis to identify and fix any technical or other problems to stop the incident, and must take steps to mitigate any impermissible disclosures or uses of PHI. Depending on the nature of the cyberattack, the dental office should also report the crime to law enforcement agencies, which may include state or local law enforcement and the Federal Bureau of Investigation.
Under HIPAA’s Security Rule, covered entities are required to adopt adequate means for safeguarding the confidentiality, integrity, and availability of PHI. Additionally, dental offices are expected to conduct a security risk assessment regularly to assess security vulnerabilities and the mechanisms currently in place to mitigate them, and then to determine what additional controls, if any, should be implemented.
For our OSHA Review Subscribers… A checklist to help dental offices conduct a HIPAA risk assessment is available from OSHA Review’s website, in the clients-only section under OSHA Review/Professional Documents.
Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.