HIPAA Training Reminder: Include Email Security for Cyberattack Prevention

It seems like almost every other day, the national media reports on a new data breach. From large corporations to mom-and-pop local businesses, hackers do not discriminate on their targets. Small and mid-sized businesses like dental practices are often targeted because they are less likely to have full protections in place and devoted information technology (IT) personnel to prevent such attacks. Therefore, as cyberattacks become more sophisticated, it is even more important for dental offices to ensure that dental healthcare personnel (DHCP) are properly informed and trained on how to secure protected health information (PHI) and business data. And since cyberattacks are often triggered due to operator error from email mismanagement, it is critical that DHCP training include email security.

What is a Cyberattack?

A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, networks, data servers, or personal computer devices, including cell phones. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft. Examples include malicious programs such as malware, phishing, spyware, viruses, and ransomware.

What Should DHCP Training Include?

All DHCP should be trained on and do the following:

• Follow IT personnel guidance for all computer and IT activity in the office.
• Use standard user accounts instead of accounts with administrative privileges whenever possible.
• Avoid using personal applications and websites, such as email, chat, and social media, on work computers.
• Avoid opening files, clicking on links, etc. from unknown sources without first checking them for suspicious content. For example, you can run an antivirus scan on a file, and inspect links carefully.
• Use antivirus software at all times — and make sure it’s set up to automatically scan your emails and removable media (e.g., flash drives) for ransomware and other malware.
• Do not download any unknown software or click on unknown links.
• Layer data protection with, at a minimum, strong passwords and multifactor authentication.
• Protect sensitive data on business and personal computers using full-disk encryption software.
• Back up data regularly, and keep an encrypted copy offsite.
• Monitor online accounts regularly, and report any suspicious activity.

HIPAA Security Risk Analysis

Under HIPAA’s Security Rule, covered entities, including healthcare providers, are required to adopt adequate means for safeguarding the confidentiality, integrity, and availability of PHI. This includes conducting a security risk assessment regularly to assess security vulnerabilities and the mechanisms currently in place to mitigate them, and then to determine what additional controls, if any, should be implemented to prevent threats to PHI, including cyberattacks.

For our OSHA Review Subscribers… A checklist to help dental offices conduct a HIPAA security risk assessment is available from OSHA Review’s website, in the clients-only section under OSHA Review/Professional Documents.

OSHA Review, Inc. a registered continuing education provider in the State of California, specializing in Dental Practice Act, infection control, and Cal/OSHA training. OSHA Review subscribers in California receive updated regulatory compliance and infection control training thorough our bi-monthly newsletter.