Data Security and Your Dental Practice

by Sandro Persia, Logic Tech Corp

The amount of data generated from humans and computers continues to grow each day, and with it, the number of data breaches. This holds true for the healthcare industry, including dental practices, which is why having a solid data security policy in place is important to protect your clients and your clinic.

To put the significance of data security into perspective, here are some staggering statistics and facts on data breaches from the past year:

  • 88% of Canadian businesses reported having a data breach in the 12 months prior to October 2019
  • 82% of Canadian businesses reported an increase in overall attack volume in the 12 months prior to October 2019
  • 32M patient records were breached in the first half of 2019 alone, not including the 12M records breached at LifeLabs
  • Cyberattacks cost small businesses an average of $54,000

With an ever-expanding database of confidential patient information at stake, there is great urgency for dental offices to improve their data security measures. A security vulnerability can lead to the theft of sensitive data that is then used for criminal activities such as blackmail, identity theft, and fraud. Beyond the harm to the patient, a data breach also has consequences for the dental clinic, from loss of reputation and money to lawsuits filed against the practice.

Privacy and Data Security Legislation in Canada and Ontario

The most common personal data collected includes age, name, address, medical history, ID numbers, income, ethnic origin, blood type, etc. To ensure that this information is protected from unauthorized use, two main pieces of legislation govern how personal data is handled: PIPEDA (Personal Information Protection and Electronic Documents Act) and PHIPA (Personal Health Information Protection Act, 2004).

However, “health information custodians” are exempt from PIPEDA because PHIPA has been declared substantially similar to it. In other words, dentists only need to comply with PHIPA with respect to the collection, use, and disclosure of personal information that occurs within the Province of Ontario.

What is PHIPA?

Ontario’s PHIPA came into effect on November 1, 2004 with five main purposes:

1. To set rules for collecting, using and disclosing personal health information about individuals. This protects the information’s confidentiality and the individual’s privacy, while the information is used to provide effective health care.

2. To provide the right for individuals to access their personal health information (with exceptions).

3. To provide the right for individuals to correct or amend their personal health information (with exceptions).

4. To provide for independent review and resolution of complaints regarding personal health information.

5. To provide effective remedies for contraventions of this Act.

PHIPA is similar to PIPEDA in that they both:

  • Incorporate the ten principles in the National Standard of Canada (Model Code for the Protection of Information) with emphasis on principles of consent, access and correction rights.
  • Provide for an independent and effective oversight and redress mechanism with powers to investigate.
  • Restrict the collection, use and disclosure to appropriate and legitimate purposes only.

PHIPA governs health information custodians and their agents that collect, use and disclose personal health information, whether or not in the course of commercial activities. Dentists and other health care practitioners are considered health information custodians, whereas office staff such as receptionists, office managers and dental assistants are considered agents. In some cases, agents may also include accountants, lawyers and record management services.

The Royal College of Dental Surgeons of Ontario’s guide to compliance with Ontario’s PHIPA outlines that custodians must take steps reasonable in the circumstances to protect personal health information they have obtained against theft, loss, unauthorized use, disclosure, copying, modification, or disposal.

Dental offices must also do their best to satisfy the ten principles to protect patient data. The clinic’s failure to comply with these regulations could result in an investigation by the Privacy Commission and strict penalties.

Please note that the above information is intended for reference only and should not replace advice from formal legal counsel.

How Can You Increase Data Security?

As a dental clinic, there are two ways in which data security can be threatened. Physically, the patient data is vulnerable to theft if there are no safeguards to prevent the computers from being stolen. Digitally, if an office neglects to keep their cybersecurity up to par, it leaves the office’s computer network vulnerable to cyberattacks.

Here are some ways in which you can increase your data security within the office:

Physical Security: Physical theft may not be the first thing to come to mind when you’re thinking of data security, but dental offices do get broken into physically. The thieves often aim for the most valuable equipment they can get, which includes office computers holding all the patient data.

To keep your data physically secure, set up surveillance cameras around the office so that your computers are always in sight. This also keeps your staff accountable and deters them from copying patient information for unauthorized purposes.

At the end of the day, rooms with computers and any paper records should also be locked to deter thieves if the office does get broken into.

Cybersecurity

With the increase in cyberattack volume over the years, dental offices can no longer rely on basic security measures. Step up your cybersecurity with these tips:

Keep Systems Updated: Microsoft announced that it would end support for Windows 7 as of January 14, 2020. This means that technical support, software updates, and security updates or fixes will no longer be provided for it.

Keeping your systems updated is the best way to keep your network secure. Since Windows 7 will no longer receive security updates or fixes, this leaves the system vulnerable to new threats (viruses and malware) and allows hackers to easily access your computers.

By upgrading your systems to the latest operating system (Windows 10) you’ll receive all the new security updates to ensure that your computers aren’t vulnerable to cyberattacks.

Encrypted Electronic Records and Backup: If your office is already backing up data regularly, give yourself a pat on the back – this can save you from a lot of stress and money trying to recover data from a system failure or cyberattack. You can further enhance security by encrypting your backup data. This way, even if this backup data ends up in the wrong hands (e.g. stolen hard drive), the data would not be accessible without the correct decryption key.

The software you choose for your practice plays a key role in your data security. Paradigm Clinical, for example, is PHIPA-compliant, includes a security manager and runs a fully encrypted database. Encryption of electronic or digital records is an example of a technical safeguard described in the Royal College of Dental Surgeons of Ontario’s guide to compliance with PHIPA. It also allows you to create more secure backups, protects a dental office’s electronic records of personal health information and controls access to them.

We also recommend keeping an off-site backup (a backup to the backup!) to ensure that you can recover from any data crisis.

Anti-Ransomware Software: In the last year, a global wave of ransomware attacks has been hitting Canadian organizations, with a Toronto dental clinic being one of the victims. The staff were locked out of the office computers and the hacker demanded a hefty $165,000 ransom to decrypt the files.

This is a prime example of ransomware in action. Fortunately, the office had a good backup system and was able to recover its files without giving in to the demand.

Organizations attacked by ransomware have to halt their business because of the disruption, and many end up closing down if they cannot resolve the attack. It is worth your dental office investing in anti-ransomware software that continually monitors your systems. Good anti-ransomware software should be able to:

  • Effectively protect your system from real-world ransomware
  • Detect and quarantine ransomware
  • Reverse any encryption done to your files
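As an added example (not code from the article or from Logic Tech Corp), the Python script below shows two checks behind the advice in this section and in the backup section above: verifying an off-site backup copy against a hash manifest of the live records, and flagging the mass rewrite-and-rename pattern that monitoring tools use to detect ransomware activity. The directory names, the threshold and the sample chart files are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# SHA-256 of every regular file under root, keyed by path relative to root.
def build_manifest(root):
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        manifest[str(path.relative_to(root))] = h.hexdigest()
    return manifest

# Backup check: files in the live manifest missing from or differing in the copy.
def verify_backup(live_manifest, backup_root):
    backup_manifest = build_manifest(backup_root)
    return sorted(rel for rel, digest in live_manifest.items()
                  if backup_manifest.get(rel) != digest)

# Ransomware-style signal: most known files rewritten or gone (renamed) at once.
def looks_like_mass_encryption(old_manifest, new_manifest, threshold=0.5):
    if not old_manifest:
        return False
    changed = sum(1 for rel, digest in old_manifest.items()
                  if new_manifest.get(rel) != digest)
    return changed / len(old_manifest) >= threshold

# Constructed demo: fake chart files, an "off-site" copy, then a simulated attack.
def demo():
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "records")
        live.mkdir()
        for i in range(10):
            (live / f"chart{i}.txt").write_text(f"patient chart {i}\n")
        before = build_manifest(live)
        backup = Path(tmp, "offsite")
        shutil.copytree(live, backup)
        backup_ok = verify_backup(before, backup) == []
        for p in list(live.iterdir()):
            p.write_bytes(os.urandom(64))
            p.rename(p.with_suffix(".locked"))
        alarm = looks_like_mass_encryption(before, build_manifest(live))
        backup_still_ok = verify_backup(before, backup) == []
        return backup_ok, alarm, backup_still_ok
```

In a real deployment the manifest would be rebuilt on a schedule and the alarm wired to an alert, while the backup verification would run against the off-site copy after every backup job.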

Enterprise-Level Firewall: A firewall monitors and controls the incoming and outgoing traffic of your network, and is an added layer of security against cyberattacks. Firewalls can exist on your computer (host-based) or on your network (network-based). You can set up conditions to prevent your computers from accessing certain websites (e.g. social media) or to block untrusted network traffic from reaching your computers.

An enterprise-level firewall will form a strong barrier between your internal network and any untrusted external networks. As such, your dental office should invest in one to further protect your computers and patient data from cyberattacks.

Cybersecurity Awareness Training

The key to effective cybersecurity is employee education, yet only a small percentage get adequate training. If your dental clinic doesn’t already have security training policies in place, now is the time to do so. Even a one-hour session can greatly improve your staff’s ability to recognize potential breaches and disengage with attempted attacks.

The most common form of cybercrime is phishing, which attempts to coax the target into providing sensitive information over email, text or phone calls. Phishing scams often pose as familiar institutions (e.g. banks, internet service providers, the post office, etc.) so that the target lowers their defences. Be extra cautious if you are contacted and asked to provide personal data such as banking information or passwords. Poorly written emails (bad grammar and spelling) from unknown senders and suspicious links are also tell-tale signs of a phishing scam.

Expect Data Crisis

Hackers are becoming craftier by the day, so have a crisis management protocol in place that lets you act quickly to limit the damage caused by a data breach. With a strong backup system in place, your dental office is likely to experience less downtime in the case of a cyberattack.

Another aspect you should keep in mind is the possibility of system failures. Computer hardware and software don’t have an infinite lifespan and will break down after years of everyday use. Plan to replace hardware and upgrade systems to prevent a sudden breakdown that can cost you a day (or more) to fix. For system upgrades, you can even have your technician come in after the clinic closes to do the necessary backup and updates.

With the rising number of data breaches and costly consequences of cyberattacks, dental offices need to be on their best defense to protect their patient data and ensure that their systems comply with PHIPA requirements. It is important to take action now to put physical and digital safeguards in place, as well as training staff to be aware of attacks. With solid safeguards and protocols in place, you’ll be able to keep the hackers at bay.


About the Author

Sandro Persia is the Sales Director at Logic Tech Corp, a Canadian dental management software company that has been serving the industry for more than three decades. With over 25 years of experience in the dental field, Sandro has worked with over 1000 dental clinics across Canada to streamline their workflow and increase productivity. To contact Sandro and discuss your dental management needs, email sandro@logictechcorp.com
