Decrypting the Buzz Around Email Cybersecurity

By: Robert McDermott, President and CEO, iCoreConnect

Do you feel like you’re hearing a lot about ransomware, phishing and hacking these days? You’re not imagining an increase in these buzzwords. They’re popping up everywhere: news media, compliance reports, technology and trade journals, and the list goes on. It’s important to recognize that these words are more than just the latest media buzz. They’re real threats.

Cybercrimes remain a problem for dental and medical professionals with little sign of going away anytime soon. The primary ways your practice can be compromised are through your IT infrastructure and your email. The weakest link in the chain, however, is people.

Criminals have become quite effective at using malicious email to exploit human vulnerability and gain access to protected health information (PHI). When an email comes in posing as a trusted source like a bank, an online payment site or even a social networking site, your staff needs to know what to do … and what not to do. Every day, cybercriminals successfully steal everything from patient and insurance records to passwords, social security numbers, credit card information and account numbers. These kinds of attacks are called “phishing.” They are designed to get you to click a link, call a number or respond with personal information.

Educate your staff on what to look for in a phishing attack. The Federal Trade Commission’s Consumer Division explains that phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. These emails may:

  • say they’ve noticed some suspicious activity or login attempts.
  • claim there’s a problem with your account or your payment information.
  • say you must confirm some personal information.
  • include a fake invoice.
  • want you to click on a link to make a payment.
  • say you’re eligible to register for a government refund.
  • offer a coupon for free stuff.

As a dental health provider, confirm that every email with any connection to PHI, payments, passwords or other sensitive information is being sent through a secure, HIPAA-compliant email service.

Not sure how to know? Check to make sure your secure email service uses its own private network to transmit messages, not the public internet. You also will know if your email is fully secure and compliant based on the way email communication is initiated. If your practice must initiate the first message in an email conversation, then your system is highly secure. The security key is that no one can randomly email you or your staff if you haven’t sent a secure email to them first. That eliminates phishing and hacking because cybercriminals can’t reach you. Once you have that first email interaction with another doctor, pharmacy, patient, etc., your workflow is the same as any other email.

If you are sending PHI via Google, verify you are using the paid version, Google Workspace Gmail. Even if you have some security steps in place on a non-paid Gmail address, you are most likely neither HIPAA compliant nor protecting your patients’ records. You may want to consider using Gmail, and other similar services, for sending everything that isn’t PHI or sensitive information. Secure and non-secure emails often can be accessed in the same email interface requiring only one login to access all your email accounts.

So, what happens if your email isn’t secure and someone in your office clicks a link? Well, you’ve just left the back door unlocked and let a cybercriminal sneak into your business. Once a cybercriminal gets into your system, usually without detection, they have one goal: wreak havoc to get money. They can lock up your entire records system and hold it for ransom, usually requiring payment in bitcoin. Thousands of attacks are launched every day with good success. It’s a scenario you don’t want to deal with. Fortunately, it’s also preventable.

Teach your staff or bring in an IT managed services provider (MSP) to talk with your office about the best practices to prevent phishing scams. Learn to identify a suspicious email and report it to your IT or MSP team. Most importantly, never click on buttons/links, call the listed phone number or respond to the message, especially with personal information.

Replace your current moderately secure email service with a truly secure, HIPAA-compliant email and you’ll significantly decrease the risk of your data being accessed through email.

Cybersecurity, phishing and ransomware are more than buzzwords. They represent identity theft, credit card and bank account access, and the loss of patient trust. Prevent access. Use secure email. Stay off the radar of those looking to profit off your practice. These simple steps can save you headaches and heartbreaks from having PHI stolen or captured and then paying a high ransom to get your practice up and running again.


FDA Services endorses iCoreExchange HIPAA-compliant email. iCoreExchange not only meets or exceeds every compliance and security requirement, but it also allows you to attach as many large files as you want to any single email. Speed up your workflow, protect patients and your practice. Check out this convenient and compliant service or call 888.810.7706. FDA members receive a substantial discount on iCoreExchange.

Storm Proof: 2019 Practice Readiness Guide

Hurricane season begins tomorrow and every Floridian knows it’s time to hope for the best, but prepare for the worst. This year’s updated issue will help you Storm Proof your practice with guides, resources and tools for any of your storm prep and post-storm problems.

Check it out at bit.ly/stormproof2019.

 


 

Closing a Dental Practice: Patient Safety Considerations

By David O. Hester, FASHRM, CPHRM, Director, Department of Patient Safety and Risk Management, The Doctors Company

Dental practices undergo closure for many reasons, including dentist illness, death, relocation, or the dentist’s decision to sell, practice solo, join another group or retire. As a service to our members, the Department of Patient Safety and Risk Management of The Doctors Company provides this information to make the transition easier.

What should be done in an emergent situation?
During any change in practice, the continuity of patient care to ensure that no patient is neglected is of paramount concern. If the change is abrupt — as in the circumstance of a death — the safety measures below will assist in ensuring patient safety and continuity of care.

Review all previously scheduled appointments to determine the appropriate action. Immediately contact a dentist of the same specialty to arrange patient care or provide patients with a list of dentists of the same specialty within the area. You also should take the following steps:

  • Ensure the availability and accessibility of dental records as needed for the continuity of patient care.
  • Post a notice of closure in the office and in the local newspaper. (Contact your patient safety risk manager for a sample notice.)
  • Call all dentists who customarily refer patients to the practice and all contracted managed-care organizations, and the medical malpractice carrier.

Who should be notified if it is a non-emergent closure?
If the practice closure is non-emergent, notify the following individuals and entities:

  • all patients and legal representatives in the “active” caseload; this includes any patient seen in the past six months to three years or others the dentist considers “active,” and any patient in an acute phase of treatment
  • all peer dentists within the community
  • local dental societies
  • all third-party payers (including Medicare and Medicaid) and managed-care organizations
  • the DEA (if you are retiring or if you are moving to another state)
  • the state licensing board
  • professional associations in which you hold membership
  • your CPA or financial adviser
  • your employees
  • landlords, lenders and creditors
  • insurers that cover the practice, the employees and the physical facility

How should the notice be communicated?
Draft a letter to each patient that contains all the necessary details. The same letter can be used for everyone listed above. (Contact your patient safety risk manager for a sample letter.) It’s recommended that letters be sent with return receipt requested and that a copy of the letter and return receipt be kept. If a patient is considered high risk, send the letter certified with return receipt requested. Post a notice in a local newspaper to inform inactive patients or those who have moved away. Include directions for obtaining acute, critical or emergency care if a new dentist has not been selected by the time the practice closes.

Is there a time limit for sending the closure notice?
Yes. In a non-emergent situation, send the notice at least 60 days prior to the anticipated closure. This gives patients an opportunity to locate a new dentist and to obtain copies of their dental records without undue stress.

What other responsibilities should be undertaken by the practice that is closing?

  • Provide patients with easy access to their dental records by enclosing an authorization document in the notification letter you send to them. (Contact your patient safety risk manager for samples.) When the signed authorization is returned, you can provide copies and apply appropriate charges.
  • Provide information on where the dental records will be stored in the future, the length of time (in years) that the records will be retained, and a permanent mailing address or post office box number for all future record requests. Arrange a secure storage place for the original dental records that is safe from theft, fire, flood or other weather-related disasters.
  • Maintain the dental records in accordance with The Doctors Company’s recommendations: 10 years after the last adult visit and 28 years from birth for pediatric patients. The records should be easily accessible and retrievable.
  • DO NOT give original records to patients. The easiest method is to find another dentist to take over the practice and turn the records over to that provider or turn the records over to another dentist of the same specialty.
  • Stress the importance of continuing care for all patients. Provide information about where they can find another dentist, such as the Yellow Pages and the local or state dental society.
  • Make provisions for the completion of all dental records.
  • Place a notice of closure in your waiting room and in the local newspaper for at least one month, giving pertinent details of the closure.
  • Consult with your personal or practice attorney and the state licensing agency to ensure that you have met all regulations.
  • Destroy remaining prescription pads.
  • Keep the narcotics ledger for a minimum of two years.
  • Dispose of any drugs.

 

Contributed by The Doctors Company. For more patient safety articles and practice tips, visit www.thedoctors.com/patientsafety.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each health care provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

Management of Treatment Complications

By Sue Wilson, MBA, CPHRM, Patient Safety Risk Manager, The Doctors Company

Even when a patient is provided with care that meets the standard of care, complications may arise during, or as a result of, the treatment provided. It often is helpful to review this type of case to determine not only the root causes, but also how the complication was managed.

Case Study
A patient presented to a dentist for evaluation of tooth extraction and fitting of dentures. During the extraction, the patient complained of extreme pain and allegedly stated it felt as if the jaw had been broken.

The patient was discharged home and returned the following day complaining of pain, and presented with a swollen and bruised jaw.

A dental X-ray revealed a compound fracture of the left mandible. The dentist referred the patient to an oral surgeon, with a letter outlining the X-ray results and information about when the fracture may have occurred. The oral surgeon diagnosed a left displaced mandible fracture and admitted the patient to the hospital for surgical repair. The following day an open reduction internal fixation (ORIF) was performed and the patient was discharged a day later.

Subsequently, the patient developed complications and required several additional surgical procedures. The patient alleged the dentist was negligent in failing to properly document the extraction procedure, failed to maintain proper medical records, failed to take adequate pre-extraction X-rays, applied excessive force during the extraction that resulted in the fracture and failed to adequately assess the patient’s complaint by immediately obtaining an X-ray. The plaintiff’s expert dentist affidavit opined the dental care was below the standard of care and directly caused the subsequent injury and complications. Medical records from subsequent treating professionals revealed the patient continued to have pain, loss of jaw function and became anorexic as a result of inability to chew properly. The case was settled.

Documentation
It’s widely understood that health care records should contain a complete assessment of prior dental, medical, surgical and pharmaceutical history. However, there often is confusion about how to document complications or complaints. It’s important to objectively describe any complaint or complication arising during or following a procedure, as well as the assessment and actions taken in response to the complaint or complication. In this case, when the patient complained of pain, the dentist did not stop to determine the source or severity of pain and did not obtain an X-ray post treatment. Although the dentist stated in a letter to the oral surgeon he suspected the fracture occurred following extraction of a specific tooth that was ankylosed, he did not document the same in the patient’s record, nor did he document discussions with the patient following the procedure.

Recordkeeping
When a request is received for records and X-rays, a complete copy should be made and the originals retained in the office. In this situation, all original X-rays and medical records were given to the patient without keeping a copy, making it difficult to determine what was documented by the dentist and staff. When referring to another care provider, provide a copy of the medical records and X-ray films, but the original records and films should be kept and it should be documented that a copy was sent to the treating provider or given directly to the patient.

Communication
Maintaining communication with the patient and other treatment providers is essential. In a study of plaintiffs who were asked why they chose litigation against their health care provider, most responded they were seeking an apology and an explanation. It’s important to provide both to a patient who is potentially or actually injured. However, in many cases the cause of injury or complication is not known right away; therefore, it’s equally important not to assume blame, or to point to others as the cause of complication or injury.

Consult with Your Insurance Provider
When an adverse outcome resulting in potential or actual harm occurs, it should be discussed with your insurance company representative as soon as possible. In this case, the event was not reported until the patient requested her medical records and retained an attorney. At The Doctors Company, there are claim specialists and patient safety risk managers who can assist with communication, documentation, legal and regulatory questions and, if appropriate, compensation to the patient. Seek guidance from a patient safety risk manager or claim specialist before financial arrangements and agreements take place in connection with an undesired outcome, complication or injury.

Although zero injury is the goal, when an undesired outcome, actual injury or serious complication does occur, it often is how it is handled that determines the outcome for both the patient and the health care provider.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.

Reprinted with permission. ©2018 The Doctors Company. For more patient safety articles and practice tips, visit www.thedoctors.com/patientsafety.