Decrypting the Buzz Around Email Cybersecurity

By: Robert McDermott, President and CEO, iCoreConnect

Do you feel like you’re hearing a lot about ransomware, phishing and hacking these days? You’re not imagining an increase in these buzzwords. They’re popping up everywhere: news media, compliance reports, technology and trade journals, and the list goes on. It’s important to recognize that these words are more than just the latest media buzz. They’re real threats.

Cybercrimes remain a problem for dental and medical professionals with little sign of going away anytime soon. The primary ways your practice can be compromised are through your IT infrastructure and your email. The weakest link in the chain, however, is people.

Criminals have become quite effective at using malicious email to exploit human vulnerability and gain access to protected health information (PHI). When an email comes in posing as a trusted source like a bank, an online payment site or even a social networking site, your staff needs to know what to do … and what not to do. Every day, cybercriminals successfully steal everything from patient and insurance records to passwords, social security numbers, credit card information and account numbers. These kinds of attacks are called “phishing.” They are designed to get you to click a link, call a number or respond with personal information.

Educate your staff on what to look for in a phishing attack. The Federal Trade Commission’s Consumer Division explains that phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. These emails may:

  • say they’ve noticed some suspicious activity or login attempts.
  • claim there’s a problem with your account or your payment information.
  • say you must confirm some personal information.
  • include a fake invoice.
  • want you to click on a link to make a payment.
  • say you’re eligible to register for a government refund.
  • offer a coupon for free stuff.

As a dental health provider, confirm that every email with any connection to PHI, payments, passwords or other sensitive information is being sent through a secure, HIPAA-compliant email service.

Not sure how to tell? Check to make sure your secure email service uses its own private network to transmit messages, not the public internet. You also will know whether your email is fully secure and compliant based on the way email communication is initiated. If your practice must initiate the first message in an email conversation, then your system is highly secure. The key to this security is that no one can randomly email you or your staff if you haven’t sent a secure email to them first. That eliminates phishing and hacking because cybercriminals can’t reach you. Once you have that first email interaction with another doctor, pharmacy, patient, etc., your workflow is the same as any other email.

If you are sending PHI via Google, verify you are using the paid version, Google Workspace Gmail. Even if you have some security steps in place on a non-paid Gmail address, you are most likely neither HIPAA compliant nor protecting your patients’ records. You may want to consider using Gmail, and other similar services, for sending everything that isn’t PHI or sensitive information. Secure and non-secure emails often can be accessed in the same email interface, requiring only one login to access all your email accounts.

So, what happens if your email isn’t secure and someone in your office clicks a link? Well, you’ve just left the back door unlocked and let a cybercriminal sneak into your business. Once a cybercriminal gets into your system, usually without detection, they have one goal: wreak havoc to get money. They can lock up your entire records system and hold it for ransom, usually requiring payment in bitcoin. Thousands of attacks are launched every day with good success. It’s a scenario you don’t want to deal with. Fortunately, it’s also preventable.

Teach your staff or bring in an IT managed services provider (MSP) to talk with your office about the best practices to prevent phishing scams. Learn to identify a suspicious email and report it to your IT or MSP team. Most importantly, never click on buttons/links, call the listed phone number or respond to the message, especially with personal information.

Replace your current moderately secure email service with a truly secure, HIPAA-compliant email and you’ll significantly decrease the risk of your data being accessed through email.

Cybersecurity, phishing and ransomware are more than buzzwords. They represent identity theft, credit card and bank account access, and the loss of patient trust. Prevent access. Use secure email. Stay off the radar of those looking to profit off your practice. These simple steps can save you headaches and heartbreaks from having PHI stolen or captured and then paying a high ransom to get your practice up and running again.


FDA Services endorses iCoreExchange HIPAA-compliant email. iCoreExchange not only meets or exceeds every compliance and security requirement, but it also allows you to attach as many large files as you want to any single email. Speed up your workflow, protect patients and your practice. Check out this convenient and compliant service or call 888.810.7706. FDA members receive a substantial discount on iCoreExchange.

HIPAA-compliance Solution Provides Much-needed Peace of Mind


How Abyde’s simplified solution gave Comprehensive Dental Care “one less thing to worry about” and much-needed “peace of mind” in their complete HIPAA-compliance program.

“Solved a Problem We Didn’t Even Know We Had”

For many practice owners and managers, it’s common for HIPAA compliance to become a “secondary thought” when added to the quite extensive list of other roles and responsibilities. While many independent providers find it often infeasible to dedicate a full-time position solely focused on HIPAA privacy and security, the recent rise in data breaches and government enforcement has made prioritizing compliance a must. So when it came to finding much-needed “peace of mind” for the practice owner and manager of Comprehensive Dental Care, Florida Dental Association (FDA) member Dr. Oscar Menendez and Denise Menendez, Abyde “solved the problem they didn’t even know they had” with a simplified approach to achieving HIPAA compliance.

As a successful practice in the dental industry for more than 35 years, Comprehensive Dental had always assumed that completing their annual HIPAA-training courses and maintaining a culture of compliance within their organization was enough to avoid the so-called “HIPAA police.” They maintained a strong focus on patient care and protecting sensitive health data, but lacked the documentation to prove their efforts in meeting these important HIPAA standards. However, with the many legislative changes, HIPAA violations and cyberattacks that have seemed to take the health care industry by storm over the past year, they saw the increasing importance of filling in some of those small gaps that might previously have been missing.

Easy-to-Manage Compliance, Easy-to-Use Software

As most practice managers could probably attest to, Denise simply “didn’t want to manage another thing” and was looking for a solution that not only made HIPAA easy but was easy to use itself. As a member of the FDA, she was familiar with the FDA’s preferred HIPAA-compliance vendor, Abyde, and “after seeing the presentation and learning a few statistics on HIPAA laws/lawsuits,” she became “very interested in the product.” Immediately after signing up, Denise was “pleasantly surprised that Abyde did everything that they said they would do in the initial contact with the sales representative” and she was “extremely impressed with the program itself and its ease of use” and happy to find that the “setup process wasn’t very hard or time consuming” to work into her already busy schedule.

Beyond the onboarding process, Denise has found that the maintenance involved with using Abyde was a no-brainer. As new laws and patient needs continue to evolve, “practice managers get busy and don’t necessarily have the time to manage the complexities of HIPAA.” And while years ago having a lock on the cabinet that held patient records might’ve seemed like enough to keep data protected, technology and social media have “blurred the lines” between patient confidentiality and HIPAA best practices. So for Denise, “receiving emails and notifications has made keeping up with any necessary updates simple and provides assurance that nothing is being missed.”

“One Less Thing to Worry About”

In addition to taking some of the HIPAA weight off of Denise’s shoulders, Abyde also gave practice owner Dr. Oscar Menendez “one less thing to worry about.” With industry-leading features including automated and engaging HIPAA training videos, he was given confidence that each of his staff members was provided the necessary education to handle patient information properly. As there is no telling when your organization may come face-to-face with a HIPAA incident, whether due to the rising risk of health care data breaches or an increase in patient complaint numbers, Dr. Menendez notes that “if you do experience some type of incident, having documented proof of compliance and knowing how to address it is essential.”

While Denise emphasizes that the Abyde software solution itself is one of the “easiest I’ve ever seen or worked with,” there’s even more value beyond the uniquely better interface, including a support team of HIPAA experts that Dr. Menendez is thankful are always available “to guide us through” any questions. Between the automated notifications, comprehensive Security Risk Analysis, HIPAA training videos and other industry-leading features, Abyde provides endless benefits for health care organizations all across the country.

When looking at the time and resources that are required to manage a complete HIPAA program in-house, having a solution that “for a small fee, keeps us up to date, compliant and more aware” has been a huge help for Comprehensive Dental Care. And the peace of mind that comes with knowing that your practice is not only compliant, but also has the documentation to prove compliance efforts, is truly priceless. So, no matter if you’re a small independent dental provider or a large multi-location organization, in Dr. Menendez’s own words, “Every provider should have Abyde — they’re crazy not to!”


Abyde is an FDA Crown Savings Endorsed Partner and the Abyde software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. FDA members save 20% on Abyde services that help their practices meet government-mandated HIPAA standards that protect patient health information by identifying and correcting key security safeguards. For more information, visit fdaservices.com/abyde or call 800.594.0883.

Cyberattacks: Prevention May be the Cure from Ransomware

By Robert McDermott, President/CEO, iCoreConnect

Just as you wash your hands regularly so you don’t get sick, it’s critical to adopt good habits of “digital hygiene” to prevent cyberattacks on your practice. The “illness” threatening your practice is called malware. Malware is an umbrella term for any malicious software criminals use to steal your or your patients’ data.

Ransomware, a particularly sinister malware, burrows into your system and begins encrypting all your data so you can’t access it. Then a cybercriminal holds your data for ransom, demanding you pay a hefty sum of money for them to give you access to your own files.

Just as a human virus sometimes can go undetected, malware can be in your computer system long before you realize it. By the time you see symptoms, it’s too late. Cybercriminals are continually developing sophisticated methods for infecting computers and servers without you catching on. There are two primary ways malware gets into your system and holds your practice ransom.

HACKING

Hackers secretly tap into your data by exploiting weaknesses in your IT security. Outdated, unmaintained systems often make smaller, older practices particularly easy targets. Working with a proactive team of IT experts, known as managed IT services providers (MSPs), is an important layer of defense against attacks. These folks can save you money, time and headaches over the long run. They detect threats early to eliminate or reduce damage well before it gets out of hand.

A particular vulnerability is how you are using email. Only use Gmail, Hotmail, Yahoo, etc. for personal or non-patient-specific messages. For anything beyond that, set up a fully HIPAA-compliant, cloud-based email system that protects your information whether it’s sitting in your inbox or in transit to another doctor’s inbox. There are big differences between an encryption-only email for general security and a truly HIPAA-compliant email fulfilling every HIPAA security requirement. These requirements range from verifying recipient identity to making sure no email is altered.

PHISHING

Phishing occurs when a criminal tricks any employee into thinking something is a trustworthy source, then convinces them to click a corrupt link or provide sensitive information directly (like a credit card number). The attacker is preying on a lack of awareness on the part of you or a staff member. You must educate your whole team to recognize suspicious messages, links and questions to avoid falling victim. If the sender is unknown or claims to be your IT person, MSP or someone in your office yet asks you to click an unusual link, verify the email first with the actual person on your team.

No one is inherently immune from cyberattacks. Take action now by working with a qualified dental IT services provider to assess, boost and maintain your IT immune system. Work directly with your staff to understand what to look for and how to prevent these types of criminals from getting in the door. Healing from an attack is much more difficult and costly than preventing it in the first place.


iCoreConnect, an FDA Crown Savings merchant, specializes in comprehensive software that speeds up workflow for dentists. The FDA endorses these products from iCoreConnect: iCoreExchange HIPAA-compliant email and iCoreDental cloud-based practice management. FDA members receive substantial discounts on both products. Book a demo at icoreconnect.com/fda or call 888.810.7706.

Could Your Practice’s Website Reveal Your HIPAA Non-compliance?

By Dr. Danika Brinda, CEO, Planet HIPAA

Did you know that your practice’s website can reveal to the world that you are out of compliance with HIPAA?

A quick look around your website could reveal to a HIPAA auditor that your practice is struggling with HIPAA compliance. Wondering what I am referring to? It’s the Notice of Privacy Practices! The regulations state that your practice must ensure that the most current version of your Notice of Privacy Practices is posted on the practice’s website (if one exists). Here is the specific language from the regulations:

CFR 164.520(c)(3)(i) – A covered entity that maintains a website that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on their website and make the notice available electronically through their website.

Go ahead, give it a try. Head on out to your website (or another practice’s). Try to find the Notice of Privacy Practices. Were you successful, or did you find something called a Privacy Policy instead? If you look through the Privacy Policy, most of the time the language is specific to the privacy policy of the website and is not the Notice of Privacy Practices. Keep searching for the Notice of Privacy Practices. If you are unsuccessful at finding it, the basic elements of the regulations are not met. If you found the Notice of Privacy Practices – great work! You are compliant, right? NOT NECESSARILY!

Even with your Notice of Privacy Practices posted on your website, you must make sure that the document is your most current version and matches the one available in your office. You also must make sure it meets all the requirements that were defined in the 2013 HIPAA Privacy Regulations and the 2013 HIPAA Omnibus Rule. If any of the following three statements are true, your website revealed that you are out of compliance with HIPAA:

  1. Your Notice of Privacy Practices was not posted on your website.
  2. Your Notice of Privacy Practices was dated prior to Sept. 23, 2013.
  3. The Notice of Privacy Practices on your website isn’t the most up-to-date copy.

If you think the auditors will not be looking on your website to make sure your Notice of Privacy Practices is posted, think again. In the OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements, it states the covered entity must “upload the URL for the entity’s website and the URL for the posting of the entity’s notice.” In fact, the instructions for the HIPAA auditors state that they must:

“Determine whether the entity maintains a website. If so, observe the website to determine if the Notice of Privacy Practices is prominently displayed and available. An example of prominent posting of the notice would include a direct link from homepage with a clear description that the link is to the HIPAA Notice of Privacy Practices.”

Not only does it have to be posted on your website, but it must be in a location that is easy to find with an easy description!
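The self-check described above (a clearly labelled, direct Notice of Privacy Practices link on the homepage, a notice dated on or after Sept. 23, 2013, and a posted copy that matches the office copy) can be scripted. This is an added example, not code from the article or from Planet HIPAA; the homepage HTML is constructed, and the effective dates of the posted and office copies are assumed to be read off the documents and passed in by hand.

```python
import re
from datetime import date
from html.parser import HTMLParser

# Cut-off date from the article: notices dated before this predate the Omnibus Rule.
OMNIBUS_DEADLINE = date(2013, 9, 23)


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = re.sub(r"\s+", " ", "".join(self._text)).strip()
            self.links.append((self._href, text))
            self._href = None


def npp_links(homepage_html):
    """Homepage links whose visible text names the Notice of Privacy Practices.

    A link labelled only 'Privacy Policy' does not count: the article notes that
    such pages usually describe the website, not the HIPAA notice."""
    parser = LinkCollector()
    parser.feed(homepage_html)
    return [(h, t) for h, t in parser.links if "notice of privacy practices" in t.lower()]


def audit_npp(homepage_html, posted_effective, office_effective):
    """Return the article's three non-compliance findings that apply (empty list = none)."""
    findings = []
    if not npp_links(homepage_html):
        findings.append("not_posted")            # statement 1: no NPP link from the homepage
    if posted_effective is not None and posted_effective < OMNIBUS_DEADLINE:
        findings.append("pre_omnibus_date")      # statement 2: dated before Sept. 23, 2013
    if posted_effective != office_effective:
        findings.append("stale_copy")            # statement 3: website copy is not the current one
    return findings


# Constructed sample homepages (not real practice websites).
HOMEPAGE_PRIVACY_POLICY_ONLY = '<nav><a href="/about">About</a><a href="/privacy">Privacy Policy</a></nav>'
HOMEPAGE_WITH_NPP = '<nav><a href="/privacy">Privacy Policy</a>\n<a href="/hipaa-notice.pdf">HIPAA Notice of\n  Privacy Practices</a></nav>'
```

Run `audit_npp(HOMEPAGE_PRIVACY_POLICY_ONLY, date(2012, 1, 1), date(2014, 4, 1))` to see all three findings fire at once; a homepage with the labelled link and matching current dates returns an empty list.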

The Notice of Privacy Practices is not a difficult area of the HIPAA regulations to comply with; however, it is a common area of non-compliance. To be compliant with this regulation, the following four items should be established:

  • Notice of Privacy Practices
  • Notice of Privacy Practices Policy and Procedure
  • Acknowledgment Form of the Notice of Privacy Practices
  • Making the notice available on the practice’s website

The specific elements that need to be defined in the Notice of Privacy Practices are specifically defined in the regulations. More information can be found here.


Dr. Danika Brinda is the CEO of Planet HIPAA and has more than 12 years of experience in health care privacy and security practices. She also is a nationally recognized speaker on a variety of health care privacy and security topics, and specializes in helping dental organizations implement a HIPAA-compliance program.

This article was first published on Planet HIPAA on Sept. 5, 2016.