It’s not only a failure to provide care that can result in a malpractice suit. Over the last few years, mishandling ePHI and electronic health records (EHRs), or failing to protect their privacy, has increasingly led to the courts as well. Learning to protect your patient data is learning to protect your practice. Above all, it is making sure that you are, first, doing no harm.
Nearly 13% of dentists will face a malpractice claim over the course of their career, yet 35% say that dental school and training left them ill-prepared for this reality of the business. While the total number of cases has decreased over time, the average cost of these suits is increasing. The settlement amount depends largely on the extent of the malpractice, but typical dental malpractice payouts range from $20,000 to $200,000, with some reaching into the million-dollar range.
For most small practices, a malpractice lawsuit, with its financial toll and damage to your reputation, could be catastrophic. While the majority of dental malpractice claims are settled out of court, 80% are won by the patient. So if and when a malpractice claim is made against your practice, the odds are not in your favor, and the best strategy is prevention.
As one would expect, most dental malpractice lawsuits stem from an injury to a patient, whether from an unnecessary or incorrect treatment or from a correct treatment performed poorly. However, there are other concerns.
First, let’s look at the four criteria required for a claim to be made in the first place:
1. Standard of care: There is a level of care dental professionals owe their patient and a duty to provide that standard.
2. Breach of care: At some point, during care, the dental professional strayed from the established standard of care.
3. Damages: As a result of the breach of care, there was injury to the patient, resulting in emotional, physical, mental, or financial suffering.
4. Causation: The patient is able to demonstrate that the dental professional’s action, or inaction, caused the suffering.
It’s clear from those criteria that most malpractice suits are likely the result of procedures or treatments performed while the patient is in the chair. Plenty of sites will list the most common risks for you, from failing to diagnose oral cancer and nerve injuries to failing to consider existing conditions or allergies and failing to explain treatment or obtain consent.
However, one emerging risk that doesn’t get nearly enough attention, and that doesn’t require the patient to be in the chair or even in the office, is a cyberattack or malware infection that cuts off your access to vital patient data and, as a result, degrades the standard of care you are able to provide. Hospitals and medical providers started seeing malpractice suits related to cybersecurity around the same time law firms and financial institutions felt the impact, and such suits are on the rise.
For many dental practices, cybersecurity efforts focus on achieving HIPAA compliance. While that’s a big part of keeping your data safe and secure, avoiding HIPAA violations is not the only reason to put the effort forward. Weak cybersecurity is a risk to your practice and your patients, and can open you up to the kinds of attacks that can lead to a dental malpractice lawsuit. This is where your servers and networks, like your practice management system, enter the conversation.
Of the security risks that open you up to a dental malpractice suit, leaving your networks or servers exposed to attackers, or unwittingly letting them in through stolen or phished credentials, is among the most dangerous. Once inside, attackers not only can read ePHI but often can also limit or block your own access to that same information, information that is vital to the decisions you make about everything from prescriptions to treatment and procedures.
For context, in one of the first medical malpractice suits involving a cyberattack, the Kidd family alleged that, had a malware attack not crippled the hospital's systems, the life of their baby might have been saved. The ransomware denied healthcare providers access to essential health records, lab results, and fetal heart rate monitoring. As a result, they couldn’t, and didn’t, perform a life-saving C-section. It’s also important to note that this cyberattack occurred more than a week prior to the baby’s arrival.
When the data in your practice management system or on your servers holds vital, potentially life-saving information and access to it is restricted, held for ransom, or the data itself is compromised, your patients are similarly endangered. And in this particular case, the security vulnerability was preventable: the Apache Software Foundation had quickly issued a patch for the problem, but the hospital failed to install it.
Imagine, in your dental practice, that data or access is compromised in a way that impairs your ability to make a correct diagnosis, prescribe the right medication, or perform the right procedure. Suddenly, cybersecurity vulnerabilities are not just jeopardizing data; they threaten your patients’ health and safety and your entire practice.
As we mentioned above, and as lawyers would likely agree, the best defense against a dental malpractice lawsuit is to not have one. When it comes to preventing one that stems from a cybersecurity attack, the best thing you can do for your practice is mitigate your risks.
Because of the ever-evolving nature of those attacks, dental practices need to prioritize not just data security but a multi-layered approach that addresses everything from physical security to staff training. While we’re noting both physical and logical data security below, we’ll also focus on some of the overlooked security measures that can leave your practice vulnerable.
1. Physical security
HIPAA compliance requires security measures governing physical access to servers and to the workstations that can reach private data. That means not just physical barriers like locked doors; larger practices or healthcare organizations will also want to control and log door access with keycards or RFID badges.
2. Logical security
Again, HIPAA requires that access to your data and patient data be restricted to only those who need it. So what is logical security? Simply put, it’s how you verify someone’s identity and their authorization before granting access to a computer network, database, or workstation. You’ve encountered logical security if you’ve used a personal identification number (PIN), a card, or a biometric. If you electronically prescribe controlled substances, you may use a token for identity verification with your ePrescribing software. With logical security, different access privileges can be assigned to different people depending on their roles and responsibilities in the organization.
A physical barrier is something you can see. Logical security, on the other hand, can be more porous: there are multiple ways in, so there are far more considerations your team needs to make, and actions to take, to keep your practice safe from cyber threats.
3. Keeping hardware, software, and patches up to date
When we have outdated hardware at home, we find workarounds and often don’t worry about how that affects our network. In your practice, however, outdated hardware is a serious problem because it may not let you run or install current security software or apply patches to the software you already have. Security software, firewalls, and operating systems all need regular updates because cybercriminals keep changing and improving their attack methods, and your software must keep up with existing and emerging threats. Failing to keep systems updated, especially because your hardware can’t handle it, is a major vulnerability. As the medical case above shows, it also creates a major gap in patient protection and exposure to malpractice lawsuits.
4. Secure communications
HIPAA’s Security Rule expects ePHI to be encrypted in transit (encryption is an “addressable” safeguard, meaning you either implement it or document why an equivalent alternative is reasonable), so in practice email carrying ePHI must be encrypted. But, and we can’t say this enough, encryption is just one piece of HIPAA compliance for electronic transmission. We still see many practices using consumer email services like Gmail, Yahoo, AOL, and Hotmail. These may claim to be secure, but the consumer versions generally will not sign a Business Associate Agreement with you, so you need to check whether the version you’re using can be brought into full HIPAA compliance at all, given your email provider’s capabilities.
Insecure email is like an open window into your data security vault. Phishing and spear-phishing attacks slide right into everyday mail, and they’ve become sophisticated. Without a truly HIPAA-secure email solution, and the filtering that comes with it, unsuspecting or busy staff can easily click dangerous links or enter their credentials on a fake login page, unwittingly handing access to your system to an attacker.
5. Password security
Are you reusing passwords? Is your staff? Unfortunately, many of us are. More unfortunately, attackers count on it. Why is this such a risk?
Credential stuffing and brute force attacks both exploit our laziness in creating passwords. Credential stuffing takes username and password pairs leaked in breaches of other sites and, often with help from other data available online (including where we work), replays them against your systems, betting that someone reused the same password. Brute force attacks, by contrast, don’t need a leaked password: they simply guess, trying common or easy passwords and their variations against an account until one works.
Password security isn’t always something we pay attention to, but we should, because it can be a major point of vulnerability. A distinct password for each system, a password manager to keep track of them, and multi-factor authentication wherever your software supports it blunt both kinds of attack.
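As an added example (not part of the original article), the following Python script shows how the two attack patterns just described look different in a login log, and how a practice’s IT support could tell them apart: brute force piles many failures onto one account, while credential stuffing spreads one attempt each across many accounts from one source, and the thing to look for is the success buried among those failures. The log format, account names and IP addresses are constructed for illustration, and the thresholds are assumptions, not settings from any real product.

```python
"""Classify failed-login activity as brute force or credential stuffing.

Added example, not code from the original article. The log format below
("<ISO timestamp> auth <FAIL|OK> user=<account> ip=<source>") is a
hypothetical practice-management-server format; every account name and IP
address is constructed (RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict

# Constructed sample log: one brute-force run against dr.patel, one
# credential-stuffing run from 198.51.100.7 that succeeds on "office",
# and one benign typo-then-success from a staff workstation.
SAMPLE_LOG = """\
2024-03-04T08:00:01 auth FAIL user=dr.patel ip=203.0.113.10
2024-03-04T08:00:02 auth FAIL user=dr.patel ip=203.0.113.10
2024-03-04T08:00:03 auth FAIL user=dr.patel ip=203.0.113.10
2024-03-04T08:00:04 auth FAIL user=dr.patel ip=203.0.113.10
2024-03-04T08:00:05 auth FAIL user=dr.patel ip=203.0.113.10
2024-03-04T08:00:06 auth FAIL user=dr.patel ip=203.0.113.10
2024-03-04T08:01:10 auth FAIL user=frontdesk ip=198.51.100.7
2024-03-04T08:01:11 auth FAIL user=hygienist1 ip=198.51.100.7
2024-03-04T08:01:12 auth FAIL user=dr.lee ip=198.51.100.7
2024-03-04T08:01:13 auth FAIL user=billing ip=198.51.100.7
2024-03-04T08:01:14 auth FAIL user=admin ip=198.51.100.7
2024-03-04T08:01:15 auth OK user=office ip=198.51.100.7
2024-03-04T08:05:00 auth FAIL user=hygienist2 ip=192.0.2.5
2024-03-04T08:05:09 auth OK user=hygienist2 ip=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(log_text):
    """Return (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["result"], m["user"], m["ip"]))
    return events


def analyze(log_text, threshold=5):
    """Flag brute force (many failures on one account) and credential
    stuffing (one source, many accounts, about one attempt each).

    `threshold` is an assumed tuning value, not a standard."""
    fails_per_user = defaultdict(list)   # account -> source IPs of failed attempts
    users_per_ip = defaultdict(set)      # source IP -> accounts it tried (FAIL or OK)
    attempts_per_ip = defaultdict(int)   # source IP -> total attempts
    successes_per_ip = defaultdict(list) # source IP -> accounts it logged into

    for _ts, result, user, ip in parse_events(log_text):
        users_per_ip[ip].add(user)
        attempts_per_ip[ip] += 1
        if result == "FAIL":
            fails_per_user[user].append(ip)
        else:
            successes_per_ip[ip].append(user)

    findings = {"brute_force": {}, "credential_stuffing": {}}

    # Brute force: the same account is hammered regardless of where from.
    for user, ips in fails_per_user.items():
        if len(ips) >= threshold:
            findings["brute_force"][user] = {
                "failures": len(ips),
                "source_ips": sorted(set(ips)),
            }

    # Credential stuffing: one source sprays many accounts with roughly one
    # guess each (attempts no more than 2x the number of distinct accounts).
    # A success here means a reused password was found and the account is
    # compromised, which is the finding that matters most.
    for ip, users in users_per_ip.items():
        if len(users) >= threshold and attempts_per_ip[ip] <= 2 * len(users):
            findings["credential_stuffing"][ip] = {
                "accounts_tried": len(users),
                "succeeded": sorted(successes_per_ip[ip]),
            }
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Run against the constructed log, the script flags `dr.patel` as a brute-force target (six failures from one address) and `198.51.100.7` as a credential-stuffing source that tried six accounts and got into `office`; the staff member on `192.0.2.5` who mistyped once is not flagged. In a real practice the same logic would run over the practice management system’s or domain controller’s authentication log, and a stuffing success should trigger an immediate password reset for the affected account.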
6. Staff training
Even the most robust, multi-tiered security system is only as good as the training you give your staff. It’s a bit like putting a lock on the door of your house but never using it. Without ongoing threat and security training, and without a culture of security around vital practice data and the technology that supports it, you’re still at risk.
In short, you should be updating your team as often as you’re updating your software and hardware. They’re a vital part of the security plan and should be kept in the loop. This goes not only for protecting your data but also for how you respond to a security incident.
As a health professional, you don’t take standards or quality of care lightly. While you may not be an IT professional, taking your practice and patient security seriously is equally important. Thankfully, in the same way that you receive assistance from an amazing staff, there’s a growing arsenal of software and professional tools to help you fight against cyber attacks that could lead to malpractice suits.
iCoreConnect has built a network of solutions designed to help you not only improve your efficiency and workflow but also to elevate your security standards to help keep you, your patients and your practice safe. From HIPAA compliant email software and a HIPAA risk assessment to managed services, we can help ensure your security stance can withstand evolving threats.
If you need help and are interested in exploring potential solutions, book a demo today.