When patients come into your practice, your business team has them fill out a lot of paperwork, whether manually or digitally. The data provided generally includes some sensitive, private information known as Protected Health Information (PHI), or electronic Protected Health Information (ePHI) if stored digitally. It’s not only important that you capture and store this information securely; it’s required by HIPAA law. If patients’ PHI gets into the wrong hands, you could face severe consequences. That’s why data security should be a top priority for your practice.
If a cyber criminal breaks into your system, the financial costs add up quickly. You could potentially experience a total shutdown of your business operations, along with your practice data being held for ransom. Additionally, a breach where PHI is involved is penalized by fines and other requirements based on HIPAA law. After dealing with the business interruption, ransom and fines, you face the additional costs of securing your network and data so you can get back to business.
Finally, consider the impact of a data breach on your relationship with your patients, as well as your reputation overall. Many patients may lose trust and may not return. Similarly, potential new patients may opt for a practice without a record of data insecurity. Being proactive and prioritizing data security before there’s data breach is the best route to take.
Protected Health Information is the term used by the federal government and healthcare industries in regard to any kind of personally identifiable patient information. This may include full face photographs, patient names, birth dates, dental record numbers, treatment plans, dental and health histories, and referral letters including contact information. It may also include payment or other sensitive information.
The U.S. Department of Health and Human Services (HHS) published the HIPAA Privacy Rule and the HIPAA Security Rule, which lay out the technology requirements for protecting your patients’ sensitive data. There are specific rules addressing technical safeguards, including “measures for protecting the integrity, confidentiality, and availability of ePHI that is held or transmitted by covered entities,” according to HHS.
Data security includes the policies, procedures, and technological mechanisms by which the sensitive data and PHI you’ve been entrusted with are protected. The ultimate goal is to keep your data and the network that stores that data safe from unauthorized access or data leakages during data transfers or sharing.
For this reason, most medical and dental practices utilize multiple layers of security to protect electronic health records (EHR) which contain high-value PHI. These layers include a thoroughly-developed data governance policy, staff training, and software and hardware security measures such as up-to-date firewalls and virus protection applications.
To be frank, the simple and straightforward answer is that ignoring data security is too costly for you, your patients, and your organization, be it a single practice or a dental support organization (DSO).
The value of data and data security is often overlooked, but the impact of a data breach cannot be. There are financial, reputational, and legal consequences to a data breach that are not just costly and time consuming but also long lasting.
The financial impact is often the most consequential. For healthcare organizations, the average cost of a data breach is $9.5 million. Further estimates suggest that the cost is roughly $211 per compromised record.
According to HIPAA rules and regulations, you can be fined for every individual patient record violated, even if you were unaware of the breach and were not found negligent. Each violation of a single patient’s record can cost between $100 and $50,000.
Additional financial consequences may include:
One of the notable financial consequences may be legal fines and fees, both federal and state. If your organization is large enough, legal complications may include class action lawsuits brought by the individuals who had PHI and other financial or sensitive information leaked. In fact, healthcare data breach lawsuits are on the rise.
In addition to lawsuits, other legal complications include:
In short, the legal consequences can be significant, especially when your team is already handling other significant challenges.
Often the legal and financial costs are felt immediately, but that doesn’t mean the costs are resolved once the breach is identified, reported, and the security lapse resolved. In fact, even more financial damage can be caused by the longer term reputational impact of a data breach.
One unexpected consequence is that your organization becomes a data breach example: media, industry organizations and the federal government can keep your name in the headlines as a “cautionary tale.” Information on the breach may sit at the top of search engine results for your organization for some time. If the breach affects 500 people or more, you’ll find your practice added to the HIPAA “Wall of Shame” by the HHS Office for Civil Rights (OCR). All of these headlines can significantly impact your reputation and your ability to acquire new patients.
Finally, nearly 65% of customers and clients impacted by a breach lose trust in the organization, and nearly 80% of them cease their business relationship with that organization. But it doesn’t stop there. 85% of those individuals will share their experiences with friends and family via a variety of methods, including social media (35%) and directly on your organization’s website (20%).
While there are ways to rebuild trust and minimize reputational impact, those efforts take time, money, and resources. As a result, other aspects of your medical or dental practice can suffer.
In short, learning how to protect your data and prioritizing that protection, especially when sharing data with other organizations, is vital to protecting your customers, your business and its longevity.
Data security requires, as mentioned, multiple layers of security. It starts with your policies and adherence to those policies, staff training, and then extends into your actual logical and physical technology security.
It’s hard to protect your data if you don’t know where your vulnerabilities may be. In addition to a standard risk analysis, a separate analysis should be completed with a specific focus on HIPAA compliance.
On an average day, your staff will handle a good number of patient files containing PHI and have access to countless other pieces of sensitive data or personally identifiable information. They are, essentially, the front line for handling your data, and for some of them discretion, privacy, and security may not be second nature, so outlining policies and procedures for accessing and handling data should be paramount.
95% of data breaches are caused by human error. That’s a stunning statistic because, essentially, it means most data breaches are preventable, and preventable proactively. Training your staff is one of your best methods of defense. They must understand how to handle data and how to be smart about their own email and application usage.
First, having the necessary security tools installed is priority number one. Beyond that, from your firewall to your anti-virus software, keeping tools up to date with the latest version and any required patches is essential. Software companies, particularly those in the security space, regularly release patches and updates to address known vulnerabilities or identified weaknesses. Unpatched software is a significant risk to your own data security.
If disaster strikes, you want to be certain it won’t impact the data vital to your dental practice and patient care. Utilizing an off-site cloud backup means your PHI and business financial data are safe and secure. Without a reliable backup, what starts as a small inconvenience can become a major disruption. Cloud backups mean you can save significant time restoring your system to its pre-disaster state.
At a minimum, if utilizing an onsite server, your data should be encrypted in storage so that if it is leaked, it isn’t leaked as clear text. Encryption is a great starting point for data security, but encrypting your data at rest isn’t enough. Part of the patient care you provide involves communication with other care providers. Data is especially vulnerable to interception during transmission, so ensuring you’re using HIPAA-compliant encrypted email is equally important.
Security needs to be a top priority, but IT security takes expertise. Staying on top of constantly evolving threats and managing your network vulnerabilities can be a full-time job, and it’s likely not what you signed up for when you got your degrees. Mitigating evolving cyberthreats requires dedicated expertise and an understanding of the IT security space.
Managed IT services can take the stress off your team and provide the security expertise and support you need to help keep your data safe.
In a digital world, there are few people who don’t understand the risk of sharing their data with businesses. In fact, among consumers, 87% won’t do business with an organization that doesn't prioritize data security. And among businesses and organizations, healthcare and financial services fall short, though not as short as other industries: healthcare came in with a trust rating of nearly 50%.
Building trust with your clients is a great way to ensure patient loyalty, but it’s also just smart business. Data and data sharing help you provide better care for your patients, but it also presents a risk. If you’re ready to talk about mitigating that risk with a team that prioritizes data security in the healthcare space, book a demo with the iCoreConnect team today.