Typically, when one thinks of the value of a business – dental practice or otherwise – one tends to think of the physical assets such as equipment, furniture and office supplies. Yet, with the growing reliance on technology and the Internet, intangible assets must also be considered. Intangible assets, assets that are not physical in nature, are generally valued only during the sale of a practice. Yet, there are other times when knowing the value of your intangible assets is critical.
Given industry trends and governmental mandates, the use of electronic patient records continues to accelerate. Your patient database is one of the most significant intangible assets you own. How much is this data worth? Is it adequately protected? How much are you willing to spend to protect the data relative to its worth?
Last month, Steve White published a thought-provoking blog post titled, “Are you managing your data?” Ineffective data management can result in a data breach, and there are distinct, calculable costs when breaches occur. These costs are validated by organizations such as the Ponemon Institute and the PGP Corporation, global leaders in data protection and privacy management research.
In their fifth annual U.S. Cost of Data Breach Study, the Ponemon Institute and the PGP Corporation found a significant spike in legal defense spending. According to the study, breaches involving third-party organizations remained the most costly. Dentistry is not exempt: a third-party vendor disposed of dental records in a church dumpster, which cost one Indiana dentist $12,000 in fines.
When a breach occurs, it is already too late to think about the value of your data. (Remember the old adage about closing the barn door after the horse has escaped.) Just as we preach prevention to our patients, we must implement sound security policies and procedures to minimize and ideally prevent impermissible use or disclosure of patient information. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. The Security Rule requires covered entities to conduct an accurate and thorough assessment of the risks and vulnerabilities of protected health information [§164.308(a)(1)(ii)(A) and (B)]. Two of the implementation specifications are risk analysis and risk management.
Below is a framework for a risk analysis and risk management plan adapted from the Centers for Medicare and Medicaid Services (CMS) HIPAA Security Series. Follow these steps to evaluate your current processes or use them as a framework to conduct your analysis and risk management plan:
1. Gather information. Where is all your data located? Do you have outdated backup tapes at home? Who has access to your data – remotely and on-site?
2. Identify and document potential threats and vulnerabilities, such as environmental, human, natural or technological ones.
3. Determine the likelihood of those threats and vulnerabilities occurring.
4. Determine their potential impact and level of risk (high, medium or low).
5. Assess your current security measures. Your IT vendor is an important member of your virtual team. Review their scope of services and how well they understand HIPAA.
6. Based upon the information gathered in steps 1-5, develop and implement a risk management plan to prevent or reduce the likelihood of those threats and vulnerabilities occurring.
7. Implement security measures.
8. Evaluate, update and maintain security measures on an ongoing basis.
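The steps above are easier to apply once they are written down as a risk register. The following Python script is an added example, not part of the original post and not a CMS tool: it records where ePHI lives and who reaches it (step 1), the threat to each location (step 2), a likelihood and impact rating (steps 3 and 4), the safeguards already in place (step 5), and then ranks the register and lists the items a risk management plan must address first (step 6). The practice inventory, ratings and control names are constructed for illustration.

```python
"""Constructed ePHI risk register for a small practice (added example; hypothetical data)."""
from dataclasses import dataclass, field
from typing import List

# Steps 3 and 4: rate likelihood and impact on the same three-point scale.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str                                          # step 1: where ePHI lives / who reaches it
    threat: str                                         # step 2: environmental, human, natural, technological
    likelihood: str                                     # step 3: low / medium / high
    impact: str                                         # step 4: low / medium / high
    controls: List[str] = field(default_factory=list)   # step 5: safeguards already in place


def risk_score(likelihood: str, impact: str) -> int:
    """Multiply the two ratings, giving a score from 1 to 9."""
    return RATING[likelihood] * RATING[impact]


def risk_level(score: int) -> str:
    """Collapse the 1..9 score into the high / medium / low bands used in step 4."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order the register so the worst risks are addressed first (stable sort keeps input order on ties)."""
    return sorted(risks, key=lambda r: risk_score(r.likelihood, r.impact), reverse=True)


def management_plan(risks: List[Risk]) -> List[str]:
    """Step 6: one action item per high or medium risk that has no documented safeguard."""
    actions = []
    for r in prioritize(risks):
        level = risk_level(risk_score(r.likelihood, r.impact))
        if level in ("high", "medium") and not r.controls:
            actions.append(f"[{level}] {r.asset}: {r.threat} -> assign owner, add safeguard, set review date")
    return actions


# Constructed inventory for a hypothetical practice (not data from the article).
REGISTER = [
    Risk("practice-management server", "ransomware arriving by phishing e-mail", "medium", "high",
         ["offline backups", "e-mail filtering"]),
    Risk("backup tapes stored at the dentist's home", "loss or theft of unencrypted media", "medium", "high"),
    Risk("IT vendor remote access", "misuse of a shared remote-support account", "low", "high"),
    Risk("front-desk workstation", "theft of the device", "low", "medium",
         ["cable lock", "full-disk encryption"]),
    Risk("server closet", "flooding from plumbing above", "low", "low"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        s = risk_score(r.likelihood, r.impact)
        print(f"{risk_level(s):6} {s}  {r.asset}: {r.threat}")
    print()
    print("\n".join(management_plan(REGISTER)))
```

Run as a script, it prints the ranked register and then the two open items a plan would need to cover: the unencrypted tapes kept at home and the vendor's shared remote-support account. The server's ransomware risk scores just as high but already has documented controls, so it is tracked rather than added to the plan; step 8 is the recurring review in which those controls are checked and the ratings updated.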
Protecting patient data is more important than ever. A breach not only impacts your patients through potential identity theft; it impacts your good reputation – another valuable intangible asset. Set aside time and resources in order to ensure valuable patient data is well protected.