Of the major threats that we see our customers presently facing, the most damaging of them is a breach of patient records. Unlike the cyber attacks that we read about regularly that center on elaborate, well-planned attacks perpetrated by a team of cyber criminals with an elite set of skills, what we are talking about is a common criminal breaking and entering your office, snatching the office server filled with your patients’ records and exiting long before the authorities arrive.
In fact, theft is the leading cause for major data breaches in the U.S. If you add together all the major data breaches caused by hacking, loss, unauthorized access/disclosure and improper disposal, it will not equal the number of major breaches caused by theft. Understand that theft is defined as theft of a piece of hardware.
When we were first made aware of these thefts, early this year, I assumed that the motivation was due solely to the value of the health records … I was wrong. The identity thieves seem more interested in valid Social Security numbers and corresponding date of birth as was reported on a “60 Minutes” segment first aired on September 21, 2014, and then again on June 28, 2015. To better understand the level of this issue I do recommend that you Google the “60 Minutes tax refund scam.” What we learned from this report was that dental is being called out as the low hanging fruit for identity thieves seeking to feed the very large and rapidly growing demand for valid Social Security numbers and corresponding date of birth.
The lack of data management in regards to data security in the average dental office combined with the thousands of valid Social Security numbers and date of birth on file has made dental offices a prime target by identity thieves.
As serious as a break-in at an office is, the real issue is the breach of protected health information (PHI) by removal from your office without being properly protected. This theft then falls under the HIPAA Breach Notification Rule and if more than 500 individuals’ records are impacted then it is a major breach. The rules governing a major breach and the actions required are clearly laid out on the hhs.gov website. I strongly suggest that if you have not already done so, you visit this site and fully familiarize yourself with the rules and your responsibility.
HIPAA Breach Notification Rule (hhs.gov)
The good news is that there are a number of easy and affordable steps that can be taken to greatly reduce the risk of having your data physically stolen. In addition, steps can be taken technologically so that should there be a theft the data will be properly secured, making it a non-reportable event under present HIPAA rules.
To answer the opening question, yes, your office is a target for a data breach. To better understand your risks and the options available to reduce them, it is strongly suggested that you have a Data Security Assessment (a $199.99 value) done on your system. For Patterson Dental customers this assessment is being offered at no charge.
For more information or to schedule a Data Security Assessment, please write to assessment@ddsrescue.com or phone 800.998.9048, ext. 102.