5 Ways to Protect Your Patient Data

How are you protecting against ransomware in your dental office? Courtesy of Practice Mechanic Rick Garofolo, here are several ways to keep your patient data safe.

As I am sure you already know, a large number of dental offices were recently hit with a ransomware attack. This attack was through a company offering back up services to dentists directly. That company has a good reputation (before the attack) and did almost everything right. They knew what they were doing, had safeguards in place, and in most cases were able to respond with the right answers. If a technology company that knows the safeguards and actually has them in place can get hit, what does that say about the dental offices out there that don’t have the right safeguards in place?

I recently read an article published by a trusted security compliance specialist that stated an estimated 85% of dental offices have had a breach in their network but don't know about it. Why? Because they lacked the required monitoring systems that would catch it. Remember, security is like an onion or Shrek: it's about layers. Nothing is 100% guaranteed when it comes to network security. However, the more layers you have, the better your chance at preventing a virus, ransomware attack, or breach.

Ways to Prevent Ransomware Attacks

Policies and Procedures

Have policies and procedures for using your network. This is required by HIPAA, but so few offices do it correctly. And to be clear: going to take a HIPAA course at the state association meeting is NOT compliant training. Your training has to be on your office’s site-specific policies. If you don’t have those policies in place, you can't train your team on them. And they can’t follow the rules if they don’t know them!

Email Policies

Make sure your email policies have you covered. Use a professional email system, including encryption. Free Gmail, Yahoo, and AOL accounts are NOT compliant. They store your patients’ PHI on their servers and its your job to NOT allow that. Get a complaint email system like Office 365.Also, make sure your team knows they CANNOT check their personal email from your computer network. Many of the personal emails we get each day are phishing emails, designed to get your info, get you to click on a link to install a virus, download a pic that is actually ransomware, etc. Just remember that these are work computers and should NEVER be used for personal activities.

Endpoint Protection

Ensure that you have endpoint protection. This will act not only as a beefed up antivirus, but also detects abnormal network activity. Monitoring your network is a requirement under the Security Rule, and this is one of the easy ways to do it.

Security Patches

Make sure your systems are up to date with security patches. This is why I pay my IT company every month. They ensure that all updates are done not only for Microsoft and any practice management software, but for all devices, drivers, and firmware as well, AS REQUIRED BY HIPAA. This is why Windows 7 is falling out of compliance at the end of the year: there are no more security patches or updates.

Think of your network like a hallway with 1000 doors. Some are open, most are closed. As companies release the patches and updates, they are closing doors that people can get in to. If you don’t do the update, you leave that door open even after someone told you to close it.


Frequently back up your system! Use a system that backs up to the cloud and local copies. Save more than a day’s worth of backups, as some viruses can lay dormant for days, weeks, or months even before being “activated." You want good, solid backups and you want to test them regularly. A backup is no good if it is corrupt, unreadable, or otherwise unusable. Test them OFTEN, at least monthly and be sure to document the results of the tests.

With just a few changes to your everyday practices you can drastically reduce the chances of having a breach event. Remember: nothing is 100%. Even the Secret Service has said that if someone is willing to trade their life for another's, no amount of training can stop it. We just need to create layers of security to make it tougher on the hackers, and easier for us to recover from if it does happen.

Learn more about how RevenueWell improves case acceptance and creates more close-knit relationships between dentists and their patients.