714.505.9000 cpas@hmwccpa.com

The belief that your IT provider makes your office bulletproof is a common misconception, and it recently haunted over 400 dental providers throughout the US. The IT provider itself was hacked, and 400 of its clients were hit with ransomware through it. Ransomware wreaks havoc on any network and closes a business until the network is repaired, but healthcare providers face a further exposure: civil penalties of up to $1.5 million a year under HIPAA, and more in criminal penalties.

Many healthcare providers assume an IT provider can get a practice running again in a few hours at most, but that rarely happens. If you are one of the 400 offices that was attacked, you are waiting for one of the reps to come and fix your network. If you are lucky, you are one of the first offices repaired. Worst case, you are the last, and if the data backup was set up incorrectly, your data is gone. A backup that has never been test-restored, or that the ransomware can reach and encrypt along with everything else, offers no protection when you need it. During this time you have lost the ability to review any patient files or history, or to access any files or programs on your computers (practice management software, documents, images, X-rays and more).

Many IT providers are great at setting up networks, including a data backup solution, antivirus software, and patching, but they are not responsible for staff training, documented policies and procedures, cyber insurance policies, or notifying your patients under the breach notification laws. IT providers fulfill one half of your responsibility; you need to be thinking about the other half. OfficeSafe™ bridges the gap to fulfill the administrative requirements and works with your IT provider to ensure you and your office are fully protected.

Healthcare providers often assume that meeting with the team once a year and having a conversation about HIPAA fulfills the training requirements, but HIPAA is much more specific. The Department of Health and Human Services' Office for Civil Rights (OCR) requires custom written policies, proof that your employees are trained and understand their roles in the office, and more. The purpose of staff training is to inform your team, but it is also a critical step in protecting you and your practice from penalties when human error is the cause of an incident.

Additionally, we recommend protecting your office with a cyber insurance policy. Civil penalties from Health and Human Services can reach a maximum of $1.5 million a year. With user error being a major cause of ransomware infections, this is a crucial step in protecting your practice. Recently, a client experienced a ransomware attack. Sadly, her data backup had been set up incorrectly and she was forced to pay the ransom. The aftermath was a $199,484 bill for legal, forensic, and ransom costs. Luckily for the doctor, the cyber insurance policy through OfficeSafe™ financially protected the practice and kept it from bankruptcy.

What is considered a data breach? It can be as simple as sending a file to the wrong patient or as severe as a ransomware attack. The more important question is this: in the event of a data breach, is your staff trained on the next steps? What would you do first? Will there be civil and criminal penalties? Are you still able to access patient files?

These are some of the concerns we want to help you answer. The first step in reducing possible fines and vulnerabilities is completing the mandatory annual HIPAA Risk Assessment. We have partnered with PCIHIPAA to offer you a FREE HIPAA Risk Assessment and 30-minute consultation ($750 value).

Take your FREE HIPAA Risk Assessment today: www.pcihipaa.com/wiederman

Guest Author: Danielle Mckinley, PCIHIPAA
