Dentists have been moving toward using the cloud to store patient data, making files more easily accessible, saving money over other storage methods, and giving patients expanded access to data. But the cloud also comes with its own set of security risks -- ones that dentists have to be aware of so they can protect themselves against a data breach.
One reason cloud data are prone to hacking is that patient information is valuable on the black market. It's up to practices to ensure that patient data are safe.
"When we talk about cloud storage and dental, we're really talking about complying with certain regulations like HIPPA and protecting patient health records and storing things like x-rays and insurance information," Ali Oromchian, JD, founding attorney of Dental Medical Counsel, said. "Historically, most dental practices have had to create these complex, arcane technology solutions. The benefits of going to the cloud are pretty obvious."
A history of safeguarding data
Dental practices have been seeking effective ways to store records for a long time, according to Arthur Curley, JD, a lawyer at Bradley, Curley, Barrabee & Kowalski, which specializes in defending oral surgeons and dentists.
"For years, you were responsible to safeguard your records, and many states require a digital backup of your office records and off-site storage," he said.
That desire for effective storage led many dentists to store a backup of files on a drive that would be taken home at the end of the day or put into a safety deposit box. But owing to some factors, such as climate change and poor weather, some dentists lost their backups. As a result, dentists increasingly see storing records on the cloud as a better option, which leads to new risks.
"Now cloud storage becomes more of a problem," Curley said. "You have a strong legal obligation to prevent unauthorized access to those records."
The biggest issue for dental practices looking to store information online is ensuring the data are kept secure, Oromchian said.
"When it comes to cloud storage, there's a lot of misconceptions in dentistry in regards to what --and if there's anything at all -- they need to do to protect their data," Oromchian said. "A lot of times people aren't focusing on it and are assuming the vendors they are using are doing what they need to do for compliance."
Curley added that in addition to making sure information is secure online, it also has to be ADA compliant. The biggest difficulty for practices is making sure the information is secure, or they risk large fines and compliance issues.
"People who don't do that, then they get to talk to me," Curley said.
Common security mishaps
While no one wants security breaches and patient data leaks, these events do happen. Just this year, the ADA was hit by a cyberattack that paralyzed its operations for weeks.
"The risk of going to the cloud really falls into a couple of categories," Oromchian said. "One is the company that is storing the patient information. Are they following the normal privacy and security rules? A lot of them don't -- or they say they do, and maybe they do, maybe they don't."
Curley called "inadequate maintenance and update of passwords" the most common security threat and said that not requiring strong passwords is a "big deal."
He added that the current work environment with high staff shortages and turnover is further causing security issues. Curley has seen current and former employees go into office systems to write off a bill and leave the system open.
"Having staff leave and being able to remotely access records, and they don't change the password when staff leave, [is an issue]," Curley said. "Especially with COVID, we have a lot of remote work going on, which is fine until the staffer leaves."
The most common issue Oromchian has seen is the result of dentists or their staffers clicking on phishing emails. With a phishing scam, a cyberattacker sends a fake message with the goal of getting the receiver to reveal information or click on something that allows the phisher to install malicious software on the receiver's computer.
"That is probably the No. 1 culprit right now [of security leaks]," Oromchian said. "It opens a back door for folks to get into the computer system and pull the data. And doctors don't know that the patient data have been compromised."
Some phishers ask for ransoms, Oromchian added, while others sell the data on the black market.
"I tell my clients if that has happened to you, you have to assume that all of your data have been compromised," Oromchian said.
Not just cyberthreats
Physical breaches still happen as well, where people break into offices and steal something like a server or documents where passwords are stored that allow them to access patient data.
Oromchian said that before the pandemic, he saw a lot of online hacks, while now he is "seeing a lot more physical attacks, where people are breaking into offices."
Curley called medical records "the single most valuable record you can sell on the black market," adding that these records contain Social Security numbers, background on patients, and lots of personal identifying information.
"That's why it has to be protected," he added.
When lawyers get involved
When data are compromised, lawyers get involved. Every patient who has had their data compromised has to be notified, and forensic experts are called in to determine the scope of the breach. The federal government must also be notified.
"All you need is a breach or two and someone makes litigation," Curley said. He added that in states like California, there is a minimum of a $4,000 fine if someone can prove that their privacy was violated plus real damages and attorney fees.
Many practices end up paying much more than $4,000. Oromchian said he represented a pharmacist who got a "slap on the wrist" over a first-time breach but had to pay more than $400,000 over a second breach.
He added that many practices must also pay for a year of free credit monitoring for patients in addition to fines. And many lose patients who do not want to continue using a dentist who did not appropriately safeguard their data.
"For most of our clients, they are their company. What they pay out of their practice comes out of their own pocket," Oromchian said. "What makes me sad a lot of times is once the patients are notified, there's a really big lack of trust that develops, and as a result, we see a lot of times that patients just change providers. So in addition to paying big, big penalties, they are losing patients and business."
Prepare today to prevent catastrophe tomorrow
The experts agree that the best way to protect yourself is to have a secure system.
"Make sure your IT people have insurance," Curley advised. "It's not your 16-year-old son who screwed it up. You need bonded, licensed IT people."
He added that passwords should be 10 digits long and changed every month. And hints should not make the password easy to guess.
Curley added that the biggest problem is that people "get lazy" and don't take security seriously, don't regularly change passwords, or don't check that their IT team is handling things.
"I get involved when people don't follow standard protocols," he said.
Oromchian said offices need to conduct risk assessments to better understand the issues. He added that practices could also consider buying cybersecurity insurance, which is "relatively inexpensive and a good thing to have" to protect themselves.