Data Protection Accountability Checklist

Keeping up with computer security makes good business sense. The modern practice relies heavily on computer systems for daily operation, and downtime equates to lost production. Unless you're on an "all you can eat" IT support plan, downtime also means additional expenses. You need to minimize downtime. You have compliance obligations operating a covered entity subject to HIPAA regulations (there's plenty written on that). Any responsible practice wants to protect its information. Keeping up is a must in the modern practice to prevent downtime, protect data, and meet compliance obligations.

So why are many dental practices still behind when it comes to computer security? For many, the root cause is security fatigue; a weariness or reluctance to deal with computer security. A recent study by the NIST found that most people are reluctant to deal with computer security. You and most of your employees likely have some level of security fatigue. Security fatigue is a threat to users at home and in the office. The study reports causing factors to be decision fatigue, the belief that your data is not important, and the feeling that protecting data is someone else's problem. Security fatigue makes people feel out of control and ultimately leads to poor decision making and taking the easy way out. Do you recognize this in yourself or your employees? Even your IT people are not immune.

The best way to combat security fatigue is to limit the number of decisions that people have to make. Automate everything you can and implement policies and training so decisions are automatic and not burdensome.

In hopes of making things easier for practice managers, I'm providing a basic accountability checklist to use with your IT administrator and/or provider to make sure basic security is in place or in progress. This list is derived from an amalgamation of baseline requirements for cyber-liability insurance and industry best practices. If you have addressed the items below, then your data is well protected. You will likely qualify for a cyber-liability policy, and you will likely show well in the technology portion of your HIPAA risk assessment.

Cover each of the following areas with your current IT resources so you know where your practice stands. Unless indicated with an asterisk (*) you should consider these items required.

Anti-virus is not an option and neither is monitoring it
   - Automatic updates?
   - AV monitoring?

Fast Patching
   - OS (Windows) security patches installed immediately?
   - Patch health monitoring?

Advanced Threat Protection / Business Grade / Next Generation Firewall (terminology is evolving in this category as is device complexity)
   - Does your firewall require an update subscription and is it active? If your firewall doesn't offer an update subscription, it may not be able to mitigate modern threats. Because of the ever-changing threat landscape, serious security vendors update their products regularly to keep up.
   - Are you filtering web-browsing activities? *Can boost productivity as well as increase security

Backups
   - Are backups complete?
   - Are backups encrypted in motion and at rest?
   - Has a test-restore been performed recently?

Encryption
   - Where is encryption in use on your network? *Highly recommended for PHI

Proper Disposal
   - Are all storage devices containing PHI sanitized or destroyed when retired?
   - Is sanitization documented?

Acceptable Use Policy
   - Do you have a policy that is periodically reviewed with your staff? Giving employees clear direction on the dos and don'ts for your network can combat security fatigue. A good AUP is a cornerstone for the culture of security in your practice.

I hope this is useful and gives you a simple high-level way to check in with IT. Ideally, your IT people will produce reports demonstrating they are on top of things. It's important to consider that data protection is not as simple as buying a device. It's an ongoing effort.

Some final thoughts on managing technology for dental practices. It makes the most sense for practices to hire a qualified IT service provider to take care of infrastructure today. A team with many certifications and specialties and a focus on IT for dentistry should provide the best result. In my experience, the 1-2 person operation cannot cover an ever-growing subject matter or afford the tools that make them hyper-efficient. The practice management software providers that add on IT services focus on their product and regularly ignore the broader landscape. The Dental Integrators Association is a good place to start a search for a qualified IT provider.


John Moore, President of Advanced Automation, Inc.

John Moore is a technology, focused entrepreneur with a broad, practical background in technology. He is the president of Advanced Automation, Inc., a managed service provider for private practice healthcare; a partner and CTO for cookswarehouse.com, an online gourmet retailer; co-founder of myts3.com, an online community for the residential construction industry; and a partner in mapwellbeing.com, online tools for personal and team wellbeing. John is also a founding member of the Dental Integrators Association.

John can reached at or call 800-942-4043