Justin N. Joy is an attorney at Lewis Thomason who has represented OMSNIC (leading provider of malpractice insurance for oral & maxillofacial surgeons) members in data breach cases and specializes in data breaches and compliance.
Covered entities are required to completely and accurately assess the potential risks and vulnerabilities to the security of ePHI held by the practice. In order to meet its obligations for thorough and accurate assessments, a dental practice needs to engage a company with the requisite expertise and capabilities in information security.
IT firms and managed service providers are good at keeping your practice's network, desktops, and applications running on a day-to-day basis. In most instances, however these firms lack the expertise to assess and identify vulnerabilities resulting in risk to your practice's data. It is simply not their area of focus. Additionally, from an audit perspective, if your IT firm engineered and setup your network environment, an independent party is necessary to examine the work and provide feedback to you, the client, as to the security posture and vulnerabilities within the environment.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces HIPAA, requires that the assessment of your practice's risk and vulnerabilities be documented. If you are relying on a company that does not have expertise in information security to identify and assess technical vulnerabilities, not only are you potentially exposing your practice to considerable security risk, you are also likely not meeting the HIPAA Security Rule requirement for identifying and assessing all vulnerabilities to your ePHI.
The requirement of a proper security risk analysis has been a focus of recent resolution agreements between OCR and covered entities found to be in violation of the HIPAA regulations. Specifically, a common refrain in these resolution agreements which settle--in many cases for millions of dollars--potential enforcement actions for HIPAA violations is the covered entity's lack of a risk analysis taking into account all aspects of an organization's ePHI environment. Companies conducting independent cybersecurity audits will work with your practice's IT vendor to understand your group's network environment but then take an exacting view of vulnerabilities within your system that may result in significant risk to your patients' ePHI.
Groups must also be mindful of their requirement to analyze their risk and vulnerabilities on an on-going basis. Here again, an audit by an independent firm is not only valuable but, in many cases necessary, to reduce risk to your practice's data and meet regulatory requirements. The Security Rule requires that assessment documentation must be updated any time there is an environmental or operational change potentially affecting the security of your group's ePHI. Given the never-ending proliferation of cyber threats, these environmental changes are on-going and the assessment of the risk to your group's the PHI as a result of any vulnerabilities in the face of these threats must be on-going as well.
Finally, a result of the audit process is a document that can be used to manage your practice's risk and vulnerabilities. In addition to the requirement of analyzing risk to your ePHI, dental practices are also required to implement reasonable security measures to manage and reduce vulnerabilities. The obvious question is how can a group put any reasonable security measures in place if they do not know what the vulnerabilities are that require the security measures. As with risk analysis, this is also an on-going process. Specifically under the HIPAA Security Rule, covered entities are required to review and modify their technical controls in order to continue the provision of reasonable protection of ePHI and update the documentation of such efforts.