During a November webinar hosted by Becker’s Healthcare and sponsored by Rectangle Health, executives from five dental organizations discussed approaches and best practices their teams are taking to address such risks. Panelists were:
- Sandro Blaslov, vice president of engineering and development, Rectangle Health
- Brian Doyle, vice president of enterprise, Rectangle Health
- Michael Irving, COO, Community Dental Partners
- Daniel Mirsky, vice president of information technology, Sage Dental
- Abhinav Rastogi, CEO, SmilePoint
- Bruce Schmidt, CIO, Dental Associates
Four key takeaways:
- Having routines in place for identifying data vulnerabilities is crucial. Those include weekly data loss prevention reviews, Active Directory audits and secure email protocols for sending revenue cycle management claims. Also important are quarterly risk assessments of the overall infrastructure, in which the effectiveness of technology- and process-based controls is weighed against potential risks. It is also essential to periodically run data backups, test restores and aggregate firewall data “so that we can home in on where our problem areas are and address them quickly,” Mr. Mirsky said.
“One of the principles I emphasize a lot is ‘assume that you’re compromised’ and imagine how the hackers got in and what they are after, then fix that so that it doesn’t actually turn into a real compromise,” Mr. Irving said. He underscored the importance of after-action, or “postmortem,” reviews.
- Common data vulnerabilities often get overlooked. The contexts in which some data vulnerabilities occur are so common that cybersecurity staff may neglect them. An example is manual entry of sensitive data, such as saving customer credit card details in Excel files — an occurrence Mr. Rastogi recalled witnessing at his company, which set off “alarm bells” and led to using a third-party payment platform.
“A lot of times data vulnerabilities are the result of process vulnerabilities,” Mr. Schmidt said. “Making sure you’re protecting your administrator accounts, setting up new employee accounts with multifactor authentication and terminating old employee accounts in a timely manner are ways to avoid having such gaps.”
- Educating employees about cybersecurity threats is a must. Equipping staff with the knowledge to detect instances of malware, ransomware and other risks does not have to be complicated. It may involve showing them short educational videos, highlighting cases of security breaches in the news or reminding them to avoid using open Wi-Fi. “One thing I’ve seen that works is when cybersecurity-related messages are sent from the C-suite, people really pay attention,” Mr. Blaslov said.
- When it comes to identifying vendors, discernment is key. Selecting vendors of information management systems that can reliably protect health and financial patient data requires ensuring they are HIPAA and PCI compliant, mature in terms of having deployed various products and not just coming out of beta testing, forthcoming about their prior cybersecurity compromise history, and capable of acing the same evaluations that dental organizations put their own teams through.
“The big four things that we look at are whether a vendor’s piece of software is built for scale, do they have experience in the specific area, do they have all the certifications that are required and do they want to become a partner at the level of becoming an extension of the organization,” Mr. Doyle said about Rectangle Health’s approach to evaluating potential vendors.