7 steps dental offices can take to protect and secure their data

7 steps to protect and secure your data

April 11, 2025
Protecting the data in your dental practice should be top of mind for all dentists. But this gets more complicated every day. Here's how to stay up-to-date with the rapid changes.

As anyone who runs a dental office knows, there’s been a paradigm shift in our focus during the past 10 years. While maintaining business systems such as insurance and new-patient acquisition is still very important, in my opinion, the focus is now on the patient data that resides in the practice.

We’ve shifted away from paper records and most patient data is now in electronic formats. Protecting and securing that data is the highest priority, and there are numerous federal guidelines, especially HIPAA, that further complicate this process.

I’ll evaluate the top seven things you must do to protect your patient information and avoid major HIPAA violations. Future articles will take a deep dive into each one of these.

1. Risk assessment and management plan

Most dentists will not treat a patient until they have diagnosed them and created a treatment plan. The approach to securing your data and becoming more HIPAA compliant should follow the same course. How can you know where the practice is at risk unless you take the time to thoroughly evaluate your IT systems for that risk?

This is normally a long process that takes many hours. I caution practices about some of these online evaluations that can be completed in less than 15 minutes as they are not specific to your practice and won’t generate a plan for risk remediation, which is a critical part of this process. Risk assessment should be completed on an annual basis and any new risks should be addressed as quickly as possible.

2. A business-class firewall

Firewalls are typically a first line of defense against viruses and ransomware and should be installed in every dental office. While almost every cable modem has a firewall included, these are usually very rudimentary. Business-class firewalls allow for more customization, and many of them allow you to include an antimalware subscription that can be updated regularly. Firewalls control outbound data flows and prevent malware from getting into the office.

3. Antivirus and anti-ransomware software

Ransomware is the most well-known malware that dental offices need to protect against. These viruses lock and/or steal your patient data, and require you to pay a fee, or ransom, to unlock the patient files. I highly recommend you have systems in place so that you never pay the ransom (more on this below). Even in the best-case scenarios, it’s very rare to recover 100% of your data; the national average is below 70%.

4. Firewalls and anti-ransomware concerns

The concern with firewalls and anti-ransomware software is that many of the new viruses are what’s known as zero-day—they are so new that your firewall and antivirus software won’t recognize them as malware and won’t be able to deal with them.

A newer approach to stopping ransomware has emerged called application whitelisting. The principle behind this is that you create a list of all the approved software on your network, and these programs are allowed to run normally. If a program that isn’t on this approved list tries to run, it’s stopped in its tracks and cannot run unless you manually approve it. All viruses and ransomware are just small programs, a series of instructions that tells them what to do. I have yet to see a dental practice that runs application whitelisting be hit with any type of ransomware virus.
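Here is what the allow-list principle looks like in practice on Windows, using the built-in AppLocker feature. This is an added example, not code from the article or from The Digital Dentist: it inventories the software already installed on a clean reference workstation, turns that inventory into rules, runs the rules in audit-only mode so you can see what would have been blocked, and only then enforces them. The policy file location is an assumption; run it in an elevated PowerShell on an edition that supports AppLocker (Windows 10/11 Enterprise or Windows Server).

```powershell
# Added example (not from the article): build an AppLocker allow-list from a
# known-good workstation, audit first, then enforce. Requires an elevated
# prompt and an AppLocker-capable Windows edition. $PolicyPath is assumed.

$PolicyPath = 'C:\ProgramData\AllowList\applocker-policy.xml'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# 1. AppLocker does nothing unless the Application Identity service is running.
#    (It is a protected service, so sc.exe rather than Set-Service is used.)
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Inventory every program, installer and script installed on this machine,
#    which includes the practice-management and imaging software folders.
$dirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$files = foreach ($d in $dirs) {
    if (Test-Path $d) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe,WindowsInstaller,Script
    }
}

# 3. Turn the inventory into rules. Signed files get publisher rules (they keep
#    working after vendor updates); unsigned files fall back to SHA-256 hash
#    rules, so a modified or unknown binary does not match. -Optimize merges
#    rules that cover the same publisher.
$policyXml = $files | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml

# 4. Deploy in audit-only mode: nothing is blocked yet, but every program that
#    is NOT on the list is logged as if it had been.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyXml | Out-File -FilePath $PolicyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 5. After a few days of normal use, review what would have been stopped.
#    Event 8003 = "allowed, but would have been blocked under enforcement".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 6. Check a specific file against the policy before switching to enforcement
#    (replace the path with a program you want to test).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "$env:TEMP\program-to-check.exe" -User Everyone

# 7. Enforce. From now on anything not on the list is stopped and logged as
#    event 8004; approving a new program means adding a rule and re-applying.
$enforced = $policyXml -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"'
$enforced | Out-File -FilePath $PolicyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

The audit step is the part practices most often skip, and it is what keeps the allow-list from breaking the practice-management software on day one: the 8003 events show exactly which updater, plug-in or scanner driver still needs a rule. Once enforced, a ransomware payload that arrives by email or a web download is, as the article says, just an unlisted program, so it fails to run and shows up in the log as an 8004 event instead.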

5. Backup and disaster recovery system

If you talk to five IT providers, you’ll get five different suggestions on how to back up your data. I believe you must take a two-pronged approach. Ninety-nine percent of all data restores are from the local backup, so recovery speed should be the priority. The best method is to create an “image” of your server—an exact copy of the server including the programs and network settings—so that you can quickly create a virtual copy of the server should the main server go down.

However, that local backup won’t help you if there’s a fire, flood, or theft. In those cases, you must have an off-site copy of the data. The easiest way to do this is with a cloud backup, which automatically creates backups in secure locations online. A backup is your last line of defense against ransomware as you can restore that data to avoid paying the ransom.

6. Patch management

It’s critical that you keep your software and systems current. While you can try to do this manually, it’s incredibly time consuming and expensive. Most IT providers offer managed services, which is a fancy way of saying automation, where software can be patched and updated on a predefined schedule. Many of these managed-services tools perform other functions, such as alerting you to major risks and housekeeping chores such as cleaning out temporary internet files.
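The two points above, that the local image backup must actually be recent (step 5) and that patches must actually be applied (step 6), are the kind of thing a managed-services tool alerts on. As an added example that is not code from the article or from any provider, here is a small daily check a server can run itself with built-in cmdlets: it reads the last successful Windows Server Backup run, looks at the newest installed update, and notices a reboot that is still pending. The thresholds and the report path are assumptions, and the backup part requires the Windows Server Backup feature on the machine it runs on.

```powershell
# Added example (not from the article): daily check that the local image backup
# and the Windows patch level are both current. Thresholds and $Report are
# assumptions; Get-WBSummary needs the Windows Server Backup feature installed.

$MaxBackupAgeHours = 24      # assumed: one image backup every night
$MaxPatchAgeDays   = 45      # assumed: monthly patch cycle plus a testing window
$Report            = 'C:\ProgramData\HealthCheck\status.log'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null

$findings = @()

# --- Backup: Windows Server Backup keeps the last successful run in its summary.
try {
    $wb        = Get-WBSummary
    $backupAge = (Get-Date) - $wb.LastSuccessfulBackupTime
    if ($backupAge.TotalHours -gt $MaxBackupAgeHours) {
        $findings += "BACKUP: last successful image backup was $([int]$backupAge.TotalHours) h ago (limit $MaxBackupAgeHours h)"
    }
    if ($wb.LastBackupResultHR -ne 0) {
        $findings += "BACKUP: last backup job returned error code $($wb.LastBackupResultHR)"
    }
} catch {
    $findings += "BACKUP: Windows Server Backup is not installed or gave no summary ($($_.Exception.Message))"
}

# --- Patches: Get-HotFix lists installed updates; the newest InstalledOn date
#     shows when this machine last received anything at all.
$newest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $newest) {
    $findings += 'PATCH: no installed updates are recorded on this machine'
} elseif (((Get-Date) - $newest.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
    $findings += "PATCH: newest update $($newest.HotFixID) was installed $($newest.InstalledOn.ToShortDateString()), more than $MaxPatchAgeDays days ago"
}

# --- An update that is waiting for a reboot protects nothing yet.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
    $findings += 'PATCH: a reboot is pending; installed updates are not yet in effect'
}

# --- Record the result; a non-zero exit code lets Task Scheduler or a
#     monitoring agent treat a WARN line as an alert.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'
if ($findings.Count -eq 0) {
    Add-Content -Path $Report -Value "$stamp OK backup and patch status within limits"
} else {
    Add-Content -Path $Report -Value ("$stamp WARN " + ($findings -join '; '))
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Schedule it with Task Scheduler shortly after the nightly backup window. It deliberately checks only the local image backup; the off-site cloud copy the article calls for lives with the backup vendor, and its job status has to be checked through that vendor's console or reporting, not from the server.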

7. Encryption

The worst thing that can happen to a dental practice from a HIPAA standpoint is a breach notification, where you have to send letters to every patient of record to notify them of a breach, such as a lost laptop or external drive. There is one get-out-of-jail-free card, and that’s encryption; if you encrypt your data and have evidence of that, you are exempt from having to declare a breach. The other good news is that all versions of Windows from 10 on and Windows Server from 2012 on have free built-in encryption software called BitLocker. Encryption also applies to email; there’s no reason not to use an encrypted email system when communicating with patients and referring offices.
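The phrase that matters in that paragraph is "have evidence of that": when a laptop goes missing, you need to show that its drive was encrypted and protected at the time, not just that BitLocker exists. As an added example (not code from the article), the script below turns BitLocker on for the system drive with the TPM, adds a recovery password and stores it away from the machine, and then writes a dated CSV snapshot of every volume's protection state that you keep as that evidence. The evidence folder and the escrow share are assumptions; run it elevated on Windows 10/11 Pro or Enterprise, or a Windows Server with the BitLocker feature installed.

```powershell
# Added example (not from the article): enable BitLocker on the OS drive, escrow
# the recovery password, and capture a dated evidence record of encryption
# status. $EvidenceDir and $Escrow are assumptions; run from an elevated prompt.

$EvidenceDir = 'C:\ProgramData\EncryptionEvidence'     # assumed location
$Escrow      = '\\fileserver\Secure\BitLockerKeys'      # assumed UNC path; restrict its ACL
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

$os = Get-BitLockerVolume -MountPoint $env:SystemDrive

# 1. Encrypt if the drive is still plain. XTS-AES-256 is the current default-
#    strength choice; -UsedSpaceOnly is fine for a freshly imaged machine, drop
#    it for a drive that has held patient data unencrypted for a long time.
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# 2. A recovery password is what lets you read the drive after a TPM or board
#    replacement. It must live somewhere other than the laptop itself.
if (-not ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
}
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
"$env:COMPUTERNAME,$($rp.KeyProtectorId),$($rp.RecoveryPassword)" |
    Out-File -FilePath (Join-Path $Escrow "$env:COMPUTERNAME.txt") -Encoding UTF8
# On a domain-joined machine, escrow the key in Active Directory as well:
# Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $rp.KeyProtectorId

# 3. Evidence: a dated snapshot of every volume. For the breach-notification
#    question it is the rows with ProtectionStatus = On, and their capture
#    dates, that you will be asked for, so keep these files.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Get-BitLockerVolume |
    Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, MountPoint, VolumeStatus,
                  ProtectionStatus, EncryptionMethod, EncryptionPercentage,
                  @{ n = 'Captured'; e = { Get-Date -Format 's' } } |
    Export-Csv -Path (Join-Path $EvidenceDir "bitlocker-$env:COMPUTERNAME-$stamp.csv") -NoTypeInformation

# 4. Read-out for the person running it.
Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod -AutoSize
```

Two things are easy to get wrong here. ProtectionStatus can be Off on a drive that is FullyEncrypted (protection suspended for a firmware update and never resumed), and that state does not give you the safe harbor, so the snapshot records both columns. And the recovery password file is itself a key to patient data: the share it is written to needs an access list limited to the people who restore machines, which is why the escrow path is marked as something to lock down rather than a detail to fill in later.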

Running a dental practice has become significantly more challenging in the digital era. There’s nothing more valuable to a practice than patient data, and it’s critical that you follow best practices to secure and protect that data to the best of your ability.

Editor's note: This article appeared in the April 2025 print edition of Dental Economics magazine. Dentists in North America are eligible for a complimentary print subscription.

About the Author

Lorne Lavine, DMD

Lorne Lavine, DMD, founder and president of The Digital Dentist, has more than 35 years in the dental and dental technology fields. He established TDD, a company that focuses on the specialized technological and HIPAA needs of the dental community, in 2002. As a consultant and integrator, Dr. Lavine has extensive experience with most practice management software, image management software, digital cameras, intraoral cameras, computers, networks, and digital radiography systems. He writes for many industry publications and lectures across the country. He is also the former technology consultant for the Indian Health Service.
