Security First Steps

Let's talk about first steps in security. First and foremost, everyone in your office has to buy in. This isn't something you can just assign to the office manager or an IT person. A top-down approach is needed. One thing also: let's talk a little bit about security terminology, just to give you a basic understanding of what's what. Specifically threats, vulnerabilities, and risks. A threat is something that has the potential to cause harm, and a vulnerability is the potential opening that a threat can use, or "exploit," as it's called, to cause harm. For example, a vulnerability may be an open window. The threat could be a burglar. Now the risk, essentially how likely this burglar is able to use the open window, might depend on something like where the window is. Is it on the first floor or is it on the 51st floor?


Now controls, also referred to as countermeasures or safeguards depending on how they're used, are what are used to secure something against the threats; effectively blocking off the vulnerabilities so that threats can't take advantage of them. Now they're broken into three basic categories. There's physical, administrative and technical. Physical, stuff like gates, door locks, guards; administrative is in effect paperwork, but it's actually very valuable stuff. That's written policies, written procedures, which are actually very useful because they give sort of a baseline for "when this happens, this is how you respond to it," that sort of thing. And then technical protection is stuff like antivirus software, firewalls, intrusion detection systems, and a whole bunch of other things with really complicated sounding names. So next thing you want to do, we mentioned administrative security controls. You want to create relevant policies. Now organizations will create policies to suit their needs and a few common ones might be something like an information security policy, an Internet access policy, an acceptable use policy and a number of security and privacy vendors offer HIPAA compliant policy templates online.


A lot of them are free. The only thing is, as you're taking them down, you do have to fill them in, because they're going to have a lot of blanks. You've got to make sure it fits your office's needs and uses for data. Also, business associate agreements are key. These are done with anyone who's basically handling any PHI for you: consultants, vendors, etc. You've got to make sure you've got this because this lays out how the data is handled, who's responsible for what, etc. Next thing you want to look at is risk management, and the first step is a security risk assessment, which is required under HIPAA's Security Rule. HHS has guidance on this. I'll put a few links to this in the notes. Next you want to look at something called data classification. Data classification is really critical because you're holding onto a lot of information in your network, and data classification lets you know what's important and what's maybe not as big a deal. In effect, is this patient information or is this the time for the office picnic? Big difference in terms of what needs to be protected and to what extent. Another thing you may wish to look into is cyber liability insurance, which covers you in case there is a security event. Now, one thing to realize is that what are called commercial general liability or CGL policies have had an exclusion for cyber events since May of 2014. So don't just assume that policy is going to cover you because, chances are, it won't. Next you want to look at what to do if something actually happens, and that requires what are called business continuity and disaster recovery plans. We're going to cover that in some detail a bit later in this program. But also one thing you want to look at is something called an incident response plan or procedure, which is effectively what people have to do in response to an issue.


Obviously it's very good to have this ready well before anything happens. And next you want to look at frameworks and standards. Probably the most relevant one here is what's called the NIST Cybersecurity Framework. Now, what is NIST? That is the National Institute of Standards and Technology. They're based in Maryland. Good folks. The Cybersecurity Framework is a relatively plain-English breakdown of how you deal with different incidents, and it's very customizable for different types of businesses. The original version came out a few years back. Version 1.1 came out in April of 2018. Also, PCI-DSS is another thing to pay attention to, as they have various requirements under that standard. Now the Health Information Trust Alliance, or HITRUST, came out with a Common Security Framework, and they did one specifically related to the NIST Cybersecurity Framework in May of 2018, specifically adapting the NIST framework for healthcare.


That's one thing to look at. It's not the only option by any means, but just one thing to look at. Obviously you may be listening to this thinking, wow, Scott, that sounds kind of complicated. No worries. Don't hesitate to bring in a security consultant to help set these up. Obviously there are a lot of them who specialize not just in healthcare, but specifically in dental healthcare. Now, the end goal is a robust security program. What I mean by that is consistent policies and repeatable procedures. Effectively, if something goes wrong, you literally know how your office is going to react because you've got something in place that makes sure this situation is dealt with this way and it's the same way every time. That may sound like a minor thing, but that's actually super, super helpful. Also, it's a big deal if they come in with say, a HIPAA audit, if you can point to something written down and say, "yes, this is what we do." In effect, the idea here is that it should prevent, detect, and respond to threats, which unfortunately are constantly evolving.

Security can’t just be assigned to the Office Manager or IT person – everyone in the office has to buy-in.

Risk Management

  • Start with a Risk Assessment (required under HIPAA’s Security Rule)
  • All data in the office network should be classified according to the level of risk associated with its potential exposure (how sensitive is it, is it PHI, etc.)

Cyber Liability Insurance

  • Cyber Liability Insurance can be helpful in mitigating potential costs from a security incident, though it’s important to know what a given policy actually covers.
    • Commercial General Liability policies have excluded cyber coverage since May 1, 2014

Business Continuity and Disaster Recovery Plans

  • Create an Incident Response Procedure/Plan and practice it

Security Policies and Standards

  • Create relevant policies, using a known security framework, such as:
    • NIST Cybersecurity Framework (CSF); version 1.1 was released in April 2018
    • PCI-DSS
    • Health Information Trust Alliance (HITRUST) CSF came out in May 2018 – adapts the NIST CSF for healthcare
  • A number of security and privacy vendors offer HIPAA compliant policy templates online

Data Protection

  • Use Business Associate Agreements (BAA) with any vendors, consultants and subcontractors that have the potential to access any of the data in your office.

The end goal is a robust security program with consistent policies and repeatable procedures.