With all the latest healthcare data breaches made public recently, could a HIPAA audit of your practice be in the cards soon? Well, that may also depend on what orthodontic practice management software you use.
Many orthodontic practice management systems in use today are built on computing and networking infrastructure designed decades ago, when security was not a top priority for systems developers. Even where enhancements have been made since, most of these systems carry latent weaknesses that could be exploited by a malicious party, whether external or internal. A breach triggers your obligation to disclose it to your patients and to the public, which can do substantial damage to your reputation and credibility among patients and within your local community.
The product security exposure reports recently made public in relation to Dentrix, and now Eaglesoft, could also lead HHS regulators to prioritize your practice for the periodic provider audits they must conduct under the 2009 law if your practice still runs on these products.
So what are the top 10 questions you can ask your practice management software vendor to ensure that your patients’ privacy is protected and you can pass an eventual HIPAA audit successfully?
Let’s see.
- Role-based security. Can you define roles with detailed access rules that prevent your employees from accessing or working with more data than their jobs require?
- Encryption of critical data. Are all critical data elements encrypted with a suitable method (such as the NSA-approved AES algorithm) so that they are inaccessible even to people with administrative access to your server and data repository?
- Automatic logoffs. Does the software log the user off after a period of inactivity? This is even more important for cloud-based systems that can be accessed from public places.
- Unique passwords. Does the system enforce the use of unique passwords rather than allowing the continued use of widely known default passwords, for both the user-facing components and the backend infrastructure components (servers, databases, and so on)?
- Discourage sharing of passwords. Is there a built-in mechanism that makes the sharing of passwords among your employees highly impractical?
- Logging. Does the system keep a log of who did what, and when, with critical data?
- Password complexity. Is there a system-enforced set of rules that mandates a minimum password length and complexity?
- Email control. If your system has built-in emailing capabilities, does it also have rules that block the transmission of PHI (protected health information) over this inherently insecure channel? Better yet, does your system provide a secure messaging capability for sharing PHI with external entities such as referring physicians, insurance companies, and patients?
- Two-factor authentication for external third parties. Does your system require two-factor authentication for third parties accessing it from the public Internet?
- Minimal and controlled attack surface. Is your system's central data repository "locked down," allowing access only through the necessary authenticated and encrypted pathways, with all other access pathways disabled or removed?
Implemented from the ground up on the most recent and most modern computing and networking technology, and designed to function securely over the public Internet with the utmost regard for your and your patients' data security and privacy, Visual Practice is the only orthodontic practice management software product on the market today that has all the essential ingredients to make your practice impenetrable to attackers and to help you pass a HIPAA HITECH audit with great ease.
To find out more, please visit us on the Web at www.visualorthodontics.com or call us toll free at (888) 845-7621 for more information on how Visual Practice can help you save more time, increase your patients' satisfaction, and give you more peace of mind than any competing alternative available today.