If I were to ask you whether your orthodontic practice was PCI-DSS compliant, you would likely respond by asking me what the heck PCI-DSS compliance is. PCI-DSS stands for the Payment Card Industry Data Security Standard, and compliance with it is now mandatory for all merchants who accept credit cards. While PCI-DSS compliance is important to the average merchant, it is absolutely critical for dentists and orthodontists, whether or not they accept payment cards.
In the dental and orthodontic market, the protection of patient data is absolutely critical. A data breach could cause irreparable damage to your brand and a loss of patient trust, and it will most likely result in HIPAA violations. In the dental and orthodontic market, a data breach also comes with significant financial costs: decreased revenue and the direct cost of HIPAA violation fines. Fines for a data breach at your practice could range from $100 to $50,000 per violation/record!
Unfortunately, this nightmare has already hit orthodontic practices. In 2011, an orthodontic practice, Rape & Brooks Orthodontics of Birmingham, Alabama, experienced exactly this type of breach. A hacker was able to exploit a non-compliant server on their network, and the theft of 20,744 patient records, collected over the 30 years the practice had been in business, was the result. Rape & Brooks Orthodontics is not alone: since 2011, over 21,000,000 health records have been compromised. Dental and orthodontic practices are well-known targets for hackers because lax security practices leave their networks easy to exploit.
If you don’t have a good PCI-DSS compliance plan in place, your practice is likely at risk of a breach. This type of infiltration could occur in many different areas of your practice, so it is important that every possible entry point is secured. In the average practice, a breach could originate with a hacker gaining access to your office network, exploiting your website, or even getting in through your orthodontic practice management software. Regardless of the source, your practice is liable. The trickiest part of PCI-DSS compliance is that even if you are compliant today, you may not be tomorrow. To remain PCI-DSS compliant, you need to constantly monitor your network, website, and practice management software to ensure that each remains up to date and that all security patches are applied and tested in a timely fashion.
So how do I keep my practice secure and PCI-DSS compliant?
Remaining PCI-DSS compliant is not easy, and it is best left to security experts. When selecting an IT vendor, it is important to find one who understands the intricacies of PCI-DSS compliance as well as the requirements for remaining HIPAA compliant. If you are already working with an IT vendor, you can reach out to them to ask about their capabilities in this area. If they are unfamiliar with these terms or have limited experience in the medical space, it may be a good idea to seek an IT vendor with more medical security experience. Not all IT management companies are created equal, so it pays to invest in one that has the skills and experience to keep your practice safe and secure.
Clients of Visual Practice benefit from our in-house team of skilled medical IT experts. Our security experts work to keep our clients completely compliant. If you are an orthodontic practice that is not yet a client of Visual Practice, you are welcome to reach out to our team. We can assess your network and software to see if you are currently compliant. If not, our team can advise your practice on how to best become PCI-DSS compliant given your technology context.