Guidance on cyber security and data security of Dental Practice digital records

Dental Practice Magazine is aware that a number of UK practices are increasingly worried about the impact that any theft of computer equipment, or loss of the patient healthcare records stored on those systems, might have on their business continuity. In response, we understand that many practice managers would find it most helpful to have the professional and legal obligations for safeguarding patient healthcare data clarified.

This article aims to help dental practices understand their legal and statutory obligations in safeguarding patient records – and it also offers guidance on implementing a simple 3-step plan for better management of the associated risks and how to devise a simple IT business continuity plan – should a disaster strike. The risk management technique explained in this article can also be applied to other non-IT operational aspects of business continuity in a dental practice.

DPM’s editor recently discovered that a dental practice – based in South London – suffered an attempted break-in. Luckily the assailants appear to have been spotted by a member of the public whilst the break-in was in progress and they escaped the scene. However – what the criminals left behind was a trail of destruction – the practice’s rear entrance PVC door panel had been melted away using a portable gas cylinder and blow-torch that had been left behind. Thankfully – this incident did not result in any computer equipment theft or any loss of patient healthcare data – however, the practice manager took this as a ‘wake-up call’ and is now putting plans in place to improve their physical security, digital security and IT business continuity.

Following the attempted break-in – a number of questions were raised by the practice management team in connection with digital security and business continuity. All were focused on what might have happened if the criminals had been successful in obtaining confidential patient records. How quickly could the practice IT systems get up and running following a fire or loss of patient management systems? What legal and financial repercussions might the practice have suffered – if PCs or servers had been stolen and confidential patient data had been compromised?

Business Continuity – from an IT perspective

Reflecting on this real-world scenario – one plausible outcome of the attempted break-in could easily have been the theft of a number of desktop PCs and perhaps a server or two. From an operational perspective – unless the practice operates an off-site backup solution or already uses a cloud-based patient records system (e.g. healthcare records stored in an off-site data centre or at a main HQ site) – they would have found business continuity adversely affected.

Even when automated or manual off-site backups are in place – the purchase of replacement computers, the installation of correctly licensed software, the setup of networking by an IT provider and the loading of online or tape backup data onto replacement PCs and servers can be a very time-consuming process that stops the practice from digitally managing patient bookings and accessing healthcare records – at least until the systems are fully operational.

Almost any break-in or cyber-attack that results in loss of, or reduced access to, essential computing equipment or patient data will most likely result in patient service disruption and potentially an information governance non-compliance issue. No ‘automated rapid backup and recovery’ solution in the world can make up for the lost time and resources required to purchase replacement client computer equipment or re-instate applications and data on your network (whether on cloud computing or on-premise servers) as your practice attempts to get back into its normal working routine. Unless, of course, you have an up-to-date duplicate of every single computing device or data storage system in safe storage – plus all the oral healthcare records that reside on them safely mirrored in a separate geographical location – that can be re-instated within minutes. This is technically possible – but not a luxury most can afford, or even wish to entertain, once the risk-versus-reward of that investment is weighed up.

In summary – following a physical or virtual break-in (e.g. hacking via the internet or suffering a malware infection on practice computers) the delivery of patient care and treatments can be immediately delayed or, in a worst-case scenario, suspended indefinitely. The added complication of losing confidential patient data introduces a potential raft of legislative and care standard non-compliance scenarios – with intervention from the likes of the ICO, CQC and NHS Digital (formerly HSCIC) – possibly resulting in legal action against individual(s) or the organisation and the threat of financial penalties or practice closure.

So, now the scary stuff is out of the way – what can you do to improve practice business continuity and protect patient data from an IT perspective? Here’s our recommended 3-step plan…

(1) Firstly, you need to understand the legal and statutory obligations that your dental practice must comply with when it comes to safeguarding the security and integrity of patient records.

(2) Then you need to assess your potential risks, their likelihood and their impact on the business, from a ‘CIA’ perspective – Confidentiality, Integrity and Access of patient data – all within the context of the professional obligations confirmed in the first step above. There are lots of freely available charts and colour-coded spreadsheets that can help you discover and articulate these risks. Don’t do this alone – get input from your colleagues and an IT support provider.

(3) Finally – your priorities need to be agreed, with a basic plan of action devised to mitigate the higher-impact and most-likely risks as soon as possible – covering these nine generic IT areas…

Files & Databases
Email & DNS (Domain Name Service) Services
Software Applications
Cloud Computing Applications
Desktops, Laptops, Smartphones & Server Computers
Networking (Wired & Wireless)
Firewalls & Routers
Malware Protection
Backup & Recovery Systems

There are usually a number of lower-likelihood risks that you may decide simply to accept without any intervention at all – this is part of the risk management process, as most dental practices do not have the time, resources or ability to mitigate 100% of all IT risks; it is almost impossible to achieve.
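To make steps (2) and (3) concrete, here is an added worked example of a small risk register that is not from the article or from Dental Practice Magazine. It scores each risk as likelihood multiplied by impact, takes the impact as the worst-affected of the three ‘CIA’ dimensions, files every risk under one of the nine IT areas listed above, and then splits the register into risks to mitigate now and lower-scoring risks to accept. The 1–5 scale, the acceptance threshold, the high/medium/low bands and the sample risks themselves are all assumptions constructed for illustration, not figures from the article.

```python
"""Minimal IT risk register for a dental practice (added example, not from the article).

Each risk is scored likelihood x impact, where impact is the worst of the three
'CIA' dimensions (Confidentiality, Integrity, Access). The 1-5 scale, the
acceptance threshold and the colour bands are assumptions for illustration.
"""
from dataclasses import dataclass

# The nine generic IT areas from the article's step (3), used as the only valid categories.
IT_AREAS = (
    "Files & Databases",
    "Email & DNS (Domain Name Service) Services",
    "Software Applications",
    "Cloud Computing Applications",
    "Desktops, Laptops, Smartphones & Server Computers",
    "Networking (Wired & Wireless)",
    "Firewalls & Routers",
    "Malware Protection",
    "Backup & Recovery Systems",
)


@dataclass(frozen=True)
class Risk:
    area: str
    description: str
    likelihood: int       # 1 (rare) .. 5 (almost certain) - assumed scale
    confidentiality: int  # impact on each CIA dimension, 1 (negligible) .. 5 (severe)
    integrity: int
    access: int           # the article's 'Access' dimension

    def __post_init__(self) -> None:
        # Reject entries that are outside the agreed scale or not filed under a known area.
        if self.area not in IT_AREAS:
            raise ValueError(f"unknown IT area: {self.area!r}")
        for name in ("likelihood", "confidentiality", "integrity", "access"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def impact(self) -> int:
        # The worst-affected dimension drives the impact rating.
        return max(self.confidentiality, self.integrity, self.access)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a score onto the colour bands seen on typical risk-matrix charts (assumed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(risks, accept_below: int = 6):
    """Split the register into (mitigate, accepted), each ordered highest score first.

    Risks scoring below `accept_below` are the lower-likelihood/impact ones the practice
    may choose to accept without intervention, as the article describes.
    """
    ordered = sorted(risks, key=lambda r: -r.score)
    mitigate = [r for r in ordered if r.score >= accept_below]
    accepted = [r for r in ordered if r.score < accept_below]
    return mitigate, accepted


# Constructed sample entries - illustrative only, not findings from any real practice.
SAMPLE_RISKS = [
    Risk("Backup & Recovery Systems", "No off-site copy of the patient database; server stolen in a break-in", 3, 5, 3, 5),
    Risk("Desktops, Laptops, Smartphones & Server Computers", "Unencrypted laptop holding patient records is lost", 3, 5, 1, 2),
    Risk("Malware Protection", "Ransomware arrives via an email attachment and encrypts shared files", 4, 3, 5, 5),
    Risk("Email & DNS (Domain Name Service) Services", "Practice domain registration lapses unnoticed", 1, 1, 1, 3),
    Risk("Networking (Wired & Wireless)", "Guest Wi-Fi shares the same network as practice PCs", 2, 4, 2, 1),
    Risk("Firewalls & Routers", "Internet router still uses its factory default admin password", 3, 4, 4, 3),
]


def render(risks) -> list[str]:
    """One line per risk, suitable for pasting into the agreed plan of action."""
    return [f"[{band(r.score):6}] {r.score:>2}  {r.area}: {r.description}" for r in risks]


if __name__ == "__main__":
    to_mitigate, to_accept = prioritise(SAMPLE_RISKS)
    print("Mitigate now:")
    print("\n".join(render(to_mitigate)))
    print("\nAccepted (no intervention):")
    print("\n".join(render(to_accept)))
```

Run it as a script to print the two lists; adjust `accept_below` to match the appetite agreed with colleagues and your IT support provider. Taking the worst of the three CIA ratings as the impact is a deliberate choice: a lost unencrypted laptop barely affects access to care, but the confidentiality impact alone is enough to put it at the top of the list.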

Note: this is not an exhaustive list of IT functions – there are many digital services I’ve excluded (e.g. websites, phone systems, server virtualisation etc.); however, what we have above is a good starting point for most practices.