The very first step (and this is required under HIPAA) is
to have a risk assessment. Every company, regardless of size,
needs to understand its risks. Only once we understand what
our potential threats are can we properly defend against
them. If you do only one thing this year that’s related to
information security it should be a risk assessment.
The risk assessment can be done internally or by a qualified
professional, and serves as a road map of what you
should do. Below is a short list of items a risk assessment
It’s important to note that each risk assessment is unique.
What one company needs will be different from another.
Once the risk assessment is completed, you will know what
your most likely risks are and how much money it will cost
to mitigate against that risk. In some instances it’s a wise
choice to accept the risk, as mitigation would cost more.
- Business Mission Review
- Critical System Identification
- Asset Map
- Threat Identification
- Expected Controls
- Administrative Review
- Technical Review
- Security Testing
- Determine Risk
- Risk Mitigation
- Safeguard Selection
For example, if the risk assessment shows that once a year
you will lose a smartphone, and the cost of the loss would be
$40,000. However, to mitigate it would cost $60,000. In
this example, it is recommended that you accept the risk, as
mitigation would cost more.
Create Defense in Depth
Now that you have a risk assessment, you can work on
creating defense in depth. Think of security as an onion,
and each control you have in place as a layer to that onion.
In this example, our onion might look something like this:
As we continue down the layers we begin to see that if one
control fails, there are still a number of controls in place. It is
important to remember that any control can fail, and sometimes
even multiple controls can fail at the same time. Your
organizations’ security posture should not rely on just a firewall
or anti-virus only. It needs to have a layered approach to
security. The risk assessment will show you which control you
need to have in place, and how quickly you should install it.
Every organization should have a firewall and anti-virus, and
today most firewalls come with Unified Threat Management
(UTM). This means they do more than just filter traffic; they
can do things like e-mail filtering, intrusion detection, even
- Intrusion Prevention
- E-mail Filter
- Event Management
- Device Encryption
- Vulnerability Scanning
- Disaster Recovery
Create Strong Policies
Policies are the driving force to ensure data is properly protected.
The dental practice owner needs to create the necessary
policies, and ensure that enforcement comes from the top. It is important for employees to understand that policies are
mandatory, and that as an employee they do not have the option
of not following it. Some policy examples are Acceptable Use,
Data Destruction, Business Continuity, System/Network
Security Monitoring and Mobile Devices.
All policies are composed of these basic components:
Keep in mind that policies are high level, and should not
dive into specifics. They should be easy for all to understand and
read. Once policies are established, then guidelines and procedures
further detail specific processes to ensure compliance of
the policies. Appropriate controls should be put in place for
management and auditors to observe compliance of policies.
- Purpose – describes the need for the policy
- Scope – identifies what is covered (people, systems,
- Responsibilities – lays out who is responsible for what
- Compliance – defines what happens if a policy is violated,
and how to measure the effectiveness of the policy
Proper Employee Education
From a security prospective, employees are often the weakest
link in the chain. Specific attacks referred to as social engineering
actively target employees in an attempt to entice them
to disclose information or conduct an action (such as clicking
on a link in an e-mail or opening a file).
The policies you have in place are the first line of education;
however this needs to be followed up with proper
training. Additionally, your other security controls (such as
encryption) need to be user-friendly. Telling employees to
encrypt e-mails or data will not have the right effect if
they’re not properly trained on how to carry out that action.
There are multiple online training classes employees can
attend, as well as general literature, which should be given
to employees. Organizations should have a formal training
policy. Your employee manuals should include your security
Understand the Risk Management Process
Compliance and business continuity is all about managing
risk. Whether large or small, you need to understand your
overall IT environment and associate risks. Risk management
is an ongoing process, not something you just do once a year.
The basic steps involve:
There are four basic ways to manage risk:
- List all your business functions
- List all your IT assets
- Determine which assets are required to support each
- Categorize each function as low, medium or high with
respect to the organization being able to function
- List threats than can affect the asset
- Determine the likelihood of each threat actually
- Evaluate alternatives to manage exposure
- Avoid risk – don’t implement a product or solution that
causes undue exposure
- Share risk – purchase insurance to cover your liability in
the event of exposure
- Mitigate risk – implement processes to minimize the
chance of exposure
- Accept risk – after evaluating alternatives to manage risk,
the cost of the solution might outweigh the negative
results due to an exposure (cost benefit analysis)
Once you’ve chosen your risk management strategy, it is
important to have a system to manage the implementation of
the solutions (controls). These do not have to be elaborate, but
they must be in place to assure the owner/manager/board/
auditor that the risk management solution is being implemented.
An example of a control for document destruction
could be a log sheet indicating what was destroyed and who
destroyed it. Then, on a monthly or quarterly basis, that log
sheet is reviewed and appropriately filed.
Have Disaster Recovery/Incident
Full system backups backup the entire system including
the operating system and files, allowing you to fully recover a
failed system, including the data and applications. There are
many different full system backup solutions on the market
offering various options and some of them include off-site
Additionally, the time it will take you to recover from a
backup is important. Will it take a matter of hours, days, weeks
or longer? Regularly testing your backups (both partial and
complete) is recommended. This will not only give you an idea
of how long it will take to restore, but also if your backups are correctly backing up your data. Remember, every day you’re
spending trying to restore data and get back to an operational
status is money you’re losing.
Within the last few years, there have been many new
technologies brought to market for the small and medium
size dental practices that were only affordable to large corporations.
If you are still running a tape back-up solution or any
solution that is not an imaging back-up solution (full backup
solution), you should contact your IT service provider to
look at these technologies.
These topics are a brief introduction to some of the
major things an organization can do to help reduce its risk.
In the event of a breach that involves personally identifiable
information (PII) or protected health information (PHI), it
will be important that you’re able to demonstrate due care
in protecting PHI and PII. You will be in a far better legal
position if you’re able to show due care and due diligence.
For more information or to speak with an information security
professional please visit www.quanexus.com. Consider
working closely with your practice management consultant
to develop a checklist to protect your practice. For more
information on dental practice management consulting,
please visit www.theparagonprogram.com.