(This article was published in the Oral Hygiene magazine, November 2015. URL: http://issuu.com/glaciermedia/docs/ohynov2015de)
For the past year, we have been talking to many dental offices in Ontario. We noticed that many offices are unaware of technology loopholes that affect their compliance with privacy regulations. Regulations such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA) both address how your practice should handle patient information from a technical perspective. Dental journals like Oral Health frequently discuss proper procedures to implement for better PIPEDA and PHIPA compliance. However, these discussions rarely focus on how the computer systems in the office can expose or jeopardize patient privacy. Here are four questions to help you evaluate how compliant your office computer systems are.
Does your dental software encrypt data properly?
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption denies the content to an interceptor who attempts to steal the information. Sensitive data should be encrypted to prevent unwanted exposure. Under PIPEDA (Office of the Privacy Commissioner of Canada, 2015), the following is considered sensitive or Personally Identifiable Information (PII):
• Age, name, ID numbers, income, ethnic origin, or blood type
• Opinions, evaluations, comments, social status, or disciplinary actions
• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
This means that the moment your receptionist types a new patient’s information into the computer, or you make a digital record of your patient’s treatment, you have the legal responsibility to keep that data safe. If you are using desktop dental software, your data will most likely be stored locally on your machine. If that data is unencrypted, the information is directly exposed if your laptop or desktop is stolen. It is also possible that your local server uses a database such as MySQL that does not encrypt the data it stores. So when you purchase your dental software, it is wise to check with your vendor how the data will be encrypted.
Is your office using a secure operating system?
Many dental offices fear malicious hackers but fail to implement effective measures against them. If you are using an old operating system such as Windows XP, as many offices do, your computers are more vulnerable to hackers. According to Mike Reavey, Microsoft’s Trustworthy Computing general manager, Windows XP is 6 times more susceptible to hackers than Windows 8 (RSA Conference, 2013). You are also responsible under PHIPA for installing virus protection software (Service Ontario, 2015).
Are your data backups compliant with privacy laws?
Our research shows that many offices using desktop-based dental software back up data manually on a flash drive or even on multiple USB sticks. But this hardly guarantees data security. Most of those mobile storage devices do not encrypt data as required. As a result, when a USB stick is lost, unencrypted patient data is much easier to read and thus more susceptible to illegal use.
The consequences of a seemingly small mistake like using an insecure USB stick can be severe. In an article titled “Protecting Patient Information”, the Canadian Dental Association cites several data loss incidents caused by improper storage and backups (Canadian Dental Association, 2014). In one incident, 25,000 client files were lost when an employee at an Ottawa hospital loaded the information onto an unencrypted USB stick, resulting in a $25 million lawsuit. In another incident, some of the lost data turned up for sale on an online auction site.
Does your dental software functionally protect patient data?
Your dental software should be equipped with a couple of functions that will help you protect data. PHIPA requires that your office staff use unique user identification to access electronic records and periodically change passwords to protect documents and records (Service Ontario, 2015). Your dental software should be able to verify user ID and password and deny suspicious login attempts.
Another function your dental software should have, according to the RCDSO’s Guidelines for Electronic Records Management, is an ‘audit trail’, which allows you to track who has accessed or changed what information, when, and from which IP address (Royal College of Dental Surgeons of Ontario, 2012). This reduces the risk of liability disputes.
The Guidelines also require an ‘auto shut off’ function when your computer is idle (Royal College of Dental Surgeons of Ontario, 2012). This means you will be automatically logged out after a period of inactivity, to prevent information leaks from an unattended workstation.
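As an added illustration (not code from the article or from any dental software product), the following Python sketch models the three functions just described: password verification that denies further attempts after repeated failures, an audit trail recording who touched which record, when, and from which IP address, and automatic logout after a period of inactivity. The lockout threshold, the ten-minute idle timeout, and the user and record names are assumptions.

```python
import hashlib, hmac, os, time

MAX_FAILED_LOGINS = 3        # assumed lockout threshold (not from the article)
IDLE_TIMEOUT_SECONDS = 600   # assumed "auto shut off" after 10 idle minutes

def hash_password(password, salt=None):
    # Salted PBKDF2 so a stolen user table does not reveal passwords.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class PracticeAccess:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock, so the idle timeout is testable
        self.users = {}       # user_id -> (salt, password digest)
        self.failed = {}      # user_id -> consecutive failed logins
        self.sessions = {}    # user_id -> timestamp of last activity
        self.audit = []       # audit trail: (time, user, ip, action, record)

    def add_user(self, user_id, password):
        self.users[user_id] = hash_password(password)

    def _log(self, user_id, ip, action, record=None):
        self.audit.append((self.now(), user_id, ip, action, record))

    def login(self, user_id, password, ip):
        # Deny further attempts once the lockout threshold is reached.
        if self.failed.get(user_id, 0) >= MAX_FAILED_LOGINS:
            self._log(user_id, ip, "LOGIN_DENIED_LOCKED")
            return False
        # Unknown users get an empty digest so the failure path is identical.
        salt, digest = self.users.get(user_id, (b"", b""))
        if not hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failed[user_id] = self.failed.get(user_id, 0) + 1
            self._log(user_id, ip, "LOGIN_FAILED")
            return False
        self.failed[user_id] = 0
        self.sessions[user_id] = self.now()
        self._log(user_id, ip, "LOGIN_OK")
        return True

    def access_record(self, user_id, ip, record_id, action="VIEW"):
        last = self.sessions.get(user_id)
        if last is None or self.now() - last > IDLE_TIMEOUT_SECONDS:
            # Auto shut off: idle sessions are closed and the access refused.
            self.sessions.pop(user_id, None)
            self._log(user_id, ip, "AUTO_LOGOUT_IDLE" if last is not None else "NO_SESSION", record_id)
            return False
        self.sessions[user_id] = self.now()   # any activity resets the idle clock
        self._log(user_id, ip, action, record_id)
        return True
```

Every denied login and every record access, including the automatic logouts, lands in the audit list, which is what an auditor would ask to see.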
Your office’s hardware and software are vital to the smooth operation of your practice. With the data they contain, those systems are also vital for proper compliance with privacy laws. Using proper technologies to protect your patient data will go a long way towards building a trusting relationship with your patients and protecting the well-being of your office.
We would like to thank Dr. Waleed Akkila, DDS, for his continuous support and his valuable feedback on this article.
About the Author
Feda Bashbishi is the CEO and co-founder of iKlyk Inc., a Canadian dental software provider dedicated to raising the bar of quality in dental practice management software, patient privacy, and data security. Feda Bashbishi holds an MBA from Wilfrid Laurier University as well as a Master of Science in Software Development from San Jose State University in California. Prior to establishing iKlyk, Feda worked for years on enterprise-level cloud-based applications. You can connect with Feda through https://goo.gl/ZLJiRV or by email at email@example.com.
- Canadian Dental Association. (2014, August 30). Protecting Patient Information. Retrieved from eReferral Service: http://www.ereferralservice.com/protecting-patient-information/
- Office of the Privacy Commissioner of Canada. (2015, June 23). The Personal Information Protection and Electronic Documents Act (PIPEDA). Retrieved from https://www.priv.gc.ca/leg_c/r_o_p_e.asp
- Royal College of Dental Surgeons of Ontario. (2012). Guidelines – Electronic Records Management. Retrieved August 17, 2015, from http://www.rcdso.org/save.aspx?id=e2ef89ce-52e6-40c4-81a1-a74abe4a0049
- RSA Conference. (2013, November 19). A New Era of Operational Security in Online Services. Retrieved from InformationWeek: https://www.youtube.com/watch?v=s_g1hDIQDIY
- Service Ontario. (2015, July 1). Personal Health Information Protection Act, 2004. Retrieved from http://www.ontario.ca/laws/statute/04p03