You've heard the horror stories before: A backup system goes wrong or is nonexistent to begin with, and a business loses most, if not all, of its customer data.
Practice management consultant Jan Keller.As bad as that is, the real tragedy comes after. In a dental practice, this includes potential HIPAA fines, loss of patient trust, and a long and expensive recovery process that is labor-intensive, time-consuming, and -- not to mention -- embarrassing.
Many business owners, dentists included, do not pay adequate attention to their backup system until it is too late or something near-catastrophic happens to focus their attention. Often they trust that the old-fashioned backup system they've had in place for 10 years will continue to work, or they think that their practice management software is somehow taking care of this for them. They could not be more wrong.
If you're unsure how well your backup system is working, here are some initial questions to ask:
- What is the backup protocol in my office?
- Is it written down so everyone knows what it is and how it works?
- Is it HIPAA-compliant?
- Is it up to date?
- When was it last tested?
- Have we had our IT people reinstall from a backup to make sure the process is actually working?
I can't remember the number of times over the 20-plus years I've worked in dentistry that I hear horror stories about practices that have lost data, had their server crash, suffered weather or fire disasters, been burglarized or embezzled, and other incidents, resulting in the loss of weeks, months, or even years of patient data. This is true more now than ever because of the increasing digitization of data, supported by the internet and the "cloud." Don't let this happen to you.
Case study
Recently, a former client of mine lost 18 months of data when his software support team moved the practice's patient files from one drive to another. No one thought to tell the IT people, who were responsible for backing up the data, about the move and something happened to their computer.
The IT group wanted to reinstall the data on the drive and found that the information was 18 months old. The doctor had to recreate 18 months' worth of dental records. This brings up many other concerns, of course, like why the IT team had not tested the backed up for more than a year. But the point is, things like this can and do happen.
Best practices
Lost patient data cause a huge headache for the doctor and the team, as well as patients. Some practices are "lucky" in that they have saved day sheets, schedules, audit trails, and other information, and they are able to eventually recreate the majority of the information. But this is a painstaking, time-intensive, expensive, and unnecessary endeavor.
And what about offices that are paperless or chartless? My recommendation, whether you are paperless or chartless, is for the entire team to meet on a regular basis and discuss or review disaster recovery protocols. Include your IT people in the discussion. Ask what precautions need to be taken so that if anything does go wrong it is an inconvenience and not a catastrophe.
Remember, new threats present themselves on a regular basis, so you must proactively review your protocols on a regular basis as well.
The best practice backup systems include the following:
- A written protocol for paper and digital data
- Partnership with, and monitoring by, a trustworthy IT group
- Regular communication between the IT group and the practice
- HIPAA compliance (This is not optional. Disaster recovery plans are a requirement of HIPAA.)
- An offsite component (If your only backup is onsite and your building is breached -- fire, theft, weather -- all your hard work will be for nothing.)
- Regular tests to ensure the backup system is working
- Communication and conversations with your software carrier
Ask the questions when working with software support, especially when it comes to your data and how changes the software company makes might affect your backup. My personal recommendation is that the trusted person on the team responsible for handling software and IT issues work in conjunction with both the software support team and the IT group for any type of upgrade or update of the software.
Mark Pontius, president of Compass Network Group, expands on this important topic:
"A robust backup strategy is not only required by HIPAA but is a critical business function as well," he said. "Losing patient data can not only potentially expose a practice to significant fines under the Omnibus rule but can devastate your practice as a business. A backup strategy needs to be encrypted, redundant, monitored daily, and contain an offsite component."
Reduce your risk of ransomware
"One of the greatest threats currently to a practice's data is ransomware," Pontius noted. "[Ransomware is] a type of malware that encrypts the data on your network and then demands a ransom for the decryption key."
You can take a number of steps to reduce the risk of ransomware, according to Pontius. These are listed below:
- Upgrade your antivirus program and firewall.
- Implement antiencryption policies using server policies.
- Don't open attachments or click on links in emails from unknown senders.
- Understand that your best protection is a good backup.
For high-production practices, potential data loss between your last backup and when you are infected can be reduced by systems that take "snapshots" of your data hourly rather than the more common nightly backup.
Bottom line
Complacency kills. Don't wait for a catastrophe before you say, "Why didn't we ... ?" Contact a reputable and vetted service provider to make sure you are adequately protected today.
Jan Keller has more than 25 years of experience in dentistry as an office manager and a software trainer. She is a member of the Speaking Consulting Network and the Academy of Dental Management Consultants. Contact her at [email protected].
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.
