Computers are so commonplace in the 21st century that many people take IT security for granted, and even in business there are sometimes circumstances where the approach is a little too ‘laissez-faire’. It is the norm, even in a domestic environment, to have anti-virus software and sometimes a firewall, but unless you are employing third-party support, it can be all too easy to forget just how many different facets there are to IT security.
However, all areas of IT security need to be taken seriously, as the impact of a failure can be catastrophic for a business. Aside from legal obligations with regard to the protection of patient data, the potential disruption and financial implications can be substantial.
Safeguarding patient data
All these issues need to be addressed as businesses these days, regardless of size, need to have protocols in place that safeguard the use and circulation of patient data. Implementing policies and procedures can be overwhelming for a small business owner, but making such preparations will limit the impact on your business, should the worst happen. I would suggest that having a disaster recovery plan is ‘best practice’.
The best preparation starts with identifying and assessing the risks to which your business is potentially exposed and these can be classified into five principal areas:
- Strategic – competitors
Clearly not all of these areas are directly linked to IT security, but considering each of these groups in order will help you take a logical and organised approach to risk management, ensuring that no area is forgotten.
Once you have identified the risks within these main categories, you can then consider the following questions: How likely is it that such an event will happen? How will you respond? And what can you do to mitigate or eliminate the risk?
To measure the risk in each circumstance requires an assessment of both the probability and the consequence. An event such as a complete failure of your practice management system may be rare or highly unlikely, but would have significant consequences should it occur. Other more likely events, such as a power surge or power cut, may mean you lose data for that day, but could be remedied with comparatively little effort.
Risk can be managed in four main ways:
- Do nothing and accept the risk
- Share or transfer the risk, by insuring against it
- Reduce the risk by taking action, i.e. training
- Eliminate it – change what you do to remove the risk altogether
Each of these approaches has a cost implication, which will be part of your decision-making process in choosing a risk management strategy. Your full risk assessment should include what the risk is, how you plan to manage it and what you need to do in order to deal with it. All risk assessments should be reviewed on a regular basis, not only to ensure protocols are still relevant and in place, but also to review your exposure to new risks and existing risks, which may change over time.
The protection of patient data is one of the most important aspects of IT security. Historically, data protection was more concerned with the physical security of data, generally held as paper records. With advances in technology, electronic data has now become a key focus, but the physical security of paper records should not be forgotten.
The Data Protection Act 1998 governs the use of personal information, and all practices should be registered with the Information Commissioner and have a nominated data manager. You and your staff must comply with the data protection principles, but this is not overly complicated and most practices should be meeting these requirements already. Your business must have appropriate security measures in place to protect personal information against unlawful or unauthorised use or disclosure, and this includes having clear security levels established for different members of staff.
As well as general data protection legislation, dental-specific guidelines now exist in the form of the GDC’s Standards for the Dental Team, in which a whole section is devoted to the security of patient information. Section 4.5 requires dentists to: ‘Keep patients’ information secure at all times, whether your records are held on paper or electronically.’ In addition, section 4.5.2 states that: ‘If you are sending confidential information, you should use a secure method. If you are sending or storing confidential information electronically, you should ensure that it is encrypted.’ and section 4.5.3 alludes to the need for a risk management policy: ‘If clinical records are computerised, you should make back-up copies of clinical records, radiographs and other images.’
As well as protecting your business against risk internally, you should also consider how to ensure that your key suppliers have sufficient protocols in place to protect their own businesses, thereby minimising any impact on you should they suffer a failure of their own.
This is a particularly important consideration in regard to matters that affect your financial position, so it makes sense to ensure that you are confident that any external companies providing your practice with any type of financial service have robust risk management plans in place. Working with a credible organisation with a reputable track record will engender confidence and having the support of an external company to advise you can be extremely valuable.
Dental plan administration is the core of what we do at DPAS and we have extremely robust systems in place, which have been developed over the last 18 years. As we’re regulated by the Financial Conduct Authority (FCA), we’re able to guide practices through all forms of patient communication, including brochures, letters and online content. Furthermore, our disaster recovery protocols are absolutely comprehensive and we have every confidence that even if the worst was to happen, we would be back up and running in a matter of hours, with very minimal disruption to our customers.
Dealing with a disaster is likely to be required at some point during your business life and can manifest itself in all shapes and sizes. A process of due diligence will help you investigate your own systems and those of your suppliers to ensure that you each have processes that are strong enough to withstand a catastrophic event. While predicting such events is very difficult, preparing for them is not.
For more information please visit www.dpas.co.uk.