

The Dirty Loophole That Lets Insurance Companies Refuse to Cover a Cybercrime Theft in Your Practice
As hacking hit the headlines in the last few years — most recently the global hack in May that targeted companies both large and small — insurance policies to protect businesses against damage and lawsuits have become a very lucrative business indeed. Your company may already have cyber insurance, and that’s a good thing. But that doesn’t mean that you don’t have a job to do — or that the insurance will cover you no matter what.
When you buy a car, you get the warranty. But in order to keep that warranty valid, you have to perform regular maintenance at regularly scheduled times. If you neglect the car, and something fails, the warranty won’t cover it. You didn’t do your job, and the warranty only covers cars that have been taken care of.
Cyber insurance works the same way. If your company’s IT team isn’t keeping systems patched and up to date, taking active measures to prevent ransomware and other cybercrime attacks, and backing everything up in duplicate, it’s a lot like neglecting to maintain that car. And when something bad happens, like a cyber attack, the cyber insurance policy won’t be able to help you, just as a warranty policy won’t cover a neglected car.
Check out this real life policy exclusion we recently uncovered, which doesn’t cover damages “arising out of or resulting from the failure to, within a reasonable period of time, install customary software product updates and releases, or apply customary security-related software patches, to computers and other components of computer systems.” If your cyber insurance policy has a clause like that — and we guarantee that it does — then you’re only going to be able to collect if you take reasonable steps to prevent the crime in the first place.
That doesn’t just mean you will have to pay a ransom out of pocket, by the way. If your security breach leaves client and partner data vulnerable, you could be sued for failing to protect that data. When your cyber insurance policy is voided because of IT security negligence, you won’t be covered against legal damages, either. This is not the kind of position you want to be in.
All of this is not to say that you shouldn’t have cyber insurance, or that it’s not going to pay out in the case of an unfortunate cyber event. It’s just a reminder that your job doesn’t end when you sign that insurance policy. You still have to make a reasonable effort to keep your systems secure — an effort you should be making anyway.
Emails, texts, and HIPAA: 7 rules every dentist needs to know
While you may think your dental practice is following all HIPAA rules, is it really? Check these seven rules from an attorney who has represented dental practices that have missed something regarding HIPAA, and paid for it.
If you’re a dentist, you know about HIPAA. You know that HIPAA creates rules and restrictions on the way you keep, use, and disclose patient information. However, many dentists don’t realize that HIPAA also restricts the way they and their staff can use email and text messages to communicate with patients and other providers about patients.
HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening.
HIPAA doesn’t completely prohibit using emails and texts to communicate with patients or other providers about patients. But HIPAA does require dentists to use security measures when doing so, such as encryption or secure messaging platforms. Alternatively, dentists need to obtain consent from patients to send protected information via unsecured email or text. Sending protected information over unsecured emails or texts without a patient’s consent can violate HIPAA.
Why should dentists care about this?
Failing to comply with HIPAA can have severe consequences. If protected health information is used or disclosed in a way that does not comply with HIPAA, a dentist may need to give notice of the impermissible use to the affected individuals, the federal government, and, if more than 500 individuals are affected, the media. The federal government has stepped up HIPAA enforcement, conducting more compliance audits and seeking more financial penalties from HIPAA violators.
What does this mean?
Dentists and their staff need to know and follow the rules with emails and texts to remain HIPAA compliant. Before getting to the rules, here’s some terminology:
First, HIPAA applies to the storage, use, and disclosure of a patient’s individually identifiable health information, which HIPAA calls protected health information (PHI). PHI is generally defined as any information about a patient—name, demographic information, past, present, or future physical or mental health condition, treatment, x-rays, pictures, and payment information—that can reasonably be linked to a specific, identifiable individual.
Second, “password protected” is not the same as “secure” or “encrypted.” To understand the difference, think of a padlock and a code. A padlock (like a password) protects against unauthorized access. But once a person unlocks the padlock (gets past the password), the person can see and make sense of everything inside. Encryption, on the other hand, is like a code. The information gets jumbled so it cannot be used or understood by a person who sees it unless that person has the “key” to decode the jumble (the “encryption key”).
What are the rules for emails and texts?
1. Emails to others inside the same practice—Most practices have a secure server and network, and emails between people inside the same practice, even if located in different offices, are sent over the secure server and network. If an email is sent to another person inside the same practice over a secure server and network, the email can include a patient’s PHI and does not need to be encrypted. However, if the in-practice email is not being sent over a secure server (e.g., if the practice uses Gmail or another web-based email service), the email should not include information about a patient that can be linked to a specific, identifiable individual.
2. Emails to persons outside the practice (other than the patient)—Emails to people outside the practice other than the patient should not include a patient’s PHI unless the email is encrypted or sent via a secure messaging system. This generally means that dentists should not use emails to communicate with other providers about an identifiable patient unless special security measures are taken.
3. Emails to personal email accounts—Emails from a work email account to a personal email account should not include PHI or attach patient records or other documents with PHI. If work needs to get done from home, consider using a secure remote connection (such as GoToMyPC) to connect from home, or take the minimal amount of needed information home on an encrypted flash drive.
4. Text messages to persons other than the patient—Unless a provider or practice has a secure text messaging platform, text messages are not secure or encrypted. They are easily intercepted, often sent to an incorrect number, and usually stored indefinitely on third-party devices, such as the wireless carrier’s servers. Thus, text messages should not include a patient’s PHI. This is true even for texts to staff or other providers inside the same practice; these should not include identifiable patient information.
5. Emails and texts to patients—More patients want their dentists to communicate with them by email or text. Dentists who want to do so must do one of two things. Option one is to use an email or text messaging system that encrypts messages or requires patient login, such as a patient portal. If a secure messaging system is used, messages sent to a patient can include PHI.
Option two is to obtain the patient’s consent for using unencrypted email or text messages to communicate with the patient. This is after advising the patient of the risks of doing so, including the risk that the message could be read by a third party. A good way to do this is by giving the patient a well-written consent form as part of his or her new patient paperwork, or to existing patients at their next visit. If a patient consents to the use of unsecured emails and texts after being properly warned, a dentist may communicate protected PHI to the patient in that way.
6. Emails and texts from patients—The above rules do not apply to emails or texts sent by a patient. HIPAA applies to health-care providers (and other “covered entities”), not patients. Patients can use unencrypted emails and texts to communicate with providers.
If a patient initiates an unsecure email or text and sends it to his or her health-care provider, the Health and Human Services Office of Civil Rights (OCR), which enforces HIPAA, explains that the provider may assume that using unsecure emails or texts is acceptable to the patient, unless the patient has explicitly stated otherwise. However, OCR has also advised that if the provider believes the patient might not understand the risks of using unencrypted email or texts or if the provider has concerns about potential liability, the provider may want to alert the patient of those risks and let him or her decide whether to continue with unencrypted email and text communications. So, if a dentist doesn’t have a signed consent and preference form from the patient, the dentist may want to get one before replying via unsecured email or text.
7. Email confidentiality notices and disclaimers—There’s a myth that including a confidentiality notice or disclaimer in an email makes the email compliant with HIPAA and allows a dentist to send PHI via unencrypted or unsecure email. The myth is false. Even the best-worded notice or disclaimer will not make an unencrypted email comply with HIPAA. The rules here still apply.
Best practice: Get consent and preference forms from all patients
All dental offices, even those that use encryption or secure messaging systems, should consider having all patients complete an email and text message consent and preference form that confirms their preferences about emails and texts. Doing so would allow dentists to communicate with their patients consistent with their desires. It would also give patients a chance to consent to the use of unencrypted emails or texts.
Consent forms would also help dentists with another significant hazard that comes with calling or texting a patient’s cell phone—the Telephone Consumer Protection Act (TCPA). TCPA is the federal law that protects consumers from unwanted telephone calls and faxes. TCPA prohibits making auto-dialed and pre-recorded calls and texts to cell phones (e.g., auto-generated appointment reminders) without the prior express consent of the called or texted party. Sanctions for violating the TCPA can be huge—$500 per violation (per call or text message).
For all of these reasons, having every patient review and sign a well-written consent and preference form, and then following the patient’s preferences, is a good idea that will keep your dental practice HIPAA compliant. - www.dentistryiq.com, Robert Kethcart, June 29, 2017
Do You Have a Business or a Job?
How to Succeed as an Entrepreneur
Turning Your Job Into a Business By Andy Bailey
To put it simply, if you can’t take a month off to travel to Italy (or to write the great American novel or do some other time-intensive activity), you’ve got a job.
When I started my first company, I thought I was out of the grind of a job. Sure, my company was successful, but after nine years, I realized that I still had a job, not a business. My stress level was still high, and I hadn’t made myself any happier than if I had a regular job. So, I made some changes.
Do you want to make the shift from job to business and realize your dreams of independence? Here are five steps to help get you there:
1. Make a plan. It’s best if you can define your priorities by breaking them down into daily, weekly, monthly, and quarterly activities. Figure out where you are as a company right now, where you want to go, and how you want to get there.
2. Surround yourself with the best. If you think you can do it alone and not end up having a job, you’re mistaken. You’ve got to be intentional about surrounding yourself with great people.
3. Once you have the best, leave them alone. Relax. Resist the temptation to micromanage your team. Warren Buffett said it best: “Hire well. Manage little.” If you’ve succeeded with steps one and two, you’ve already set your team up for success. So, let them do what they do best without hovering.
4. Make your business independent of you. As I said earlier, if you can’t take a month-long vacation, you’ve still got a job. Develop processes that allow your business to run without you. Instead of holding onto knowledge, share what you’ve got and teach your employees to be problem solvers, rather than coming to you for answers.
5. Walk your talk. Be fair and reasonable with your employees and your clients. Make sure to show up on time and do what you say you’re going to do. You’ll reap the rewards through inspired loyalty and customer referrals.
Odds are, you’re going to have to start with a job to turn your company into a business. It won’t happen overnight. But, little by little — if you do it right — things will come together. In musical terms, think of yourself as a conductor. You’re not sitting first chair in the orchestra, and you’re not playing an instrument. Your job is to get the best players, decide who’s going to play what and how, and then let them perform the symphony. Pretty soon, you can put down the baton, listen to the music, and take that much-needed long vacation.
As the founder of Petra Coach, Andy Bailey can cut through organizational BS faster than a hot knife through butter, showing organizations the logjams thwarting their success, and coaching them past the excuses we all use to avoid doing what needs to be done. Andy learned how to build great organizations by building a great business, which he started in college. It then grew into an Inc. 500 multimillion-dollar national company that he successfully sold and exited.
Shiny New Gadget Of The Month:

Alexa, Who’s Winning the Virtual Assistant War?
There are multiple companies trying to break into the “smart home hub” market, but Amazon’s Echo (and its sultry Alexa) are holding on to 70 percent of the market share, and it doesn’t look like that’s changing any time soon. That’s a clear sign of victory for Amazon - and a wake-up call for its competitors.
The voice-activated home assistant market is growing, with almost a third of millennials likely to use a home assistant this year. While it might take a decade or more for the devices to find their way into the homes of older demographics (a situation Saturday Night Live has already mined for comedy), it seems that smart hubs will only increase in popularity from here on out, and that Alexa is poised to rule them all.

You’ve Been HACKED! What’s the First Thing You Should Do? There’s always a chance that IT security will be breached, and one way to make a bad situation worse is not knowing the standard operating procedure when it happens. First, contact your IT personnel. The faster they can address the hack and figure out its extent, the better served you’ll be. Next, understand that there are legal ramifications to being hacked; if valuable data has been compromised, you’ll have to notify the individuals in question as well as the FBI. Remember, the faster you act, the better it will be.
Leave Your Life Jacket On The Shore And Swim Safely With This Inflatable Collar. Despite their utility, orange life jackets are the opposite of cool. And when you factor in the human invincibility complex, you get a bad situation: people out on the water without adequate flotation devices. According to DigitalTrends, water safety company Ploota wants to change that with their inflatable necklace. Sleek and slim, the device is worn around the neck and doesn’t get in the way of active water sports. But, if needed, it automatically inflates, potentially saving the life of the swimmer or boater. DigitalTrends.com - May 8, 2017
Hopefully This Will Make UberPOOL Way Safer And Less Stressful. Speaking of safety, UberPOOL is getting safer and smarter by asking passengers to get out at better destinations — even if that means walking a few more feet to their destination — rather than in high-traffic zones. We’re talking about distances of less than half a block, but it can cut major time off everyone else’s commute and ensure passengers aren’t stepping out into dangerous traffic. Of course, riders can always opt out, but getting dropped off at a high-traffic destination will take longer and cost more. Mashable.com – May 4, 2017
Get a Refund If Your Child Made Accidental In-App Purchases From Amazon.
Some game apps allow you to buy stars, donuts, coins, or other tokens you can use to play the game. The tokens are imaginary, but the purchase is real. It’s easy for kids to buy stuff within these apps without realizing they’re spending money—your money. Last year, the FTC found Amazon liable for billing parents for these types of purchases, and the online retailer has now settled with the FTC, agreeing to refund these purchases. If your kid has purchased stuff without your permission via an app purchased on Kindle or the Amazon Android app store, you might be eligible for a refund. As Consumerist reports, you should get an email directly from Amazon, but you can also visit the Message Center in your Amazon account and find information under “Important Messages.” Lifehacker.com – June 1, 2017
8 Ridiculous Things That Annoy All Dentists
1. “I hate the dentist”
When you hear this, you probably say to yourself, “Yeah, well the dentist hates you back, but thanks for reminding me how unpopular I am.” This is the most common utterance from patients, who are remarkably oblivious to the fact that they’re being rude.
2. Repeatedly no-showing or being late
Just like any other doctor, dentists have busy patient schedules. So, when a patient flakes out or is tardy for not one, not two, but pretty much every appointment, the aggravation can be enough to want to banish that person from your practice.
3. Chatting during procedures
Ironically enough, both dentists and patients complain about this one. Can’t everyone just agree to be quiet?
4. Complaining about and comparing costs
Oh, the dentist on the other side of town only charged your mother-in-law X dollars for the same procedure? Go see them, then.
5. Waiting until it’s an emergency
No one likes a patient who forgoes seeing a dentist for a decade and then shows up at a practice’s doorstep to get a rotting tooth yanked out. To prevent agonizing pain, patients should schedule regular dental checkups and take care of their teeth.
6. Melodramatics
The patient is screaming, but you haven’t even touched them yet. Should be a fun appointment.
7. Smartphone addicts
Seriously, does a patient really need to be texting the entire time the dentist’s hand is in their mouth?
8. Not listening
Yes, you really do need to brush and floss every day, avoid foods that cause tooth decay, and come in for routine visits. If a patient does not follow these simple tips for a healthy mouth and then complains about the consequences, it is hard to have sympathy.

Sagester Associates Group provides dental practices with the latest, most advanced technology solutions for dentists in Indiana, Kentucky and the Midwest area. For over 15 years, we have earned a reputation as the preferred supplier of computer technology solutions for dentists who are serious about their practice.
Sagester Associates Group is focused exclusively on the dental industry. Dental technology solutions are all we do. We are experts at it, and no one knows more. Our superior service and dental practice knowledge is our core attribute and the real distinction that separates us from typical computer system providers.
Need help? Just have a question?
Call us at 812-314-6724 or email at info@sagester.com.

