Sabina Mirza, Practice Management Consultant, British Dental Association, advises that dental practices should carry out annual risk assessments to identify any issues with security measures and protect the practice from data breaches.


Dental practices handle a substantial amount of personal data relating to their staff and patients. This includes names, dates of birth, contact details (such as addresses, telephone numbers and email addresses), bank account and other financial data, and dental records. Medical records in particular are classified as sensitive personal data as they contain information about the patient's health, treatment plans and medical history. Ensuring appropriate security measures is paramount for guarding against the risk of loss or theft through unauthorised access, which can result in identity theft or fraud. The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) require you to protect the personal data you hold by ensuring you have appropriate security measures in place. This is known as the security principle, or the integrity and confidentiality principle, of the GDPR. Any breach of personal data is likely to have serious consequences for your practice, including distress and loss of trust and confidence on the part of the persons concerned, breach of your confidentiality obligations, increased insurance premiums and a possible investigation by the Information Commissioner's Office (ICO).

The GDPR requires you to implement 'technical and organisational measures to ensure a level of security appropriate to the risk'. You therefore need to undertake risk assessments so that you know what your risks are and how severe each threat is. We recommend that you carry out a risk analysis regularly, at least annually, to identify any issues with your security measures and take appropriate action to protect your dental practice from data breaches before they can arise. You should assess the risk to all of your practice processes which collect, store, use and dispose of patient data, including both manual and electronic records and data produced by dental equipment, e.g. images from dental X-rays and video footage from CCTV.

Below are some suggestions which you should consider as part of your risk assessment.

Control access to information

  • Restrict access to personal data to only those staff who need the information to undertake their duties. This can be achieved by setting up file access permissions for designated staff only, which prevents unauthorised access to a patient record out of personal curiosity. Ensure staff have their own individual usernames and strong passwords, making it difficult for an unauthorised person to guess or decipher them

  • Implement automated password changes on a regular basis, and require screen locking or logging off when computers are left unattended

  • Forbid any sharing of passwords

  • Limit the number of failed log-on attempts

  • Cancel passwords when a staff member leaves the dental practice. Staff members stealing patient information is one of the leading causes of security breaches

  • Ensure computer systems have secure audit trails to allow for safety checks.

Malware protection, firewalls and online security

  • Encrypt data held on disks and computer files and password protect documents. This is very important, because in the event of a security breach, the encryption will prevent the disclosure of patient identities

  • Have up-to-date anti-virus and anti-malware products that regularly scan your network to prevent or detect any spyware and/or viruses affecting your computerised system. Some products can provide automatic software updates

  • Train your staff to spot phishing scams and suspicious links in emails

  • Ensure your staff know not to conduct dental business over public Wi-Fi, and not to access non-work websites or online services on work computers, as use of these sites presents a threat

  • Implement a policy on the use of social media, including the risks of posting or sharing information about patients, or information which could identify a patient or someone close to them

  • Be clear in your policy that staff must not use social media to discuss individual patients or their care, whether with those patients or with anyone else.

Physical security of paper files, digital data and equipment storing data

  • Secure all paper files in locked cabinets and/or in a locked room. Control access to/from the secured area by having designated keyholders

  • Ensure mobile devices containing personal data are transported securely by staff when off-site, as many data breaches arise from theft or loss of a device (e.g. a laptop, mobile phone or USB drive) in transit to or from the practice

  • Install a remote disable or wipe facility on your electronic devices, so that if a device is stolen you can send it a signal to locate it and, if necessary, securely delete all practice data.

CCTV recording

  • Place your surveillance cameras in places such as the reception and/or external windows and doors to deter any break-in and/or thefts

  • Bear in mind that if you are operating a CCTV system you must comply with strict controls on the capture, use, storage and disclosure of footage.

Minimising your data

  • Information that is no longer needed should be securely deleted in line with GDPR requirements and your record retention policy. Move data retained for archive purposes to a more secure location off site

  • Discard paper records containing personal or confidential information securely by shredding.

Have a plan

Ensure you have contingency procedures in place should a security breach occur. Your plan should include who will be on the response team, what actions they will take to address the immediate breach, and how they will prevent a similar breach in future. Ensure the practice has a regularly updated digital data backup system, so that all the data is correctly captured and the backup data can be quickly accessed off-site. Make sure the plan is documented and all employees are trained on what they need to do. A good policy will enable you to address the risks in a quick and consistent manner.

This article appeared in BDJ In Practice in April 2022.