Dentist loses three months of data and stomach lining.

Posted on March 19, 2023

by William Hiltz

Tips for Dentists

A false sense of security created the problem.

Many years years ago, I asked a dentist to send me a copy of the data from his practice management software for examination purposes.

I offered him these options to get the data to me:

I could connect remotely to his computer and upload the data to my server.
He could upload the data to my server.
He could copy the data to a USB flash drive and send it to me by restricted certified mail.

The dentist chose option #3.

When the package arrived a few days later, it was the size of shoebox and felt heavy. (I was expecting a USB flash drive in bubble wrap envelope.)

2002 Western Digital external hard drive with a 120GB of storage.

Inside the box was an old, large, heavy external hard drive with a chunky power adaptor.

I wondered why the dentist decided to send me this old hard drive, knowing that it cost more for him to ship the drive to me, than it would to buy a new USB flash drive.

In any case, I set the package aside in a locked cabinet for safe keeping until I could examine it.

That Friday I powered up the hard drive, and plugged it into my computer to take a look at the files.

**There were NO FILES on the hard drive!**

The hard drive was empty.

I scanned to look for deleted or hidden files – nothing.

No biggie, I thought at the time, the dentist just made a mistake and didn’t copy any data files to the hard drive.

I made a note to call him on Monday and make arrangements to try again.

Monday morning, and before I called, the dentist phones my office.

He was upset.

He said his ‘main computer‘ hard drive crashed over the weekend and he needed to get his hard drive back ASAP.

Me to Dentist: “Don’t you have a backup?”

Dentist: “I have a backup and it’s on the hard drive I sent you.”

Me: “The hard drive you sent is empty. It arrived with no files saved on it.“

long pause…

Dentist: “What!! ?”

I explained what happened and it took a while before he realized his predicament.

The dentist sent me his ONLY backup.

He said the back-up drive was plugged into his ‘main computer’ for at least 4 years and he thought it was automatically backing up every night.

No one ever checked the hard drive to see if the backup was working.

I offered faint hope and told the dentist to search every computer in his office to look for a data backup. (sometimes, a tech will copy data before they do any work on the computer, just in case they need revert and “roll back”)

The dentist was very lucky and found a 3 month old backup, which he used to get back up and running – sort of…

The cost: 3 months of data lost.

Future and past appointments all gone. Missing accounts receivable, clinical notes, new patient information, and more.

Don’t let a false sense of security cause you to lose your data and stomach lining.

The events in this (true) story could have been avoided if the dentist followed this simple advice.

Hire an IT pro – data backup is not a “Do-It-Yourself” project.

Do-it-yourself backups may be OK for your personal data, but not your your practice data.

There are MANY reasons why a DIY backup for a dental practice is a bad idea. Here are a few that come to mind.

DIY backups will fail basic HIPAA guidelines.

The basic HIPAA guidelines in a nutshell are:

Keep backups offsite.
Have written procedures.
Have a written recovery plan.
Regularly test the recovery plan.
Non-compliance penalties are severe

When compliance is at stake, don’t DIY.

Hire an IT pro with a track record of working with professionals that store PHI, confidential and sensitive data.

DIY backups won’t qualify for cyber-insurance.

All cyber-insurers are tightening their underwriting requirements. If you do not hire a pro with a track record of working with sensitive information to document and perform the work, you will may not be eligible for cyber-insurance coverage (or your policy will be restricted with exclusions).

DIY backups are unlikely to follow 3-2-1 rule.

The “3-2-1 golden rule” for data backup.

Keep 3 copies of your data
Use 2 different media to store the data
Keep 1 copy offsite (not in the cloud)

Keep in mind, there are variations of the 3-2-1 rule with names such as the 3-2-2-1 rule, or the 3-2-1-1-0 rule.

Whichever backup method your IT pro chooses, the 3-2-1 rule is the minimum required for your practice data.

Data backup is not Data Retention.

If you need archival records then DIY backups are going to be a problem.

Data backup vs Data archive.

Data or archiving is the process maintaining a time-series of data backups on separate storage devices for long-term retention.

Archive data consists of older data that remains important to the practice; retained for future reference or for regulatory compliance. Data archives can have index and have search capabilities, so files can be located and retrieved.

Data archives can help determine what changed, who changed it, and when.

Example:

As a made up illustration; imagine that you keep weekly archives and are now challenged by a court to demonstrate when patient JOHN GREEN was changed to patient JOHN BROWN.

Your archives show that patient JOHN GREEN was saved in Archive 1. (during week 1)

Then the name JOHN GREEN was changed to JOHN BROWN and saved in Archive 2. (during week 2)

The name JOHN BROWN remained unchanged and was saved in Archives 3, 4 and 5.

From this, it can be concluded that JOHN GREEN was changed to JOHN BROWN in week 2.

In the real-world of civil litigation; small details matter.

who sent that email and when?
which IP address logged on and when?
who deleted (concealed) files?
which files were copied (stolen)? Who copied them?
who created the document and when?
which websites were visited?
…and many more

The ability to produce backups created by proper archival and data retention policies can significantly alter the course of a legal or regulatory challenge.