BY JANE KOLLMER

Since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996, the landscape of patient data has transformed. Today’s orthodontic practices rely on a complex ecosystem of cloud-based software for scans, imaging, and treatment planning, entrusting sensitive patient information to third-party vendors. While this technology drives efficiency, it also introduces significant risk. Under HIPAA, the orthodontic practice remains the legal custodian of patient records, responsible for their protection, access, and availability, regardless of where the data is hosted.

According to Gary Salman, CEO of Black Talon Security, this puts the onus squarely on practices to understand who has access to their data and what measures are in place to protect it. With over 32 years of cybersecurity experience, Salman has seen firsthand where practices are most vulnerable and provides a roadmap for mitigating risk in an increasingly digital environment.

THE FOUNDATION: BUSINESS ASSOCIATE’S AGREEMENTS

The first line of defense for any practice is the business associate’s agreement (BAA). This legally required contract between a healthcare provider (the “Covered Entity”) and a vendor (the “Business Associate”) ensures that any third party handling protected health information (PHI) is also bound by HIPAA to safeguard that data. This applies to IT companies, imaging centers, practice management software providers, and, increasingly, AI companies.

“The BAA is one of the most important things that the government looks at in the event that the practice is put under investigation,” Salman says. “I’d be willing to bet a lot of these orthodontic practices that are using AI in their practices don’t have a business associate’s agreement in place, and they’re sharing confidential patient data with these AI technologies.”

Salman recommends that a practice have an attorney specializing in data privacy review every BAA before it is signed. While some vendors provide their own templates, expert legal counsel can identify potential liabilities and ensure the practice’s interests are protected. These signed documents should be kept readily accessible in case of a data breach or investigation.

BEYOND THE BAA: NAVIGATING VENDOR CONTRACTS

A well-crafted contract should proactively address potential conflicts and transitions. Salman has seen IT companies attempt to hold practice data hostage over contract disputes, a move he stresses is illegal under federal law.

“That is a clear violation of HIPAA. They can’t use a lack of payment or contractual dispute to shut the practice out of their practice management data,” he says. To prevent this scenario, contracts should explicitly state that the vendor will never lock the practice out of its devices and will always provide administrative usernames and passwords, regardless of any dispute.

Practices should also retain control over their own core credentials. “I would also always recommend at least one doctor in the practice has the username and password to the server, the workstations, the firewall, and the back-up,” Salman adds.

This is not only a safeguard against disputes but also a critical asset during a cyber attack. Since almost every IT company servicing the U.S. dental market operates on a Monday through Friday, 8:00 AM to 5:00 PM schedule, an attack occurring on a Friday night or weekend can leave a practice without support for 48 hours or longer, giving hackers significant “dwell” time to inflict damage.

Other key contractual clauses involve data migration and retention. When switching providers, the contract should clearly define how long it will take to receive the data and in what format, ensuring compatibility with the new system. For example, data exported as a spreadsheet may not import cleanly into the new system—a challenge Salman says is especially common with the orthodontist’s notes section. Equally important is a data destruction policy.

“What I always say is every place your data exists increases your risk,” Salman says. “Practices really need to understand where their data resides and what the data retention and data destruction policies are for those organizations.” The contract must stipulate that the vendor will destroy all patient data after a specified time, once all federal and state retention requirements are met.

DEBUNKING THE “HIPAA COMPLIANT” BUZZWORD

Many practices are lulled into a false sense of security by cloud-based vendors who market their products as “HIPAA compliant.” Salman warns that this label does not guarantee immunity from a breach. Cloud-based systems are frequent targets for hackers, and several dental cloud technologies have suffered ransomware attacks that brought down their servers for days.

To verify a vendor’s security posture, Salman advises practices to perform their own risk assessment. This can include penetration testing, where an ethical hacker attempts to breach the system to identify vulnerabilities. Practices should also confirm that vendor employees with access to PHI have undergone both HIPAA and cybersecurity awareness training.

Beyond these federal mandates related to HIPAA, orthodontic practices must also navigate state-specific data privacy and breach notification laws. These regulations often impose stricter timelines, broader definitions of personal data, and additional reporting requirements that can exceed HIPAA’s baseline.

THE ANATOMY OF A DATA BREACH

The financial and operational damage from a ransomware attack can be catastrophic, with recovery costs often starting at $250,000. “I think a lot of doctors don’t understand the severity of these events,” Salman says. “You are dealing with hardened criminals. They steal, they extort, and they cause as much pain as possible to basically guarantee that you’re going to pay them hundreds of thousands or millions of dollars.”

The moment a cyber event is suspected, the practice must execute a “hard pause,” assuming the entire network has been compromised. The next call should be to their cyber insurance carrier to open a claim. The carrier will then engage a law firm specializing in data privacy, which in turn brings in an incident response company like Black Talon Security to conduct a forensic investigation. This team determines if records were accessed or stolen and whether a ransom payment is necessary to prevent the data from being sold on the dark web or used to threaten patients directly.

If a breach is confirmed, the practice must report it to the State Attorney General and the Department of Health and Human Services Office for Civil Rights. At this point, Salman says, practices should prepare for multiple class-action lawsuits, as predatory law firms monitor public breach disclosures to recruit affected patients as plaintiffs.

BUILDING A PROACTIVE DEFENSE

Preventing an attack is far better than responding to one. Salman recommends several key defensive measures. First, employees should receive regular cybersecurity training on best practices, such as using password managers and always logging out of software.

Second, practices should use vulnerability scanning tools that identify and automatically fix misconfigurations and unpatched software—common entry points for hackers. Third, every practice needs industry-standard, AI-based antivirus software like SentinelOne or CrowdStrike, configured by security engineers and monitored 24/7 by U.S.-based security specialists.

Finally, Salman advocates for a crucial separation of duties. “You have to have checks and balances within your network. You can’t have your IT company auditing their own network for security,” he says. “Let IT do IT, and let cybersecurity companies identify and address your cyber risk.”

Photo: ID 19472032 © Cammeraydave | Dreamstime.com

Jane Kollmer is a contributing writer for Orthodontic Products.