When replacing these devices, it becomes imperative that you not only have a solid Business Associate Agreement with that vendor to ensure they take financial responsibility in the event they breach that data, but you should also perform Media Sanitization and/or disposal of the data before removing it from your facility.

Case in point — we had a client that allowed us to perform Media Sanitization on a vendor provided computer before it was removed from the building a few months ago.  To test whether or not the vendor would wipe the computer before selling it to another dentist, we left a monitoring agent installed.  Last week that computer checked in with it’s new IP address and location.  NOTHING HAD BEEN DONE TO RESET THE COMPUTER BEFORE SELLING IT TO ANOTHER DOCTOR!

Sadly, this is the current state of security in dental.  It is up to you and your IT Provider to ensure that ALL devices are scrubbed before you let them out of your sight.

The FBI recently sent out a Public Service Announcement discussing IoT devices (“smart” devices) as the following:

• Home automation devices (e.g., devices which control lighting, heating and cooling, electricity, sprinklers, locks);
• Security systems (e.g., alarm systems, surveillance cameras);
• Medical devices (e.g., wireless heart monitors, insulin dispensers);
• Wearables (e.g., fitness trackers, clothing, watches);
• Smart appliances (e.g., refrigerators, vacuums, stoves);
• Office equipment (e.g., wireless printers, computer mouse, outlets, interactive whiteboards);
• Entertainment devices (e.g., DVRs, TVs, gaming systems, music players, toys); and  Hubs (devices that control other IoT devices through a single app).

They suggest never keeping devices default settings and isolating devices on their own networks, utilizing firewalls and keeping updates current for the best possible protection.

It also helps to ask your IT guy before letting anything in or out of your practice too….