Do you need the penetration test?
Don’t worry, I’m not about to delve into the wet fingers stuff – this is a different penetration test (no smirking at the back). The idea came to me after hearing a radio programme about cyber crime. They interviewed someone who had been employed as a Penetration Tester. A penetration test (a.k.a. pentest, intrusion detection and red teaming) is, it seems, a well-known and recognised process in the worlds of cyber security and IT governance. Essentially, it is an evaluation of the security of IT systems by trying to exploit vulnerabilities before hackers and criminals can. It goes beyond looking at operating systems and software to include improper configurations and risky operator or end-user actions.
My idea is that dental practices should evaluate their governance vulnerabilities by what I’m calling a ‘dentest’. In other words, before CQC inspectors mark you down, the GDC writes a disapproving letter or a patient uses your complaints procedure, you should check whether your systems or staff can be faulted. There might be several ways to do this. In the wider world, reformed hackers and fraudsters are often employed for such tasks. However, I don’t recommend scouring the GDC’s list of erased dentists. It is much more sensible to keep it in-practice.
This is where that irritating team member who is always finding fault and asking endless questions comes into their own. Divide activities in the practice into manageable chunks and set them the task of ‘penetrating’ them one at a time. In theory, they need expertise in an area to be able to exploit any vulnerabilities. Otherwise, how will they know whether, for example, decontamination procedures are being followed correctly?
A journalistic trick
Fortunately, such in-depth knowledge is not required. How do you think Jeremy Paxman managed to get politicians to squirm night after night? How does the team on Channel Four News report on a variety of different topics with apparent authority? The answer lies in what journalists and reporters learn on their first day at university – the ‘5 W’s’ – Who? What? When? Where? Why? and How? (yes, I know there’s also an ‘H’). Ask these questions persistently enough and you’re bound to get the answers (or not) on virtually every topic.
Take decontamination procedures. Your ‘dentester’ needs to be given half an hour during which they ask the 5 W (and 1 H) questions of, initially, virtually anyone in the practice. Anyone? Yes, because they might start by asking the practice manager: “Who is responsible for decontamination?” With that answer, they could ask the person or persons named: “What is the decontamination procedure?” Then follow up with: “Where is it done? Why? How?”
Any reply along the lines of “I don’t know”, “I’m not sure”, “I’d have to ask” or “I can’t remember” suggests a vulnerability.
If they began with a receptionist, they might get the answer: “I don’t know”, which they can follow up by asking: “Who will know?” If the receptionist says the practice manager, the dentester is off and running. If the receptionist doesn’t know, that suggests a vulnerability – each member of the team should know what roles and responsibilities other members, especially senior staff, have.
Now the dentester, or another member of staff with an equally enquiring mind, could play at being a patient. They could ask any team member: “How do I make an appointment?”, “How do I make a complaint?”, “When is the hygienist available?”, “Where is the nearest car park?”, “How much do implants cost?” Depending on whether they questioned the part-time Associate or a receptionist, they should be given either the name of the person who will know or the actual answer. The dentester proceeds to ask more questions, as before.
The learning points
The dentester’s work is, of course, wasted unless you ensure the vulnerabilities he or she uncovers are shared with the team and corrections discussed and implemented. Also, a dentest is neither a one-off exercise nor a standalone one. With new compliance requirements coming on stream all the time, new systems being introduced and new staff joining the team, vulnerabilities may surface again – so regular dentesting is required.
Also, you may wish to enlist a ‘secret shopper’ to check for vulnerabilities. Obviously it needs to be a person you can trust and who will respect confidentiality. Perhaps someone from your plan provider or the dental lab you use or, better still, your favourite dental business management consultant…
© Nicki Rowland, GDPUK Ltd 2016