Guest post by Mark Hollis, CEO and co-founder of MacPractice, Inc.
Some people jokingly say they’re “addicted” to their smartphones or to browsing online. They use their devices to visit social media platforms and websites and send texts throughout the day. But the vulnerability created by these activities for employers is no joke, and the risks extend to every industry, including healthcare, since most data breaches are caused by human error.
In doctor’s offices and other clinical operations, the risk is especially acute for providers who use cloud-based systems that require constant connection to the internet. The always-connected nature of these solutions exposes offices to ransomware and malware designed specifically for Windows, which can exploit the internet connection to steal sensitive patient information.
While many high-profile hacking and ransomware incidents have occurred over the past several years, security experts project that 2017 will be even worse as cybercriminals exploit new vulnerabilities introduced by the Internet of Things (IoT) and hackers increasingly turn to Distributed Delay of Services (DDoS) attacks. These are techniques for data theft that are only used to compromise remote data centers with shared servers, commonly called ‘the cloud’.
Practice leaders can respond with training, instructing staff on how to avoid “phishing” scams, fake web sites, fake links, and other temptations and traps, but stopping hackers will take a concerted and comprehensive effort. Encryption, platform and common sense security measures can all play a key role in protecting patient data.
Encryption’s Role in Data Protection
Encryption — the use of an algorithm to make data indecipherable to criminals without an encryption ‘key’ — is an essential component of data security. To comply with HIPAA standards, practices should use software and/or hardware that utilizes Advanced Encryption Standard (AES), the only standard that can be called encryption according to the National Institute of Standards and Technology (NIST).
HIPAA requires that providers use secure, encrypted email. HIPAA also states that providers have a duty to encrypt electronic patient health information (ePHI) that is ‘at rest’ (i.e., on a server, terminal, backup device, etc.) and ‘in motion’(i.e., traveling through an office network or to and from remote connections, etc.) and that their database be further protected with a unique, encrypted password.
Unfortunately, most practice software does not have built-in AES encryption and some do not even have a unique password. Practices with software that does not have built-in encryption who use Windows will have to purchase outside expertise to implements and monitor security and make to help them be HIPAA compliant with regard to encryption.
Platform and Security’s Role in Keeping Data Safe
Practices that use Windows software without built-in encryption must pay for IT security services to deploy encryption on every device that houses ePHI. Mac users can handle the safety of data at rest by turning on FileVault in preferences. This is a glaring example of the difference platforms make in keeping data safe and the cost to the doctor.
Virtual private networks (VPNs) are an option for practices to compensate for practice management and EHR software that does not encrypt data in motion, but VPNs increase costs and complexity and can degrade network responsiveness. But even with a VPN, practices must make sure their software provides a unique, encrypted database password; otherwise, they’re well advised to get software that does.
Hacking is on the rise, and ransomware is a huge problem for practices that operate on Windows. In March 2016 alone, 56,000 Windows users reported attacks. Practices that use native Mac software have not been affected by ransomware. Macs are also less expensive to operate in the long run: IBM gave employees the option to use PCs or Macs and found that each PC required twice as much support and cost IBM $535 more than a Mac during a four-year period.
Cloud software and hosting server farms aren’t the solution: Malware, including ransomware, can infect every device that connects to an infected computer, including offsite cloud servers and backup devices. The FBI says the only sure way to recover is to restore data from an uninfected backup that is not connected, followed by reformatting devices.
Note about “the cloud”: You have heard from cloud vendors that “everyone is going to the cloud.” What you may not have heard is that 40 percent of organizations that migrated their data and applications to the cloud are now bringing all or some of them back because of security and cost concerns. Also a recent survey of dentists indicated that of the top dental software perhaps no more than 3 percent of dentists are using cloud software, although it has been available to them for eight years.