By Mark Hollis, CEO and Co-Founder, MacPractice, Inc.
Twitter: @MacPractice
It’s an accepted part of everyday life — people text, shop online, use social media platforms or browse the internet using whatever device they’re carrying or seated in front of, even at work. Many employers shrug off the thought of lost productivity, reasoning that if people weren’t online, they’d be chatting with coworkers or doing something else instead.
But it’s more than a productivity issue; connected devices can pose a significant risk to healthcare organizations. The fact is, many high-profile data breaches are traced back to employee error. Doctors’ offices and other clinical organizations are at risk, especially since many use cloud-based systems that are always connected, which can expose offices to malware infections.
Unfortunately, there’s no end in sight to the danger of hacking and malware such as ransomware. Experts expect the dangers to grow as hackers exploit new endpoints created by devices and sensors that are connected to the Internet of Things (IoT). Distributed Delay of Services (DdoS) attacks are also on the rise, making practices vulnerable to the loss of crucial operating systems.
Clinical organizations are fighting back by training staff to avoid “phishing” attacks and other scams that expose systems to hacking. But employee training alone won’t eliminate the danger; hackers are always working on new angles to gain access to sensitive data. Encryption, platform and cloud security solutions are important in protecting data — and ensuring practice success.
How Encryption Protects Data
Using an algorithm to render data indecipherable without a key, also known as encryption, is a cornerstone of data security. HIPAA requires clinical organizations to use encryption that meets Advanced Encryption Standard (AES), as certified by the National Institute of Standards and Technology (NIST), as well as secure, encrypted email.
Under HIPAA regulations, providers must protect electronic patient health information (ePHI) when it is “at rest” on a server, backup device, etc., as well as when it is “in motion,” e.g., being transmitted within a network located in a provider’s office or to other locations. The protection must be in the form of a unique AES-encrypted password.
However, most practice software doesn’t feature built-in AES encryption with a unique password, and that can be a costly problem for the practices and healthcare organizations that use this type of software. The only solution is to find software that does include the protection or pay for an outside expert to monitor security and ensure compliance with HIPAA regulations.
How Platform Design and Cloud Security Keep Data Safe
While practices that use Windows software without built-in encryption must pay for IT security services to deploy encryption on every device that houses ePHI, Mac users can handle the safety of data at rest by simply turning on FileVault (checking a box) in macOS X preferences. This is a glaring example of the difference operating system platforms make in keeping data safe and controlling the cost to the doctor.
Virtual Private Networks (VPNs) are an option for practices to compensate for practice management and EHR software that does not encrypt data in motion, but VPNs increase costs and complexity and can degrade network responsiveness. And even with a VPN, practices must make sure their software provides a unique, encrypted database password; otherwise, they’re well advised to get software that does.
Hacking is on the rise, and ransomware is a huge problem for practices that operate on Windows. In March 2016 alone, 56,000 Windows users reported attacks. Practices that use native macOS software have not been affected by ransomware. Macs are also less expensive to operate in the long run: IBM gave employees the option to use PCs or Macs and found that each PC required twice as much support and cost IBM $535 more than a Mac during a four-year period.
Cloud software and hosting server farms aren’t the solution: Malware, including ransomware, can infect every device that connects to an infected computer, including offsite cloud servers and backup devices. In April, Greenway Health, an EHR vendor, reported that 400 client organizations using their Intergy cloud hosted software were affected by ransomware, and some were not able to access all their data in the cloud for weeks.
The FBI says the only sure way to recover is to restore data from an uninfected backup that is not connected, followed by reformatting devices.
Keeping Your Organization Safe and Successful
With hacking on the rise, patients are worried about their information being stolen and exploited. Tech-savvy patients look for evidence that their clinicians are keeping their data secure, so providers who use best practices can advertise that fact in their offices and on the Internet to improve their appeal to patients. Data safety is quickly becoming a marketplace issue.
Clinicians who let patients know they use encryption to protect data can reassure those who are concerned about hacking, but the fact is, encryption and other security measures are vital to the health of a clinical practice too. The penalties for data breaches can be severe, and the reputational hit might be even worse. The bottom line is that using best practices like encryption to improve data security helps both clinicians and patients.