Recent events have made it imperative for practices to take note of cybersecurity weaknesses in their current practice software. If they don’t, doctors and office managers put their patients at risk, are liable for steep legal consequences, and jeopardize the future of their careers. Here’s what every doctor and office manager absolutely needs to know about securing electronic protected health information (ePHI).
Unless you’re a hacker, a spy, or have worked for the government, data encryption is not at the top of your mind. Unfortunately, as the world becomes more digital each day, it is virtually impossible not to have your personal information spread around the World Wide Web in some way. Think about it: your credit card company, your bank, and your doctor each have enough of your valuable personal information sitting on their computers or traveling over the Internet for your identity to be stolen by a hacker.
As a doctor or office manager, complying with HIPAA to protect patient health information, including x-rays and photos, is your responsibility. Ignorance is not a defensible excuse for not understanding the rules and doing everything you can to protect yourself and your patients. It’s important to understand the principles of data encryption and secure email, and you need to know how they can affect your practice and your patients.
Here I will present the five “need-to-know” items for every doctor and office manager when it comes to data encryption.
1. What is data encryption?
Data encryption renders the patient data you collect and maintain, “electronic protected health information” (ePHI) as HIPAA defines it, unreadable to anyone who does not hold your unique encryption key.
2. Data at rest vs. data in motion: know the difference
Data written to your disks is called "data at rest." Your practice management and imaging database(s) should be protected by a strong, unique password, and the data itself should be encrypted. Recently, the most prevalent practice management software on the market was found to ship the same, easily discoverable, hard-coded database password for every practice. Unbelievable, but true. If you're a user of this software, you need to know the details.
Data passed back and forth on your network between your server and terminals in your office, or from outside (including remote secondary offices), is called "data in motion." Data in motion also includes e-mails, text messages, and any other electronic communication you have with patients, as well as other practitioners and insurance carriers.
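The following is an added example, not MacPractice code or anything the article’s software vendors ship. It shows what “encrypted at rest” means in practice for one ePHI record using AES-256-GCM from the Go standard library, and why a per-practice key matters: a record sealed under practice A’s key cannot be opened with practice B’s key, which is exactly the protection a single hard-coded password shared by every installation throws away. The record ID is bound as associated data so a stored blob cannot be moved to another patient’s slot, and any byte flipped on disk is detected on decryption. The JSON record and the IDs are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewPracticeKey returns a fresh 256-bit AES key. Each practice must hold its
// own key; a key shared by every installation of a product is no better than
// the hard-coded database password described above.
func NewPracticeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one ePHI record with AES-256-GCM. A random nonce is
// prepended to the ciphertext; recordID is bound as associated data so the
// sealed blob cannot be silently swapped into another patient's record.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptRecord reverses EncryptRecord. It fails if the key is wrong, the
// record ID does not match, or any byte of the stored blob was altered.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, sealed := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(recordID))
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"J. Doe","dob":"1970-01-01","note":"x-ray 2016-01-12"}`)

	practiceA, _ := NewPracticeKey() // this office's key
	practiceB, _ := NewPracticeKey() // a different office's key

	blob, err := EncryptRecord(practiceA, "rec-1001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext; plaintext never reaches disk\n", len(blob))

	if plain, err := DecryptRecord(practiceA, "rec-1001", blob); err == nil {
		fmt.Println("own key opens the record:", string(plain))
	}
	if _, err := DecryptRecord(practiceB, "rec-1001", blob); err != nil {
		fmt.Println("another practice's key is rejected:", err)
	}
	if _, err := DecryptRecord(practiceA, "rec-2002", blob); err != nil {
		fmt.Println("record bound to the wrong ID is rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered byte on disk
	if _, err := DecryptRecord(practiceA, "rec-1001", blob); err != nil {
		fmt.Println("tampered record is rejected:", err)
	}
}
```

The key itself is the part that still needs protecting: in a real deployment it lives in a key store or is unlocked by the practice’s own passphrase, never inside the application binary or a vendor-wide default, or the encryption adds nothing over the hard-coded password problem described above.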
3. How does HIPAA apply?
HIPAA requires that doctors protect patients’ personal identity and health information at rest and in motion using AES encryption at a minimum.
2016 is expected to be the year for auditing practices for HIPAA compliance. Fines can reach $1,500,000. Your patients expect you to protect the personal identity and health information they have entrusted to you. Patients expect you to comply with HIPAA privacy and security rules.
4. Make sure your software secures your patient’s information
Without question, you should be using software that utilizes industry-standard AES data encryption and integrates secure messaging to protect your patients’ information and communications. Recently, the largest dental software company was fined $250,000 to settle Federal Trade Commission charges that it falsely advertised the level of encryption it provided to protect patient data. Up until February 4, you can comment on the FTC proposed settlement. But a $10 billion company being fined is small potatoes compared to the bigger story: most dental software isn’t encrypting patient data at all.
The level of encryption matters. My company, MacPractice, has been aware of this for many, many years. Yet, remarkably, MacPractice DDS is one of only a few single-database practice management and EHR software programs that is ONC-ACB Certified, meaning your data is encrypted at rest and in motion. That also means this data (and you) qualify for “safe harbor” and are not required, as you would be otherwise, to report a breach to the US Department of Health and Human Services (HHS), to your patients, and to the media.
5. How do you protect yourself?
Ask your software company whether your software has built-in AES encryption (you might want to request third-party verification) for both data at rest and data in motion.
If your software is not using AES encryption, consider full disk encryption on all of your computers and backup media with Apple’s FileVault for OS X or BitLocker in recent versions of Windows. Retain an IT consultant to help you purchase equipment and to install a VPN for your network and for outside connections. Keep in mind: There will likely be some performance degradation.
In addition, implement secure email instead of the standard email you are very likely using now, preferably using industry-standard Direct messaging, from within your software if possible. Using standard email in your practice is like driving your car underwater, letting it air out for a few days, and then saying it’s clean and ready to go. Unfortunately, it’s just not true.
Take these five points to heart, keep up with the latest in practice management software considerations, and you, your practice, and your patients will be protected.
More information about HIPAA security rule requirements, encryption, and direct messaging is available at www.macpractice.com/hipaasecurity.