MacPractice Secures ePHI with Built-in Industry Standard AES Encryption

Data encryption makes the patient data you collect and maintain, Electronic Protected Health Information (ePHI) as defined by HIPAA, indecipherable to anyone who does not hold your unique encryption key.

Data written to your disks is called 'data at rest'. Your practice management and imaging database(s) should be protected by a strong, unique password and should themselves be encrypted. Be aware: some practice management software has been found to use the same easily discoverable, hardcoded database password for every practice.

Data passed back and forth on your network between your server and the terminals in your office, or to and from outside locations (including remote secondary offices), is called 'data in motion'. Data in motion also includes emails, text messages and any other electronic communication you have with patients, as well as with other practitioners and insurance carriers about patients.

Most doctors assume that their patients' data is protected by their software. But what if it's not as secure as they think it is? What if the software you thought was using the industry-standard (NIST) encryption required by HIPAA is actually making you liable for HIPAA fines? In the event one of your office computers holding ePHI at rest is lost or stolen, you are required to notify all of your patients and the public. However, if that data is encrypted, you qualify for 'Safe Harbor' * and need not notify.

Ransomware is malware that an attacker installs covertly on the victim's computer. The attacker then carries out a cryptovirology attack that seizes the affected computer (and its data) and demands payment to restore it to the state it was in before the attack. Advanced versions of this malware will shut a practice down for good until the ransom is paid, either by payment vouchers or in bitcoin.

There are two main forms of Ransomware. The first, Locker Ransomware, denies you access to your computer or device. The second, Crypto Ransomware (currently the most common), prevents access to certain files and data: you can still use the computer, but you cannot open the affected files.

The first wave of modern Ransomware appeared in the wild in 2005, and attacks have been steadily on the rise since 2012, now reaching 4,000 per day (up from 1,000 per day in 2015).

In 2015, the data security firm Symantec published this report on the evolution of Ransomware.

Virtually every Ransomware occurrence has targeted PCs running the Windows operating system (possibly because Windows-based computers make up almost 90% of the market and Apple has proven to be a hard nut to crack).

In the history of Ransomware, there have been millions of Ransomware attacks on PCs and ONLY ONE on Apple (and it was shut down within hours by Apple). Experts say the closed nature of Apple's App Store and its faster distribution of updates help to close vulnerabilities. Either way, it's easy to see that Apple computers are significantly less likely to be affected by Ransomware than PCs.

Typically, malware infects a computer through a misleading app or a fake antivirus scam. In 2015, the six countries most affected by all types of Ransomware were the United States, Japan, the United Kingdom, Italy, Germany and Russia.

The government has published this short overview of Ransomware along with some recommendations on how to protect yourself. You will notice that the only system affected in this report is Microsoft Windows.

Here's the takeaway: Ransomware is a growing reality, and physicians and their patients' data are an emerging target.

HIPAA: It's Your Responsibility to Know

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

How does HIPAA fit in?

HIPAA establishes extensive requirements for protecting PHI and ePHI throughout your practice. 2016 is expected to be the year for auditing practices for HIPAA compliance. Did you know that fines could reach $1,500,000?

HIPAA requires doctors to protect the personal identity and health information of patients. Your practice management and clinical software can either facilitate this, or it can expose you to liability for not having encrypted your patients' data. HIPAA requires a Business Associate Agreement (BAA) with every person or business that has access to patient information and is not an employee. There are numerous other HIPAA regulations like this that are outside the scope of this article.

You cannot afford to be on the wrong side of this complicated issue. Your patients expect you to protect the personal identity and health information they have entrusted to you, and they expect you to comply with HIPAA Privacy and Security Rules.

Does your software secure your patients' information?

Without question, your practice should be using software that uses industry-standard AES data encryption and integrates secure messaging to protect your patients' information (ePHI) and communications. But does it?

What should you do?

First and foremost, take responsibility. Ask the developer whether your software encrypts your patients' data using industry-standard AES encryption. Request third-party verification. Unfortunately, it is quite possible that if your software is not MacPractice, it is not encrypting your patients' data, which means you are violating HIPAA and are susceptible to fines.

Although it only addresses encryption of data at rest, consider using full disk encryption on all of your computers and backup media. You can use Apple's FileVault on OS X or BitLocker on recent versions of Windows.

Implement secure email in place of the standard email you are very likely using now, preferably using the industry-standard Direct protocol.

* Effective July 1, 2016, the State of Tennessee Breach Law requires persons to be notified of a breach if name, SSN and credit/debit card information has been compromised. This law applies to encrypted files as well as non-encrypted files.