HIPAA Security - Windows/Cloud Disadvantages
MacPractice Secures EPHI with Built-in Industry Standard AES Encryption
MacPractice has achieved ONC-ACB 2014 Certification and is one of only a few software developers that invested the considerable time, resources and money to obtain certification to protect patient data using industry-standard NIST encryption.
Data encryption makes patient data collected and maintained by you, Electronic Protected Health Information (EPHI) as defined by HIPAA, indecipherable by hackers without your unique encryption key.
Data written to your disks is called 'data at rest'. Your practice management and imaging database(s) should be protected by a strong password that is unique and also encrypted. Be aware - some practice management software has been found to have the same, easily discoverable, hardcoded database password for every practice.
Data passed back and forth on your network between your server and terminals in your office, or from outside (including remote secondary offices) is called 'data in motion'. Data in motion also includes emails, text messages and any other electronic communication you have with patients as well as other practitioners and insurance carriers about patients.
Most doctors assume that their patient's data is protected by their software. But what if it's not as secure as they think it is? What if your software that you thought was using industry-standard (NIST) encryption required by HIPAA is actually making you liable for HIPAA fines? In the event one of your office computers with EPHI data at rest is lost or stolen, you are required to notify all of your patients and the public. However, if your data is encrypted, you qualify for 'Safe Harbor'* and need not notify.
Ransomware is a computer malware that a hacker installs secretly on the victim's computer. The hacker then executes a cryptovirology attack that seizes the effected computer (and it's data) and demands payment to restore it back to the way it was before the attack. Advanced versions of malware will shut a practice down for good until the ransom is paid either by payment vouchers or bitcoins.
There are two main forms of Ransomware. The first is Locker Ransomware which denies you access to your computer or device. The second Crypto Ransomware (currently the most popular these days) prevents access to certain files and data – although you can still use the computer, you cannot access certain files.
The first wave of modern Ransomware occurred in the wild in 2005 but has been steadily on the rise since 2012 with 4,000 attacks occurring per day (up from 1,000 per day in 2015).
In 2015, data security authority Symantec put out this report on the evolution of Ransomware.
Virtually every Ransomware occurrence has been targeted at PC's in a Windows operating system (possibly because Windows-based computers make up almost 90% of the market and Apple has proven to be a hard nut to crack).
In the history of Ransomware, there have been millions of Ransomware attacks on PC's and ONLY ONE on Apple (and it was shut down within hours by Apple). Experts say the closed nature of Apple's App Store and it's faster distribution of updates helps to close vulnerabilities. Either way, it's easy to see Apple computers are significantly less likely to be effected by Ransomware than PCs.
Typically, malware infects a computer through a misleading app or a fake antivirus scam. In 2015, the top six countries impacted by all types of Ransomware were the United States, Japan, United Kingdom, Italy, Germany and Russia.
The government has published this short overview of Ransomware along with some recommendations on how to protect yourself. You will notice that the only system affected in this report is Microsoft Windows.
Here's the takeaway. Ransomware is a growing reality and physicians and their patients data are an emerging target.
HIPAA: It's Your Responsibility to Know
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
How does HIPAA fit in?
HIPAA establishes extensive requirements for protecting PHI and EPHI throughout your practice. 2016 is expected to be the year for auditing practices for HIPAA compliance. Did you know that fines could reach $1,500,000?
HIPAA requires doctors to protect the personal identity and health information of patients. Your dental practice management and clinical software can either facilitate this, or it can expose you to liability for not having encrypted your patient's data. HIPAA requires a Business Associate Agreement (BAA) with every person or business with access to patient information, who is not an employee. There are numerous other HIPAA regulations like this outside the scope of this article that also apply to dental practices.
You cannot afford to be on the wrong side of this complicated issue. Your patients expect you to protect the personal identity and health information they have entrusted to you, and they expect you to comply with HIPAA Privacy and Security Rules.
Does your software secure your patient's information?
Without question, your practice should be using software that utilizes industry-standard AES data encryption and integrate secure messaging to protect your patient's information (EPHI) and communications. But does it?
Did you know that, "Henry Schein...will pay $250,000 to settle Federal Trade Commission charges it falsely advertised the level of encryption it provided to protect patient data...and, in doing so, ensured that practices using its software would protect patient data, as required by the Health Insurance Portability and Accountability Act (HIPAA)."
Conversely, if your software obtained ONC-ACB 2014 Certification, the developer represented to an ONC-Authorized Certifying Body that your data is encrypted at rest and in motion. MacPractice is one of only a few dental software developers that invested the considerable time, resources and money to obtain certification.
What should you do?
First and foremost, take responsibility. Ask the developer if your software encrypts your patient's data using industry-standard AES encryption. Request third party verification. Unfortunately, there is a likely possibility that if your software is not MacPractice, it is not encrypting your patient's data, which means you are violating HIPAA and are susceptible to fines.
Although it can only help address encryption of data at rest, consider using full disk encryption on all of your computers and backup media. You can use Apple's FileVault for OS X or BitLocker in recent versions of Windows.
Implement secure email instead of the standard email you are very likely using now, preferably using industry-standard Direct protocol.
* Effective July 1, 2016, State of Tennessee Breach Law requires persons to be notified of a breach if name, SSN and credit/debit card information has been compromised. This law applies to encrypted files as well as non-encrypted files. Read More
- Serious Cloudflare bug revealed secret user data from major websites
- IT leaders say it's hard to keep the cloud safe
- 64% of Windows users would consider switching to Mac in light of Windows 10 privacy issues: report
- Survey: 44 Percent of Consumers Worry Their Personal Health Data Will Be Stolen
- 25% of Healthcare Orgs Not Encrypting Patient Data in Cloud
- How to prevent a bad case of cloud buyer’s remorse
- Five certainties to drive healthcare IT strategy in the New Year
- Ransomware attacks against providers likely to soar
- Breach affects data of 400,000 members of Washington plan
- Huge LA County cyberattack affects 756K individuals
- Microsoft, Intel, IBM Push Back on China Cybersecurity Rules
- How Windows 10 data collection trades privacy for security
- 7 Security Predictions for 2017
- FBI Warns Internet Online Attacks on Private Industry Will Continue
- Major DDoS attack on Dyn DNS knocks Spotify, Twitter, Github, PayPal, and more offline
- 'Unprecedented' cyberattack involved tens of millions of IP addresses
- Chinese firm admits its hacked products were behind Friday's massive DDoS attack
- Dyn DDoS attack exposes soft underbelly of the cloud
- World’s Biggest Data Breaches Continues To Grow
- Yahoo says 500 million accounts stolen in one of the largest cybersecurity breaches ever
- Health System contends PHI wasn't compromised in cyber attack that incapacitated systems for 20 days
- The healthcare industry lacks a consistent mechanism for sharing information when cybersecurity issues occur
- Ransomware Statistics In 2016 Are Staggering
- PC's are more vulnerable than Macs
- Cloud Services Are Not As Safe
- Cyber Security Is A Big Problem