Healthcare Technology Featured Article

February 07, 2017

Securing Healthcare Data with the Right Encryption Strategy and Platform

Many people are inseparable from their smartphones and computers, constantly using them to text, email and browse the Internet. Doctors and their staff are no exception, and that creates serious potential problems, since most data breaches are attributed to human error on a connected device.

Healthcare offices that use cloud-based solutions are especially at risk since the systems require a constant Internet connection, and the Internet is the conduit for ransomware and malware designed to access and steal patient data.

Security experts are predicting for 2017 the destruction of critical infrastructure and increased data theft that leverage glaring security holes created by the Internet of Things (IoT), along with increasing Distributed Denial of Service (DDoS) attacks like those that brought down the Dyn Domain Name System and high-profile Web domains across the U.S. in 2016.

Practice leaders can and should train staff to avoid “phishing” schemes, but even tech-savvy corporations and government agencies with huge cybersecurity budgets fall victim to data theft. And sophisticated crimefighting organizations like the FBI are helpless to stop it.

Keeping cybercriminals at bay is a serious challenge, but practices must find a way to secure data because patients are counting on them. Keeping personal and health information safe is critically important from both a patient trust and practice success standpoint.

How Encryption Can Help

Encrypting data with an algorithm that renders it indecipherable without an encryption key is essential. The National Institute of Standards and Technology (NIST) has certified Advanced Encryption Standard (AES) as the industry standard that complies with HIPAA.

HIPAA requires providers to protect electronic patient health information (ePHI) that is “at rest” (i.e., on a server, terminal, backup device, etc.) or “in motion” (i.e., traveling through an office network or to and from remote connections, etc.) with a unique AES encrypted database password. HIPAA also requires use of secure, encrypted email.
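As an added illustration of the "at rest" requirement above (example code written for this article, not MacPractice's or any vendor's software), the following Go program seals a patient record with AES-256-GCM so that it is indecipherable without the key and any alteration of the stored blob is detected on decryption; the record and the key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts a record at rest; a random nonce is prepended and the GCM tag lets open detect tampering.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or any stored byte was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // example only: real keys come from a key store, never source code
	rand.Read(key)
	record := []byte("patient=Jane Doe;dob=1970-01-01;dx=J45.20") // constructed sample, not real ePHI
	sealed, _ := seal(key, record)
	back, err := open(key, sealed)
	fmt.Printf("stored: %x\nrecovered: %s err=%v\n", sealed, back, err)
}
```

Because GCM authenticates the ciphertext, a wrong key or a flipped byte in the stored blob makes open return an error instead of garbage.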

Healthcare professionals may assume that their practice software has built-in AES encryption and a unique password, but unfortunately, most software doesn’t. Offices whose software integrates secure email and faxing, word processing, attachments, imaging and electronic health records (EHR) along with billing in a single database with built-in encryption are ahead of the curve; their HIPAA privacy officers will be able to easily monitor and maintain security at lower or no additional IT provider cost for this service.

But how can practices without an integrated, encrypted system protect their vital patient data? That depends in part on which platform they use and whether they’re connected to the cloud.

The Importance of Platform and Cloud Security

Practices using software without built-in encryption that operates on Windows can shore up security by purchasing IT services to ensure encryption is deployed on every device that houses ePHI. On the Mac operating system, end users can simply turn on FileVault in preferences to safeguard data at rest.

For practices that don’t use software that automatically encrypts data in motion, a virtual private network (VPN) is an option, though it typically increases costs and degrades network response. But if the database password is not unique and encrypted — and this is the case in some major practice software products — there’s really no way to correct this deficiency except by changing software.

It’s important for practices to promptly address any deficiencies because malware and ransomware attacks are on the rise. HIPAA considers a ransomware attack to be a data breach that must be reported by providers who don’t qualify for Safe Harbor protection, and of course, paying the ransom is no guarantee of liberating data or that the data will not be stolen and sold later on the dark net. Worse yet, about half of those who fall victim to malware will be attacked again within a month or two.

Ransomware is prevalent among practices that use the Windows operating system, and it is a growing problem, with millions of users reporting attacks — 56,000 in March 2016 alone. The Electronic Protected Health Information of practices that use native macOS software has not been affected by ransomware.

More than 100,000 IBM employees use Macs, and IBM relies upon macOS’s built-in application authentication and virus protection instead of the third-party software and hardware it purchases and installs on 400,000 Windows PCs. In 2015, IBM decided to offer its employees the option of using Macs versus PCs. To its surprise, IBM found that PCs are 3X the cost to manage, require 2X the support, and that every PC cost $535 more over four years than Macs. As of October 2016, after supporting Macs for 17 months, 73 percent of IBMers expressed a preference for Macs. These numbers are derived from readily measurable data and do not account for the productivity benefits of greater user satisfaction, reduced downtime, and ease of use.

Unfortunately, cloud software and cloud hosting server farms don’t offer adequate protection from malware, including ransomware, which can affect every device connected to the infected computer, including cloud servers and backups. According to the FBI, the only certain way to recover is to restore data from an uninfected, disconnected backup and reformat devices.

There are 300,000 unfilled cybersecurity jobs in the U.S. alone, 1M worldwide according to Forbes, and, according to a Cisco report, the cybersecurity shortfall worldwide will increase to 1.5M by 2019. The jobs are unfilled because there is a shortage of qualified applicants, and that is not expected to change anytime soon.

The Business Case for Data Security

People are worried about the safety of their identity and health information, and for good reason, since news reports of high profile data breaches are increasingly common. And since about half of patients now select their doctors online, many are looking for evidence that the practice they’re considering takes its obligation to protect data seriously.

This is an opportunity for healthcare providers who want to stand out in the marketplace. By informing patients (via registration documents, practice website, online and print advertising, signs in the office, etc.) that they use software that encrypts and protects data, healthcare professionals can gain an edge over competitors.

In addition to establishing greater levels of trust with patients, healthcare professionals who use encrypted software on a secure platform can also reduce their practice’s exposure to HHS rules that require reporting breaches to HHS, their patients, and prominent media, as well as state and federal fines and possible criminal charges. But the bottom line is, protecting data is the right thing to do: it benefits both doctors and patients. 

About the Author

Mark Hollis, CEO and co-founder of MacPractice, Inc., developer of Mac and iOS native MacPractice software with 30,000 users, was practice management consultant to more than 600 practices in the New York metropolitan area for 25 years before cofounding MacPractice in May 2004.

Mark’s articles on security, Ransomware, HIPAA compliance, EHR incentives, all-in-one design, paperless, mobile, online services, etc. have appeared in numerous publications.

Edited by Alicia Young

By Special Guest Mark Hollis, CEO of MacPractice
