Breaches and ransomware skyrocket: Maintaining Safe Harbor

Doctors, not software vendors, are required by HIPAA to protect their patients' identities and health-care information. The only HIPAA requirements that, if adhered to, protect your practice as well as your data in the event of a breach involve encryption.

Americans are painfully aware of the worsening vulnerability of health-care and other personal data to a growing number of hackers. In August 2016, Russians allegedly hacked Democratic National Committee e-mails, and cyber security software was stolen from the NSA. Some experts have speculated about Russian hackers interfering with our national election.

The same criminals and technology threaten and unfortunately compromised the personal identities and health-care information of 35% of Americans in 2015 alone.1,2


Protect electronic protected health information (ePHI) with Advanced Encryption Standard (AES) encryption on every device it touches: "at rest" (e.g., servers, terminals, and backups) and "in motion" (e.g., office network and remote connections). Follow these rules and use a unique AES-encrypted database password, and you can qualify for HIPAA's Safe Harbor in the event of a breach. If you do not qualify for Safe Harbor, in the event of a breach you must (1) report to HHS and be listed permanently; (2) mail letters to patients and others affected; (3) notify prominent media; (4) post a notification on your homepage for 90 days; and (5) maintain a toll-free number for 90 days.

The potential consequences of a breach to your patients are disastrous. The consequences to your practice of having to report a breach are disastrous as well. Surveys indicate you will lose most patients, in addition to being subject to HIPAA and state fines.3 Note that your vendor can, but is not required to, build AES encryption into its software and provide you a unique, AES-encrypted database password as MacPractice does. Most do not. Most Windows software users who do not have built-in AES encryption must pay their IT consultants to provide additional cyber security services.

Ransomware

In August, the Office of Civil Rights reconfirmed that a ransomware attack is a breach. Ransomware is malware that can affect you financially, even if you qualify for HIPAA's Safe Harbor. The number of dentists using Windows who find a "ransom note" denying them access to their data is escalating. Dental industry message boards and Internet searches provide clear evidence that dental practices are being affected by ransomware, just as numerous hospital systems with large, well-paid IT departments and millions of patients have been.

The FBI advises victims to pay the hacker and hope to get access to their data again in just a day or so, if at all.

Note that ransom must be paid in bitcoin, so the culprit cannot be tracked (even by the FBI). To make matters worse, in August, Bitcoin itself was hacked and robbed. Customers' banking information may have been acquired as well.

Cloud software and cloud hosting server farms are not immune to malware, including ransomware. Ransomware can affect every device connected to the infected computer, every device. That includes cloud servers and backups. Restoring from an uninfected, disconnected backup and reformatting devices is the only certain way to recover.

In addition to ordinary malware, cloud software and hosts are vulnerable to specifically targeted attacks such as denial of service (DoS) and distributed denial of service (DDoS) attacks. LinkedIn, Facebook, iCloud, Dropbox, and numerous other cloud vendors have been hacked, and user passwords and identities have been stolen and sold. Even the IRS is vulnerable. In August, Southwest and Delta were shut down; their flights were cancelled due to problems including faults with routers, the same kinds of routers found in dental offices, at ISPs, and at the cloud host, all of which dental cloud software depends on for its primary and secondary failsafe high-speed Internet connections.

Perhaps a cloud solution could be as secure as having your data in your office, if the hosting company employs a team of cyber security experts to constantly defend its high-value target of multiple databases and hundreds of thousands of patients on each server. But what if the host is affected by the national shortage of cyber security experts, as the FBI and the CIA have been?

Users of native Mac OS applications like MacPractice have extremely low risk of ransomware because there have been only two events (versus 56,000 reported in March 2016 on Windows and other platforms)4 affecting a very limited group of Mac users.

Editor's note: References are available online. Go to DentalEconomics.com and search "Hollis."


Mark Hollis is the CEO of MacPractice, a practice management and clinical software company for dentists who prefer to use Apple technology. He has been in the dental software business for 30 years and has consulted with more than 650 practices, spoken at hundreds of Apple events, at dental schools and industry tradeshows, and has also written many articles for professional journals. Visit macpractice.com for more information.
