We all hear about the large data breaches pulled off against huge companies such as Target or even the IRS, but the plain and simple truth is:
You are more likely to be robbed than hacked!
According to the Department of Health and Human Services (HHS.gov) breach records, the leading causes for a major breach of patient health information (PHI) are:
- Theft: 48%
- Loss: 11%
- Hacking: 7%
The vast majority of all thefts have one thing in common: inadequate data security.
When evaluating ways to improve your data security, two key areas to assess are the security methods deployed to protect your data from Physical and Technical threats.
Physical
Understand that you are defending against the loss or theft of any device that contains PHI. Many of the defenses are very simple and can be put in place at little to no expense.
If your office has a break-in, the most likely target will be your server. So ask yourself:
- Where is the server located?
- Is it out of sight?
- Is it behind a locked door?
- Is the server locked down?
Keep in mind that you are trying to make it harder for a common thief to locate and steal your server.
Do you transport a laptop or removable hard drive that contains any PHI out of your office?
If you carry a laptop to and from your office be aware of the following:
- Laptops are the top item stolen from cars.
- If the data on your laptop is not properly secured it is a HIPAA violation.
Suggestion: Have a virtual private network (VPN) set up to allow you to work at home with your patient files without the files ever leaving your office.
If you use removable hard drives for your backup system and take them from your office at night, be aware of the following:
- Removable hard drive backups are notoriously unreliable.
- If the data on your removable hard drive is not properly secured it is a HIPAA violation.
Suggestion: Move from a traditional backup to a Business Continuity system, which will greatly increase the reliability of your backup and eliminate the use of removable hard drives.
Technical
When defending against the possibility of theft or loss of data, encrypt any device that contains PHI and may leave the office, either intentionally or due to theft.
Not all encryption is created equal.
There are three different levels of encryption, but only one meets the present government regulations for securing PHI: AES 256-bit. When you are looking for ways to secure your patient data and you are told that a device or a software program is encrypted, ask at what level it is encrypted and, for your protection, get the answer in writing.
If you have a break-in and your server or any other device containing PHI is stolen, and that device is encrypted at AES 256 or higher, then your data is secure per present government regulations and you have not had a reportable data breach.
The above information is intended to give general guidance. It is good practice to have an assessment of your network performed to bring to light areas where you can improve your individual office’s data security.
Guess I need to start being mandatory about BitLocker.
Keep in mind that BitLocker defaults to AES 128-bit (with Diffuser). You’ll need to research how to configure BitLocker to use AES 256-bit (with Diffuser), usually through the Group Policy Editor. If you have BitLocker-secured drives already at 128-bit, then you’ll have to decrypt them and re-encrypt them to get 256-bit encryption.
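As an added example (not from the article or the commenter), this PowerShell script answers the "at what level is it encrypted" question for BitLocker volumes on a Windows machine and flags anything below the AES 256-bit level the article calls for. It assumes Windows 8/Server 2012 or later with the BitLocker module and an elevated session; it is read-only and changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article: audit BitLocker volumes and
# report any that do not meet the AES 256-bit level the article requires.

# Encryption methods accepted as "AES 256" (CBC, CBC with Diffuser, or XTS).
# Both 128-bit variants (AES-CBC 128 with Diffuser on older Windows, XTS-AES 128
# on current Windows 10/11 builds) land in the needs-re-encryption bucket.
$Acceptable = @('Aes256', 'Aes256Diffuser', 'XtsAes256')

function Get-PhiEncryptionReport {
    foreach ($vol in Get-BitLockerVolume) {
        $method = [string]$vol.EncryptionMethod
        # Compliant only if fully encrypted, protectors active, and 256-bit AES.
        $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
              ($vol.ProtectionStatus -eq 'On') -and
              ($Acceptable -contains $method)

        $action = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'Not encrypted: enable BitLocker with -EncryptionMethod XtsAes256'
        } elseif ($Acceptable -notcontains $method) {
            'Below AES 256: decrypt, then re-encrypt with XtsAes256'
        } elseif ($vol.ProtectionStatus -ne 'On') {
            'Protectors suspended: run Resume-BitLocker'
        } elseif ($vol.VolumeStatus -ne 'FullyEncrypted') {
            'Encryption still in progress; re-check later'
        } else {
            'Meets AES 256 requirement'
        }

        [pscustomobject]@{
            Drive      = $vol.MountPoint
            Type       = $vol.VolumeType       # OperatingSystem or Data
            Status     = $vol.VolumeStatus
            Method     = $method
            Protection = $vol.ProtectionStatus
            Compliant  = $ok
            Action     = $action
        }
    }
}

$report = Get-PhiEncryptionReport
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) volume(s) hold data below the AES 256-bit level; see the Action column."
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled task or RMM check, so a drive that was re-imaged or had protection suspended shows up before it leaves the office.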
Is Pattlock encrypted to this recommended level?
Does Eaglesoft have any built-in protection?
Dr. Basil, yes it does. I asked an EagleSoft expert and received the following answer.
“Simple database encryption was introduced with Eaglesoft Version 17. This encryption does not run automatically, but can be added with the aid of a support specialist.”
Thank you for your question.
Great article. I was curious about your thoughts on Google Drive now that it is HIPAA compliant? So the general outline would be to take Eaglesoft’s encrypted data and upload it to Google Drive.
Yes/No/Maybe?
https://support.google.com/a/answer/3407054?hl=en
Dr. Medina,
Thank you for your comment.
Regarding your question, Yes/No/Maybe… I would have to say Maybe.
Let me explain.
Assuming that all steps (BAA, Audit Trail and Device Sync) to ensure that Google Drive is HIPAA compliant have been taken and you use the Eaglesoft encryption option, then yes, your Eaglesoft data will be properly protected and stored off-site.
However, even when the Eaglesoft data file is protected there are other files that store PHI, most notably your image files. The most secure way to protect all data that resides on your devices is to do a full drive encryption on any device that could leave the office either on purpose or involuntarily.
In addition, when defending against cyber threats your recovery time from an attack or theft becomes critical. With a traditional back-up system, recovering from, say, a ransomware attack would mean having your IT professional rebuild and re-configure your server, then download your back-up from the cloud. At that point you will see if your back-up is clean and usable. If not, an older version of your back-up will need to be downloaded from the cloud. Time to recover is one or more days after the IT professional is on-site.
The alternative to a prolonged recovery time is a complete business continuity system that steps in and runs your network when your server cannot. In the case of our own DDS Rescue system, we guarantee that we will have you back up and running in thirty minutes or less, or we will send you a check for $1,000.00.
Nice, thank you.