In Part 4 of this series, Lorne Lavine, DMD, discusses the importance of encrypting your data and how consequential not doing so can be to your dental practice.
I have seen many incorrect assumptions and statements about encryption, so I wanted to tackle the most common misconceptions here:
1. Encryption isn’t mandatory. This is simply not true. If you look at the Health Insurance Portability and Accountability Act (HIPAA) rules, there are essentially 2 types of requirements: required and addressable. Required is cut and dried: You must do it. Addressable is a bit more gray, but not that difficult to understand: If it’s reasonable and appropriate, you must do it (emphasis mine). If it is not reasonable, then come up with an alternative or document why you don’t think it’s required. This is not a get-out-of-jail-free card, because it all boils down to that “reasonable and appropriate” statement. You have to be able to prove that, based on current standards, the requirement isn’t reasonable, and as you’ll see below, that’s a hard argument to make.
2. There are no consequences if my data isn’t encrypted. Even if we ignore the HIPAA requirement, this would be a significant mistake. Although much of HIPAA is somewhat ambiguous, the Breach Notification Rule is not: If you suffer a breach, then by law you must notify your patients in writing, alert the local news media (in certain cases), and be listed on the HHS “Wall of Shame” (if your breach affects 500 or more individuals). Getting back to that get-out-of-jail-free concept, it actually does exist, but only in this specific case: If your data is encrypted, then you are exempt from that breach notification. For this reason alone, it’s almost impossible to justify not encrypting your data. Another fun fact is that most (but not all) ransomware viruses have difficulty attacking encrypted files, so you reduce your chances of a ransomware infection if the data is already encrypted.
3. It’s too expensive to encrypt my data. Well, considering that it’s free, good luck with that argument! If yours is like most practices, you can and should be storing all your data on your server. With Windows Server 2008 no longer being supported and patched (and, thus, a HIPAA violation), you should be using Server 2012, 2016, or 2019 as your server operating system. Every one of those operating systems (including Windows 10) has built-in encryption software called BitLocker. It’s part of the system and costs nothing to activate. Unless you have extensive information technology (IT) experience, you’re better off having an IT specialist set it up for you and document it, but compared to the downside of declaring a HIPAA breach, it’s worth every penny.
4. Encryption will slow down my network. This may be true in theory, but the real-world consequences are almost impossible to detect. Decryption occurs on the fly, and modern processors handle this very quickly. For example, if it normally takes 1.5 seconds for your practice management system (PMS) chart to open, it may now take 1.6 or 1.7 seconds with the data encrypted. Those are just illustrative numbers; whatever slowdown might occur will be so negligible that you really won’t even be aware of it.
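Item 3 above says to have BitLocker set up and documented. The following script is an added example, not from the article or from Microsoft, that produces that documentation: run from an elevated PowerShell prompt on a Windows Server 2012/2016/2019 or Windows 10 machine, it checks every volume with the built-in Get-BitLockerVolume cmdlet and writes a dated CSV report. The list of acceptable encryption methods and the report location are my own assumptions.

```powershell
# Added example: audit BitLocker on this machine and write a dated report
# for the practice's HIPAA documentation. Requires an elevated prompt and
# the built-in BitLocker PowerShell module (Windows 8/Server 2012 or later).

$reportPath = Join-Path $env:USERPROFILE ("BitLocker-Audit-{0:yyyy-MM-dd}.csv" -f (Get-Date))

# Assumption: only these methods count as acceptable. The older
# "Diffuser" variants and "None" are flagged for review.
$acceptable = @('Aes256', 'XtsAes128', 'XtsAes256')

$results = foreach ($vol in Get-BitLockerVolume) {
    $problems = @()

    if ($vol.ProtectionStatus -ne 'On') { $problems += 'protection is OFF' }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $problems += "volume is $($vol.VolumeStatus)" }
    if ($vol.EncryptionMethod -notin $acceptable) { $problems += "method is $($vol.EncryptionMethod)" }

    # Without a recovery password, a drive that locks (hardware change,
    # TPM reset, motherboard replacement) may be unrecoverable.
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ('RecoveryPassword' -notin $protectors) { $problems += 'no recovery password protector' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Volume        = $vol.MountPoint
        Type          = $vol.VolumeType
        Status        = $vol.VolumeStatus
        Protection    = $vol.ProtectionStatus
        Method        = $vol.EncryptionMethod
        PercentDone   = $vol.EncryptionPercentage
        KeyProtectors = ($protectors -join ';')
        Compliant     = ($problems.Count -eq 0)
        Findings      = ($problems -join '; ')
        CheckedOn     = (Get-Date -Format 'yyyy-MM-dd HH:mm')
    }
}

# Show the result on screen and keep a copy for the compliance binder.
$results | Format-Table -AutoSize
$results | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Report written to $reportPath"
```

Keep the CSV with the practice's other HIPAA records and re-run it after any hardware or operating system change. Note that the report documents encryption of data at rest: while the server is running, the volume is unlocked, so anything running with a logged-in user's permissions can still read the files.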
There is no good excuse for not encrypting your data. It’s a HIPAA law, it protects your data from infection, and it’s free. Above all, it protects the practice from having to declare a breach, which would be devastating to any dental office.
[Editor’s Note: The Authentic Frontier Gibberish headline is a reference to the 1974 movie “Blazing Saddles,” directed by Mel Brooks.]