Data Protection for the Cloud-Based System: Protecting your patients and your practice

December 9, 2019

The cloud-based system to which you have outsourced data security is more vulnerable than you might think. Here’s what you can do to protect your patients’ information and your practice’s longevity.

Attacks on health care providers’ managed service providers (MSPs) are on the rise this year. Hackers have realized that it is more efficient to attack an IT MSP that serves many dental practices, and so obtain every client’s electronic Protected Health Information (ePHI) at once, than to target one practice at a time.

“Cybercriminals now are going after your IT companies because it's easier to knock one of them out and hit 100, 200, or 500 dental offices, all in one clean sweep,” says Demetrios Andritsogiannis, founder and CEO of Aspida, a technology solutions company that specializes in HIPAA compliance.

Hackers get into an MSP’s systems through security lapses such as weak passwords and networks that do not use two-factor authentication.[1] Another route is through vulnerabilities in the remote monitoring and management (RMM) software that lets MSPs push updates and run other IT services on your computers, especially when the MSP has not applied the latest security patches to that software.[2] One security expert described these remote management tools as the golden keys for distributing ransomware: whoever controls the tool can reach every computer it manages.

“Your number one threat is your IT provider,” Andritsogiannis says. “They have access to everything. The question you have to ask yourself is, does that company have all the security measures in place to make sure that they don’t have a problem that will become your problem?”

Dental practices need to understand what the MSP behind their cloud-based system is doing, technically, to protect itself from attack. You should also understand its policies and procedures: what the MSP can and would do in the face of an attack.[3]

We spoke to experts in data security and compliance to get an idea of how dentists can do that. Here’s what they had to say.

While HIPAA regulations are the same, details might differ

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the national standards for protecting ePHI. Dental practices are considered “covered entities” under this law, which means compliance with the HIPAA rules is required.

“HIPAA is all about securing your patient data. You want to be able to identify who has viewed it, who has touched it, and the steps that were taken to safeguard that information as well,” says Laura Miller, compliance manager for Aspida. “It all comes down to being able to identify those items.”

The data security regulations are the same for a cloud-based system and a server-based system, says David Broom, senior director of product management for TechCentral by Henry Schein One. That said, there are some cloud-specific considerations the practice should address. For example, with a cloud-based system he recommends ensuring that backups are taken regularly, that the cloud-based system is backing up the correct data, and that the backups actually restore.

“Moreover, if you choose not to have a local backup and only back up on the cloud,” Broom says, “you need to understand how the restores work.”
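The restore test Broom is describing can be made concrete with a manifest kept on the practice’s side. The following is an added example, not code from the article or from any vendor; the file names and contents are constructed placeholders. It records a SHA-256 hash of every file that is supposed to be backed up, then checks a restored copy against that list, so that a backup that silently omitted a folder, or a restore that returned a truncated file, is caught before the day you actually need it.

```python
"""Restore-test helper: record a manifest of what *should* be backed up, then
check a restored copy against it.  Added example, not vendor code.  The file
contents below are constructed placeholders, not real patient data."""
import hashlib
from typing import Dict

# Constructed sample of the practice's data set (path -> bytes).  In a real run
# these would be read from disk.  The imaging folder is included deliberately:
# large 3D images are often left out of cloud backups without anyone noticing.
LIVE_DATA: Dict[str, bytes] = {
    "pms/patients.db": b"patient records placeholder",
    "pms/schedule.db": b"appointments placeholder",
    "imaging/scan-0001.dcm": b"3D image placeholder",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> SHA-256 of the content at backup time.  Keep this with the
    practice, separately from the backup itself, so an incomplete or altered
    restore can be detected without relying on the provider's own report."""
    return {path: sha256(content) for path, content in files.items()}


def check_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> Dict[str, str]:
    """Compare a restored data set against the manifest.

    Returns {path: problem}; an empty dict means every expected file came
    back byte-for-byte identical and nothing unexpected appeared."""
    problems: Dict[str, str] = {}
    for path, expected in manifest.items():
        if path not in restored:
            problems[path] = "missing from restore"
        elif sha256(restored[path]) != expected:
            problems[path] = "content differs from backup-time hash"
    for path in restored:
        if path not in manifest:
            problems[path] = "not in manifest (unexpected file)"
    return problems


if __name__ == "__main__":
    manifest = build_manifest(LIVE_DATA)
    # A faithful restore reports nothing.
    print(check_restore(manifest, dict(LIVE_DATA)))
    # A restore from a backup that never covered imaging, and in which a
    # database file came back truncated, is flagged file by file.
    bad_restore = {
        "pms/patients.db": b"patient records",
        "pms/schedule.db": LIVE_DATA["pms/schedule.db"],
    }
    for path, why in sorted(check_restore(manifest, bad_restore).items()):
        print(f"{path}: {why}")
```

Run the manifest step on the live data on a schedule, and the check step against a real restore into a scratch location on the same schedule; a restore that is never exercised is the one that fails when ransomware forces the question.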

About cloud data centers

Mike Uretz, Executive Director of Dental Group Partners and founder and editorial director of dentalsoftwareadvisor.com, says that while groups and practices focus on evaluating the software vendors they are interested in, they infrequently take the next step: evaluating the actual data center that will host the cloud application. That is where the vulnerabilities may lie. Uretz says cloud-based dental software vendors most of the time do not run their own data centers and contract this function out. Although they have a great deal of control over the operation of their software within these data centers, the software vendors do not do the bulk of the data center management.

The recent cyber-attack on the Wisconsin MSP PerCSoft affected 400 dental practices around the country, which lost access to their electronic files. However, it wasn’t PerCSoft itself that was hacked; it was its third-party vendor Digital Dental Record, which handled the backups for PerCSoft clients.[4]

“You want to make sure that the data center itself has various policies and procedures that dictate how they manage HIPAA compliancy including how they will handle a data breach if it occurs,” Uretz says.

When it comes to protecting yourself, it’s important to ask the prospective cloud-based system host whether the data center it uses has experience with medical and dental regulations and whether it is HIPAA compliant, Uretz says. You also want to ensure that the data center is in the US, because if it isn’t, the data center might not be subject to HIPAA regulations.

“If your ePHI is in another country, there is not much you can do if it gets breached because they can’t go after the data center in Montreal or wherever,” Uretz says.

Be nosey and do some digging

Practices need to understand how the MSP protects itself, Broom says. In other words, what measures does it have in place to ensure it doesn’t get hacked? From how it vets employees and partners, to its policies and procedures for when there is an incident, to the insurance it carries, Broom says you should ask about all of it.

“You must vet your third parties tightly on this,” Broom says.

Practices should also find out how their MSP minimizes client risk of a data breach, Broom adds. The way the MSP handles day-to-day tasks determines how exposed you are to a breach.

For example, one of the ways Henry Schein One manages its clients’ risk is by segmenting its back-end management of client data. Henry Schein One separates password management from backup management, handling each for the client through a separate portal, so that no single system or employee has access to both, Broom says.

“It also protects me,” Broom says. “If I have a rogue employee, I know for sure they can only damage a portion of the business. They can’t damage everything.”

Multifactor authentication is essential for data security with either type of system, and on both sides of the login: the practice’s staff and the MSP’s staff. Multifactor authentication adds a verification step beyond the password to confirm who is logging in, e.g., a one-time PIN sent by text message to a mobile number or generated by an authenticator app. In some cases it is biometric, like a voiceprint or fingerprint.

Broom suggests practices always work with MSPs that require multi-factor authentication for the MSP employees who work with their accounts.

“If I were a practice interviewing an MSP, I would ask how their employees log in. It is a straightforward question,” Broom says. “If they say, ‘username and password,’ and they are not using multi-factor authentication, I would be looking for another partner.”

Another point to clarify when researching an MSP is its procedure for permanently deleting data. You will need it if you ever leave the vendor or switch to a different system.

“You want to make sure that if the time ever comes that they have to delete all your data, it’s gone,” Uretz says.

Another critical consideration is how the MSP handles staff education on HIPAA and security. Asking an MSP how it trains its staff, and how that training is kept up to date, is an essential part of the conversation, Uretz says.

“Every day there is potential for a new problem. You want to make sure that your people are educated consistently. That’s the responsibility of the data center to make sure that people are educated constantly how to prevent problems and handle issues should they occur,” Uretz says.

Whichever partner you land on, it’s important to put the agreement on what the MSP provides in writing, Uretz adds. Otherwise, if there is a problem, you could end up with no help from the MSP.

Five questions to ask about cloud-based system security

When it comes to data protection for cloud-based systems, Andritsogiannis says there are five questions to ask yourself about your compliance:

  • Do you have a Business Associate Agreement with your cloud-system provider? The HITECH Act of 2009 made business associates, such as an MSP that works with your ePHI, directly liable for compliance with the HIPAA Security Rule and parts of the Privacy Rule; in other words, they are held to the same standards as the practice for protecting ePHI. They need to commit to it in writing, or the practice is responsible for any issues. Per HHS, a Business Associate Agreement (BAA) is required with any person or company that is not employed directly by the practice but works on its behalf or provides it services involving ePHI. HIPAA requires that you have one with any vendor that handles IT for you, to ensure that it will do everything it should to protect your patients’ ePHI.

  • Do they store the data encrypted, and do they have redundancy for it? Encryption, per Miller, should be AES (Advanced Encryption Standard) with 256-bit keys to meet the standards set by the National Institute of Standards and Technology. Redundancy is a fail-safe against losing a hard drive.[5] Andritsogiannis recommends that the storage be RAID (Redundant Array of Independent Disks) enabled, meaning the data is spread across a set of disks such that if one fails, the others continue to provide uninterrupted service. Note that redundancy is not a backup: RAID protects against a failed disk, but a file that is deleted, corrupted, or encrypted by ransomware is replicated across every disk just the same, so you still need the separate, restorable backups discussed above.[5]

  • Are you accessing that data in the cloud securely? Secure access to the cloud seems like a no-brainer, but according to Andritsogiannis, 99.9 percent of the time, that is not a given.

  • Do you have multi-factor authentication when you are logging in to the system? Multifactor authentication is vital for cloud-based data security. Per Norton, it adds an extra layer of protection, which means that hackers need more than your username and password to get into your ePHI.[6]

  • Can you ensure that you only allow access from a static IP? A static IP address is a fixed Internet Protocol address assigned to your practice by its Internet Service Provider, as opposed to a dynamic address that changes over time. Restricting logins to the practice’s static IP means a stolen username and password cannot be used from an attacker’s own location, which helps keep hackers from using remote access to get into the server. It is an additional layer, not a substitute for multi-factor authentication: anyone already on the office network, or who has compromised the office router, arrives from the allowed address.
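The following added example (not code from the article, Henry Schein One, Aspida, or any vendor) puts together the login-side controls this section asks about: the multi-factor login Broom wants MSP staff to use, the one-time code of question four, and the static-IP restriction of question five. It implements the time-based one-time password (TOTP, RFC 6238) that authenticator apps display, stores the password only as a salted hash, and checks the source address against an allowlist. The user record, salt, and addresses are constructed; the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the standard.

```python
"""Login check enforcing three controls: a password kept only as a salted
PBKDF2 hash, a TOTP second factor (RFC 6238, what an authenticator app shows),
and a source-IP allowlist.  Added example, not code from the article or any
vendor; the user record, salt and addresses are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Iterable, Tuple

DIGITS = 6
STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second windows since the epoch."""
    return hotp(secret, unix_time // STEP)


def verify_totp(secret: bytes, code: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current window plus `drift` neighbours either side for clock
    skew.  Compare in constant time so response timing leaks nothing."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False
    now = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(now - drift, now + drift + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: a leaked user table does not hand over the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def ip_allowed(source_ip: str, allowlist: Iterable[str]) -> bool:
    """True if the connection comes from one of the practice's static addresses.
    Use the address the server saw on the socket, never a client-supplied header
    such as X-Forwarded-For, which an attacker can set to anything."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


# Constructed account record: this is all the cloud side needs to keep.
SALT = b"per-user-random-salt"              # in practice os.urandom(16), stored with the record
USER = {
    "name": "frontdesk",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret; enrolled once via QR code
}
PRACTICE_IPS = ["203.0.113.10/32"]          # RFC 5737 documentation address, stands in for the office IP


def authenticate(password: str, code: str, source_ip: str, unix_time: int) -> Tuple[bool, str]:
    """Every factor must pass.  The reason is for the server-side audit log only;
    the login page should show the user one generic failure message."""
    if not ip_allowed(source_ip, PRACTICE_IPS):
        return False, "source address not on allowlist"
    if not hmac.compare_digest(hash_password(password, SALT), USER["pw_hash"]):
        return False, "bad password"
    if not verify_totp(USER["totp_secret"], code, unix_time):
        return False, "bad or missing one-time code"
    return True, "ok"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code for this secret and time is 287082
    good_code = totp(USER["totp_secret"], t)
    print(authenticate("correct horse battery staple", good_code, "203.0.113.10", t))
    print(authenticate("correct horse battery staple", "", "203.0.113.10", t))         # password alone fails
    print(authenticate("correct horse battery staple", good_code, "198.51.100.7", t))  # wrong network fails
```

Running it shows a correct password alone being refused, a login from an address outside the allowlist being refused, and all three factors together succeeding. The source address must be the one the server sees on the connection; trusting a client-supplied header would let an attacker claim the practice’s IP. Codes sent by text message, which the article mentions, are weaker than an authenticator app because a phone number can be hijacked, but either is far better than a password alone.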

Using the cloud does not exclude local security

Most practices do not realize that even with a cloud-based system handling much of the ePHI, other data may still be stored on the practice’s own hardware. For example, 3D images can be difficult and costly to upload to and store in the cloud, which means you still need server-based data security at the location where they are stored, Andritsogiannis says.

“Most of the time, most people don't realize that they're deciding between cloud and local for their practice management solution, but not necessarily their whole business solution,” Andritsogiannis says. “There are a lot of moving parts, and you usually need a technology consultant that understands everything, not just the software, to help you make a wise decision on the total cost of ownership.”

Sometimes, using cloud-based practice management software leads a practice to believe it need not worry as much about security on the local network, Broom says. He says this assumption is a mistake.

“The same challenges you have with usernames and passwords on the server-based system are the same challenges you are going to have with a cloud-based system as well. You need to have the same security measures in place,” Broom says.

Broom says he also often hears that practices think they need not worry as much about the firewall with a cloud-based system. That belief isn’t true either. Controlling how people get onto the network is crucial.

“As an example, if you have wireless access points in your practice, which everybody does, you still want the side the patients use, the public side, to be separate from the business side,” Broom says.

Uretz says that along with appropriate credentialing for logging into the system, the software should have a robust auditing system that records every change to the ePHI and who made it. If there is a data breach, one of the first things the HHS Office for Civil Rights (OCR) will want to know is whether the practice and the data center had done everything possible in terms of security and HIPAA compliance to prevent it.

“In order to try to understand and recreate the issues, a detailed auditing system is immensely valuable,” Uretz says.
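One way to build the auditing Uretz describes, as an added example that is not the audit system of any dental software: a hash-chained log in which every change to ePHI records who made it, when, and the before and after values, and each entry’s hash covers the previous entry. Editing or deleting an entry after the fact breaks the chain, which is what lets an investigator trust the trail when reconstructing a breach. All names, timestamps, and values are constructed.

```python
"""Tamper-evident audit trail for ePHI changes.  Each entry records who did what
to which record and when, and carries a SHA-256 over the previous entry's hash
plus its own fields, so editing or deleting any entry breaks the chain.  Added
example, not the audit system of any dental software; entries are constructed."""
import hashlib
import json
from typing import Any, Dict, List, Optional

Entry = Dict[str, Any]
GENESIS = "0" * 64  # previous-hash value used for the first entry


def _digest(prev_hash: str, fields: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on
    # field order or formatting.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_entry(log: List[Entry], at: str, actor: str, action: str, record: str,
                 field: Optional[str] = None, old: Any = None, new: Any = None) -> Entry:
    """Append one entry.  `seq` is its position, so a silently deleted entry
    leaves a visible gap; `hash` chains it to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    fields = {"seq": len(log), "at": at, "actor": actor, "action": action,
              "record": record, "field": field, "old": old, "new": new}
    entry = dict(fields, hash=_digest(prev, fields))
    log.append(entry)
    return entry


def verify_chain(log: List[Entry]) -> int:
    """Return the index of the first entry that fails verification, or -1 if the
    chain is intact.  Removal of the *last* entries is only detectable if the
    latest hash is also stored where the system cannot overwrite it."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or _digest(prev, fields) != entry.get("hash"):
            return i
        prev = entry["hash"]
    return -1


def history_of(log: List[Entry], record: str) -> List[str]:
    """Who touched this record and what changed: the first question after a breach."""
    lines = []
    for e in log:
        if e["record"] != record:
            continue
        line = f'{e["at"]} {e["actor"]} {e["action"]}'
        if e["field"] is not None:
            line += f' {e["field"]}: {e["old"]!r} -> {e["new"]!r}'
        lines.append(line)
    return lines


def sample_log() -> List[Entry]:
    """Constructed entries; timestamps, users and values are placeholders."""
    log: List[Entry] = []
    append_entry(log, "2019-12-09T09:00:00Z", "dr.smith", "update", "patient-0001", "allergies", "none", "penicillin")
    append_entry(log, "2019-12-09T09:05:00Z", "frontdesk", "update", "patient-0001", "phone", "555-0100", "555-0199")
    append_entry(log, "2019-12-09T09:06:00Z", "frontdesk", "view", "patient-0002")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))             # -1
    for line in history_of(log, "patient-0001"):
        print(line)
    log[1]["actor"] = "hygienist"                   # someone tries to shift the blame
    print("after tampering:", verify_chain(log))    # 1
```

The chain alone does not detect removal of the most recent entries, since nothing points past the last one; for that, the latest hash should be recorded somewhere the system cannot overwrite, for example delivered to the practice each day.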

How the OCR responds to a breach depends on many factors. Typically, the OCR imposes a corrective action plan, tasking the practice with fixing the problems, Miller says. However, if the practice doesn’t fix them, there could be fines.

“The fines could be in the millions upon millions of dollars, depending on the circumstances,” Andritsogiannis says.

“Sometimes, the fines are minimal compared to the damage you get from it being out in the news,” Miller says. “Some offices say their reputation is so tarnished patients don't want to come there anymore, especially if they had a breach or something along those lines. They end up having to close the doors.”

True compliance is the best data protection for the cloud-based system, Andritsogiannis says. Maintaining your BAAs, performing an annual risk assessment, fixing the vulnerabilities it uncovers, and repeating the process is your best defense.

“Every year, a new risk will arise,” Andritsogiannis says. “So, every annual assessment will help you find those risks, and then, hopefully, you'll knock some off the list the following year. Then, you'll find new ones added to the list. It's a never-ending process.”

References:

[1] Dudley, Renee. “The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once.” propublica.org. 12 September 2019. Web. 25 November 2019. https://www.propublica.org/article/the-new-target-that-enables-ransomware-hackers-to-paralyze-dozens-of-towns-and-businesses-at-once.

[2] Ibid.

[3] McGee, Marianne Kolbasuk. “Ransomware Attack Impacts Hundreds of Dental Practices: After Vendor Systems Crypto-Locked by Malware, Practices Await File Restoration.” bankinfosecurity.com. 30 August 2019. Web. 25 November 2019. https://www.bankinfosecurity.com/attack-on-vendor-affects-hundreds-dental-practices-a-13002.

[4] Ibid.

[5] Lloyd, Craig. “Backups vs. Redundancy: What’s the Difference?” howtogeek.com. 30 March 2018. Web. 25 November 2019. https://www.howtogeek.com/346907/backups-vs.-redundancy-what%E2%80%99s-the-difference/.

[6] Kovacs, Nadia. “The Importance of Two-Factor Authentication.” us.norton.com. Web. 25 November 2019. https://us.norton.com/internetsecurity-how-to-importance-two-factor-authentication.html.