Protecting your patients’ data on your local server requires a lot of considerations. Our experts share their insight on what you can’t afford not to know.
Dental practices have valuable information for treating patients and running their business stored on servers and computers in the practice. However, your practice’s patient information is a virtual gold mine for the bad guys, and hackers will get to it if they can.
For practices that have a local data-storage solution, there are numerous considerations for keeping it out of the bad guys’ hands. We spoke to several experts on data security about what they think is essential for dental practices to know about protecting their local data storage, and here’s what they had to say.
Have an enterprise-level data-risk assessment
Steve White, Vice President of Sales and Marketing for DDS Rescue, says the best place to start for security of the electronic protected health information (ePHI) is a proper data-risk assessment. This risk assessment needs to be more than the question-and-answer type you find in do-it-yourself assessments. White says the risk assessment should have an IT process associated with it to find the answers, and you should have it on file in the practice.
“It's the starting point to, ‘What is my IT network now, and what should it be?’” White explains. “Not only for regulatory reasons of HIPAA, but also just best practices for preventing data breaches and downtime.”
White says the risk assessment gets the team together and organized. It defines who is working on what to get the network as safe as possible. It also ensures that you actually do whatever is discovered in the risk assessment, something that White says doesn’t always happen.
White also says that your risk assessment is not a one-and-done exercise. Moreover, you are never “done” with risk or becoming HIPAA compliant. When you change hardware or software, or employees leave or come on board and need their logins terminated or added, or you add new vendors with new Business Associate Agreements, you should have another risk assessment.
“Compliance is not a certification. It’s an ongoing process,” White says. “You assess, correct, and continue. That’s why HIPAA says the risk assessment must be done at least once a year.”
Restrict the data to one location
Many times, practices have patients’ ePHI spread out on devices all over their local network, which makes it more challenging to protect from hackers and maintain compliance per HIPAA regulations. Demetrios Andritsogiannis, Founder and CEO of Aspida, a compliance technology solutions company that specializes in Secure Solutions for HIPAA, says it is a best practice to centralize your ePHI on one server. He compares it to having all your children in a playpen.
“If you put all your children inside the playpen and they can't get out, they're all in the playpen at the end of the day,” Andritsogiannis says. “But if you take them out and let them run around, now you have to keep up with every one of them and make sure they're not all over the place.”
White says that a common mistake risk assessments discover is that people have ePHI, like a downloaded image or patient record, sitting on a workstation and have forgotten it is there. White says his team advises the practice either to delete it from that workstation or to protect that workstation properly, as you would your server.
“If it’s in your practice management software, you don’t need it there on that workstation,” White says. “Get rid of it.”
Take care of the tech specs
Per HIPAA, any ePHI data must also be secure from a technical standpoint. White says that means measures such as proper antivirus, anti-spyware and encryption.
“If any protected health information, specifically ePHI, leaves your office voluntarily or involuntarily, it must be protected at the levels specified by the government. The most common way is encryption and at the right level,” White says. “If it leaves your office without encryption and it is lost or stolen with over 500 files, it is a major data breach.”
While there are many different ways and levels you can use to encrypt data, Laura Miller, Compliance Manager for Aspida, says the National Institute of Standards and Technology (NIST) has published the appropriate algorithms. It isn’t enough to have 64-bit encryption, or even 128-bit. Miller says it does need to be a NIST-level encryption.
“They recommend AES 256 encryption as a minimum,” Miller explains.
David Broom, Senior Director of Product Management for TechCentral by Henry Schein One, also emphasizes the essential nature of encryption. He explains that encryption takes the data and uses an algorithmic calculation to convert it into nonsensical characters, meaningless to someone who doesn’t have the key. AES stands for Advanced Encryption Standard and is NIST’s standard block cipher algorithm [1]. The higher the number (the key size), the more difficult it is for someone to break the encryption.
“At 256, it would take somebody, depending on what kind of build you had, multiple years for them to be able to break that code,” Broom explains.
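As an added example, not code from the article or from any vendor named in it, the Go standard library’s AES-256-GCM: a record sealed this way is meaningless without the 32-byte key, and the wrong key or a single altered byte is rejected on opening. The key-length check enforces the AES-256 minimum Miller recommends; the function names and the constructed patient record are the author’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyLen is the AES-256 key size. A 16-byte key would give AES-128, which the
// experts quoted above consider below the NIST-level minimum for ePHI.
const KeyLen = 32

// newGCM refuses any key that is not AES-256 sized and builds the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM: nonce || ciphertext || tag; altered bytes fail Open.
func Seal(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// Open reverses Seal; it fails with the wrong key or with tampered data.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```

The key must live in a key store separate from the encrypted files; a back-up that carries its own key beside the ciphertext is not protected.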
Back-up, back-up, and back-up
Broom says in addition to proper encryption, every practice should have a hybrid back-up system, meaning a local copy and a copy somewhere else. In most cases, this means a local back-up and one on the cloud.
“Typically, cloud, which is the best thing to do, would be encrypted and would have incrementals, so that practices can recover back-ups from prior days and prior times,” Broom says.
Broom says the reason for the second, off-site back-up is in case the local back-up is no longer available to you. Maybe you lose it to theft or a natural disaster. Then, you can’t restore your data. The incrementals, which are a type of back-up that only saves data that has been added or changed since the last back-up, ensure that you don’t lose a day’s worth of data.
Pricing for back-up in the cloud is less than in the past. However, the amount you pay depends on how much data you have to back up and how many incrementals you have available at any given time.
“It gives you an extra level of protection,” Broom says. “It is very smart business-wise and recovery-wise to make sure you have a cloud and a local back-up.”
It is essential to ensure that your back-up system takes all the files. Most systems will back up Microsoft Office files and Excel spreadsheets, but they do not always back up the data files specific to an application, like your practice management software. With Henry Schein’s hybrid back-up, the system backs up everything.
“It’s just simpler, and it makes it easier for the client and because the pricing structure that the cost of the hardware appliances and the cloud back-up are less expensive, it’s just so much better,” Broom says.
Furthermore, Broom says there are more than practice management files that need backing up, and other systems might miss them. There are business filings, accounting files, and communication with the lab that are important to have also.
“That’s why we always recommend that everyone puts everything on one server, so everything backs up to the server,” Broom explains.
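An added example, not from the article or from Henry Schein’s product, sketching the incrementals and prior-day restore described above together with the completeness check the preceding paragraphs call for. Snapshot, Increment, Diff, Restore and Missing are constructed names, and short strings stand in for file contents.

```go
package main

// Snapshot maps a file path to its content; it stands in for the server's file
// system in this constructed example.
type Snapshot map[string]string

// Increment is one back-up: a full back-up is Diff(nil, state), later ones
// store only what changed since the previous run.
type Increment struct {
	Changed map[string]string // files added or modified, with their content
	Deleted []string          // files removed since the previous back-up
}

// Diff builds the incremental back-up that takes prev to cur.
func Diff(prev, cur Snapshot) Increment {
	inc := Increment{Changed: map[string]string{}}
	for p, c := range cur {
		if old, ok := prev[p]; !ok || old != c {
			inc.Changed[p] = c
		}
	}
	for p := range prev {
		if _, ok := cur[p]; !ok {
			inc.Deleted = append(inc.Deleted, p)
		}
	}
	return inc
}

// Restore replays increments 0..n in order (n must be below len(incs)), so n
// selects which day's copy comes back.
func Restore(incs []Increment, n int) Snapshot {
	out := Snapshot{}
	for _, inc := range incs[:n+1] {
		for p, c := range inc.Changed {
			out[p] = c
		}
		for _, p := range inc.Deleted {
			delete(out, p)
		}
	}
	return out
}

// Missing lists live files a restore lacks or holds a stale copy of: the check
// that a back-up job really takes all the files, PM database included.
func Missing(live, restored Snapshot) map[string]string {
	return Diff(restored, live).Changed
}
```

Running Missing against a test restore is the check Broom asks a managed service provider to perform: a job that silently skips the practice management database shows up here, not on the day you need the data back.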
Broom also advises practices to have automatic backups. Look for a system you can “set and forget.” If you use a managed service provider, make sure they actually check the back-up and that it’s happening as it should.
“Make sure it occurs automatically,” Broom says, “so you don’t have to think about it.”
And don’t forget the firewall
John Flucke, DDS, Technology Editor for DPR, says it is imperative to keep your operating systems and software updated with all the security patches. It is essential to be “up to speed” on things like a firewall that will keep people out of your system. Dr. Flucke says it is crucial to make it as hard on hackers as possible so they will give up and find an easier target.
“It’s like parking your car in the parking lot. You know if somebody really wants a car, they are going to steal it. But if the guy parked next to you has the windows down and the keys in the ignition, which one are they going to go for?” Dr. Flucke says.
Physically protect the data, too
Another area our team of experts says is critical to data protection for the server-based system is the physical location of the server. In other words, where do you keep the server? Andritsogiannis says that it should be locked up with access controls and a sign-in sheet for entering and leaving that physical location in the practice.
White says DDS Rescue got into the business of data security because thieves robbed one of his customers. The thieves threw a brick through a window, went to the basement, picked up the server, and were gone in less than 90 seconds.
White says the office had done nothing wrong; they simply got robbed. However, the physical server was not protected. White explains that part of the HIPAA-mandated risk assessment specifies that all devices that carry any electronic protected health information (ePHI) must be physically protected. That stipulation includes thumb drives, laptops, old computers, and, of course, the server.
“The server itself needs to be physically restrained. There are ways to do it that only cost a couple hundred bucks, and it is locked in place. Which prevents somebody from simply picking it up and running out with it,” White says.
“What physical security are you providing, and what audit logs are you providing for the physical security?” Andritsogiannis says, adding that these are the kinds of things the OCR (Office for Civil Rights) would want to examine in an audit if there is a security breach.
Miller says that for HIPAA compliance, this documentation is essential.
“For example, let’s say the server is in a closet, but there's not a lock on the door, or it's under the front desk. You need to document why it is where it is and talk about the other safeguards that you have in place to keep it protected. This type of situation is where the documentation is key,” Miller explains.
“The best place to put a server is in a bank vault. So if your dental practice has a bank vault, which I've actually seen, then you've got the best security ever. But if you don't have a bank vault, then you've got to find other ways of securing that data,” Andritsogiannis says.
Andritsogiannis says that the different ways to protect the server are dependent upon your environment. The HIPAA laws allow you to do what is best for your location and practice size. So, if you must keep it under the front desk, do you have an alarm on the doors that goes off if someone breaks in? Do you have a person staffing the counter at all times when the practice is in operation? Andritsogiannis says you have to be logical about the physical protection.
“There's no one way to skin the cat, and that's the hard part about HIPAA, but it's also the beauty,” Andritsogiannis says. “It means you have the leeway to protect your server the best way for your environment.”
Mind the tech specs and setups
Some additional technical security measures the Aspida team suggests are mirrored hard drives, to protect against loss if one of the drives dies; Andritsogiannis says it's best to have a RAID hard drive solution. Also, have servers with redundancy, whether in power supplies, hard drives, or something else. In addition, Andritsogiannis recommends running a real server, meaning that you're running server software.
“Quite often, you'll see someone running a Windows 10 desktop version instead of Windows Server 2019. Having a real server that is set up as a domain versus a workgroup is imperative,” Andritsogiannis explains.
A workgroup means that all the computers in the network are all equal and connected. It also means they are sharing data, and when it comes to protection, “it’s every man for himself,” Andritsogiannis explains.
A domain means the server is in charge. Users have to log into the server after authentication, and it grants permission where they can go based on their credentials.
“Then, it can audit you and log where you've been,” Andritsogiannis explains.
Broom also supports the idea of using independent usernames and passwords, something he might not have said in the past. Five or six years ago, he says, having shared usernames and passwords was not that significant of a threat.
“It is a big deal today. It’s just too risky not to follow some protocol for usernames and passwords,” Broom says.
Another essential thing to remember is that Windows 7, Windows Server 2008, and Windows Server 2008 R2 all have an “end of life” of January 14, 2020. End of life for software or hardware is what it sounds like: the vendor will no longer support it or sustain it. If your practice is using this software or hardware, experts agree it is time to replace it.
Consider hiring some help
It is a big responsibility to protect your data with a server-based system. When it comes down to it, Broom says the simplest solution is to outsource the data security. Partnering with an expert managed services provider (MSP) can lift some of the burdens off the dentists.
“It’s something we do. We provide the antivirus; we’re watching the firewalls. The dentist should be focusing on what the dentist does best,” Broom says. “Dentists need to partner with somebody that understands IT and makes sure their environments are where they need to be and make sure those security things are in place.”
White agrees, adding that you should find out their experience with health care providers, as well as with dental practice management software and SQL files. You also want to know the average size of the network they manage and whether they can manage a domain environment. White says references are another vital thing your potential MSP should provide.
“Get references from offices that are equivalent to the one you own and manage,” White says. “If you are a small group, you want to know what other small groups they have worked with, too.”
Moreover, the threats are changing all the time. Broom says when you are choosing an MSP, it is critical to understand their policies and procedures. How are they ensuring they aren’t going to get hacked? Do they have a high trust certification? How do they operate from day-to-day?
“The types of malware coming out today and these other things that are coming out today are becoming much more complex,” Broom says. “Make sure you have a trusted partner who’s managing this for you. That’s their job.”
1. “128-Bit SSL Encryption Vs. 256-Bit SSL Encryption.” ClickSSL, 10 November 2019. Web. Accessed 23 November 2019. https://www.clickssl.net/blog/128-bit-ssl-encryption-vs-256-bit-ssl-encryption