[BreachExchange] Encryption for Data Safety and Practice Success

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 6 19:24:36 EDT 2017


http://www.hitechanswers.net/encryption-data-safety-practice-success/

It’s an accepted part of everyday life — people text, shop online, use
social media platforms or browse the internet using whatever device they’re
carrying or seated in front of, even at work. Many employers shrug off the
thought of lost productivity, reasoning that if people weren’t online,
they’d be chatting with coworkers or doing something else instead.

But it’s more than a productivity issue; connected devices can pose a
significant risk to healthcare organizations. The fact is, many
high-profile data breaches are traced back to employee error. Doctors’
offices and other clinical organizations are at risk, especially since many
use cloud-based systems that are always connected, which can expose offices
to malware infections.

Unfortunately, there’s no end in sight to the danger of hacking and malware
such as ransomware. Experts expect the dangers to grow as hackers exploit
new endpoints created by devices and sensors that are connected to the
Internet of Things (IoT). Distributed Denial of Service (DDoS) attacks are
also on the rise, making practices vulnerable to the loss of crucial
operating systems.

Clinical organizations are fighting back by training staff to avoid
“phishing” attacks and other scams that expose systems to hacking. But
employee training alone won’t eliminate the danger; hackers are always
working on new angles to gain access to sensitive data. Encryption,
platform and cloud security solutions are important in protecting data —
and ensuring practice success.

How Encryption Protects Data
Using an algorithm to render data indecipherable without a key, also known
as encryption, is a cornerstone of data security. HIPAA requires clinical
organizations to use encryption that meets Advanced Encryption Standard
(AES), as certified by the National Institute of Standards and Technology
(NIST), as well as secure, encrypted email.

Under HIPAA regulations, providers must protect electronic patient health
information (ePHI) when it is “at rest” on a server, backup device, etc.,
as well as when it is “in motion,” e.g., being transmitted within a network
located in a provider’s office or to other locations. The protection must
be in the form of a unique AES-encrypted password.

However, most practice software doesn’t feature built-in AES encryption
with a unique password, and that can be a costly problem for the practices
and healthcare organizations that use this type of software. The only
solution is to find software that does include the protection or pay for an
outside expert to monitor security and ensure compliance with HIPAA
regulations.
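The section above describes encryption at rest in general terms. The following is an added example, not code from the article or from any product it mentions, showing what AES encryption of a stored ePHI record looks like in practice using only the Go standard library: AES-256 in GCM mode, which both hides the data and detects any modification of the stored bytes. The sample record is constructed for the example, and the key is assumed to be held in a separate key store rather than alongside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keyLen is the key size for AES-256 in bytes.
const keyLen = 32

// NewKey returns a fresh random 256-bit key. In a deployment this key is
// assumed to live in a key store or OS keychain, never next to the data.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag
// as a single blob that can be written to disk, a backup, or a database column.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce
	// per record is the usual choice for GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens a blob produced by Encrypt. GCM checks the authentication
// tag before returning anything, so a wrong key or a modified blob is
// rejected with an error instead of yielding garbage plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the example; not real patient data.
	record := []byte("patient=Jane Doe;dob=1980-01-01;note=example")
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %x\n", blob)

	pt, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered:   %s\n", pt)

	// Flip one byte of the stored blob: the tag check fails and nothing is returned.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Decrypt(key, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The point for a practice evaluating software is the separation this shows: the stored blob is useless without the key, and the key must be managed (generated, stored, rotated) independently of the files and backups it protects. Authenticated encryption such as GCM also turns silent corruption or tampering of a record into a hard error, which is what you want from encryption at rest.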

How Platform Design and Cloud Security Keep Data Safe
While practices that use Windows software without built-in encryption must
pay for IT security services to deploy encryption on every device that
houses ePHI, Mac users can handle the safety of data at rest by simply
turning on FileVault (checking a box) in macOS X preferences. This is a
glaring example of the difference operating system platforms make in
keeping data safe and controlling the cost to the doctor.

Virtual Private Networks (VPNs) are an option for practices to compensate
for practice management and EHR software that does not encrypt data in
motion, but VPNs increase costs and complexity and can degrade network
responsiveness. And even with a VPN, practices must make sure their
software provides a unique, encrypted database password; otherwise, they’re
well advised to get software that does.

Hacking is on the rise, and ransomware is a huge problem for practices that
operate on Windows. In March 2016 alone, 56,000 Windows users reported
attacks. Practices that use native macOS software have not been affected by
ransomware. Macs are also less expensive to operate in the long run: IBM
gave employees the option to use PCs or Macs and found that each PC
required twice as much support and cost IBM $535 more than a Mac during a
four-year period.

Cloud software and hosting server farms aren’t the solution: Malware,
including ransomware, can infect every device that connects to an infected
computer, including offsite cloud servers and backup devices. In April,
Greenway Health, an EHR vendor, reported that 400 client organizations
using their Intergy cloud hosted software were affected by ransomware, and
some were not able to access all their data in the cloud for weeks.

The FBI says the only sure way to recover is to restore data from an
uninfected backup that is not connected, followed by reformatting devices.

Keeping Your Organization Safe and Successful
With hacking on the rise, patients are worried about their information
being stolen and exploited. Tech-savvy patients look for evidence that
their clinicians are keeping their data secure, so providers who use best
practices can advertise that fact in their offices and on the Internet to
improve their appeal to patients. Data safety is quickly becoming a
marketplace issue.

Clinicians who let patients know they use encryption to protect data can
reassure those who are concerned about hacking, but the fact is, encryption
and other security measures are vital to the health of a clinical practice
too. The penalties for data breaches can be severe, and the reputational
hit might be even worse. The bottom line is that using best practices like
encryption to improve data security helps both clinicians and patients.