Why Cloud Software is Essential for Cybersecurity and HIPAA
Cybersecurity incidents are on the rise. According to the Office for Civil Rights (OCR), more than 400 healthcare providers report data breaches every year, with nearly 29 million patients affected. Dentists fall within this broad category and, although they are not involved in the lion's share of incidents, face very real risks. For example:
- An unidentified dentist was greeted with a pop-up message on her computer informing her that her patient data had been encrypted by a hacker, who demanded $5,000 in bitcoin to decrypt it. She negotiated a lower fee and the hacker agreed, but then decrypted only a corresponding share of the data. It took weeks, and the full $5,000, before she had her data back.
- A Dallas, Texas practice unlawfully disclosed a patient’s protected health information (PHI) and was fined $10,000 by the OCR. Between that and public backlash, the practice closed.
- An Alabama dental provider with multiple locations was the victim of a ransomware attack. As the breach notification rules require, the practice had to notify nearly 400,000 patients that their PHI may have been accessed. The practice shut down for nearly two weeks. Thankfully, there was no evidence the attackers accessed any PHI, and a judge threw out the class action lawsuit against the practice. It has since undergone a name change and a full rebranding.
HIPAA and Cybersecurity Are Interlinked
The Health Insurance Portability and Accountability Act, typically just referred to as “HIPAA,” mandates that providers, health plans, clearinghouses, and business associates take care to safeguard PHI, such as specific demographic data, conditions, treatment, and payment information.
Per the HIPAA Security Rule, as summarized on the U.S. Department of Health and Human Services (HHS) website, dental offices are required to:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
In other words, if patient data is accessible to people who shouldn't have access, if you fail to keep the data available to those who need it, or if you fail to take reasonable measures to protect PHI, you are in violation of HIPAA. You must make cybersecurity a priority for the sake of HIPAA compliance, and also if you want to avoid the consequences the practices above faced: fines, ransom payments, temporary shutdowns, permanent closures, and reputation damage.
Know Your Cybersecurity Risks for Dentists
According to OCR data, the vast majority of dental data breaches occur through unauthorized access to or disclosure of PHI. Hacking and IT incidents also make up a significant share of the total. As a provider, these are the areas to focus on first to reduce your risk.
That said, theft, improper disposal of PHI, and loss of PHI are also common throughout the healthcare industry. You'll want to mitigate these risks too.
How the Cloud Keeps You HIPAA-Compliant and Addresses Cybersecurity Risks
Traditional on-premises dental software (the program is installed on a server inside your practice) isn’t inherently dangerous, but it typically leaves cybersecurity up to the practice to manage. That means if you’re not a cybersecurity expert or didn’t hire one to help you set up your systems, there’s a good chance you’ve overlooked something that can put your practice at risk.
Below, we’ll go over how cloud-based systems address HIPAA and cybersecurity, so it’s easier to see if you have gaps and why cloud software may be the better option for your needs.
Cloud-based systems have the latest security.
If you're using traditional dental software, you're likely responsible for updating it on a regular basis. Most people equate updates with new features, and they include those, but they also carry security fixes. If you're not on the latest version, you may be running software with publicly known vulnerabilities that attackers actively look for.
With cloud-based software, the vendor applies updates centrally. You don't need to devote time or energy to upgrades; you just log in and are automatically using the latest version. The devices you use to reach it still need their own operating system and browser patches, since they are the other end of the connection.
Cloud-based systems can leverage two-factor authentication.
Be honest. How many people in your practice currently share their software passwords? Or, how often does someone log into a system and leave themselves logged in—perhaps out of forgetfulness or even intentionally, so they don’t have to log in again later?
That's a huge risk. Anyone who can physically reach that computer can get at PHI. With password sharing, there's no telling who holds the password at any given time. And if your system keeps audit logs of who accessed data or took specific actions, those logs can no longer tell you which individual actually did what.
Two-factor authentication (TFA) adds a layer of protection beyond passwords. In most cases, TFA means the person logging in also receives a temporary, unique code, typically by text message, and needs both the password and the code to log in. A shared or stolen password is no longer enough on its own, and the audit log once again points to the individual who held the second factor. Two caveats: TFA does not protect a session that is already logged in and left unattended, which is what inactivity logouts are for, and codes sent by text message can be intercepted through SIM-swap fraud, so an authenticator app is the stronger choice where the software supports it.
Not all cloud-based dental software offers TFA, but it's included in ThriveCloud, with an option to turn it on in the user-level settings. ThriveCloud also has automatic inactivity logouts, so team members who have been idle are prompted to log back in.
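To make the "both factors or nothing" rule concrete, here is an added example (not ThriveCloud's code, and not how its login is implemented) of a login check that requires a correct password and a correct one-time code. The page describes codes sent by text message; this example uses an authenticator-app style time-based code (RFC 6238 TOTP) so that it runs offline, but the rule demonstrated is the same. The user record, salt and secret are constructed for the example; the secret is the RFC's published test key so the codes can be checked against the RFC's own vectors.

```python
"""Two-factor login check: a password plus a time-based one-time code.

Added example, not ThriveCloud code. Both factors are verified on every
attempt, and every attempt is recorded against the individual username so
the audit log names a person rather than a shared account.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

_SALT = b"example-salt"      # constructed; use a random per-user salt in practice
_ITERATIONS = 100_000


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed user record. The secret is the RFC 6238 Appendix B test key.
USERS = {
    "dr.smith": {
        "pw_hash": hash_password("correct horse"),
        "totp_secret": b"12345678901234567890",
    }
}
AUDIT_LOG = []   # one record per attempt: who, when, which factors passed


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238 with HMAC-SHA1 and 30-second steps."""
    counter = int(at_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password), user["pw_hash"])


def verify_code(user: dict, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus or minus `window` steps to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(user["totp_secret"], at_time + d * step, step), code)
        for d in range(-window, window + 1)
    )


def login(username: str, password: str, code: str, at_time: Optional[int] = None) -> bool:
    """Grant access only when the password AND the one-time code are both correct."""
    now = int(time.time()) if at_time is None else at_time
    user = USERS.get(username)
    # Check both factors regardless of the first result so a failure does not
    # reveal which factor was wrong, and record the outcome per individual user.
    pw_ok = user is not None and verify_password(user, password)
    code_ok = user is not None and verify_code(user, code, now)
    granted = pw_ok and code_ok
    AUDIT_LOG.append({"user": username, "time": now, "password_ok": pw_ok,
                      "code_ok": code_ok, "granted": granted})
    return granted


if __name__ == "__main__":
    t = 59   # RFC 6238 vector: the test key yields code 287082 at T=59
    print(totp(USERS["dr.smith"]["totp_secret"], t))                    # 287082
    print(login("dr.smith", "correct horse", "287082", at_time=t))     # True
    print(login("dr.smith", "correct horse", "000000", at_time=t))     # False
    print(login("dr.smith", "wrong password", "287082", at_time=t))    # False
```

The one-step drift window is the usual compromise between tolerating a slightly wrong phone clock and keeping a code valid for only about a minute and a half; a real deployment would also reject a code that has already been used.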
You can lock access down by location.
To be fair, with on-premises software you're generally limited to using the program while physically at your practice. There are exceptions, such as remote logins or an IT provider hosting your data in the cloud, but most people need to be in the office to see information.
Cloud-based dental software obviously opens doors here and lets you access the program from anywhere, often on any device. The downside is that your team can potentially access patient information from home for reasons that have nothing to do with patient care. And, of course, an attacker who obtains valid credentials can try to log in from anywhere too.
Again, not all cloud-based solutions offer this, but ThriveCloud has user-specific settings that determine where a person can log in. For example, you may want your dental assistant to log in only while at the office, while your office manager may sometimes need to log in from home as well. With ThriveCloud, you add the IP addresses for the allowed locations, and those are the only places from which those users can log in. Keep in mind that this restricts by network address rather than by physical place: the office address is usually stable, but a home or mobile connection may change its address, so the list needs to be kept current. Don't worry if you need access while at the beach or traveling: location-based access can also be left open.
It's also worth noting that ThriveCloud lets you set specific hours during which employees can access the software. This helps ensure access is only granted during working hours and curbs middle-of-the-night logins, whether from unscrupulous employees or from attackers using stolen credentials.
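The two rules just described, an allowed-network list and an allowed-hours window per user, are simple to express as a policy check. The following is an added example, not ThriveCloud's implementation (the page describes the settings, not how they are enforced). The roles, addresses and hours are constructed, with addresses taken from the RFC 5737 documentation ranges; a rule left as None means unrestricted, which is how the travelling dentist is left open while the assistant is pinned to the office network and clinic hours.

```python
"""Per-user login policy: allowed source networks and allowed hours.

Added example, not ThriveCloud code. evaluate() returns 'allow' or a
'deny: <reason>' string that can go straight into an audit log.
"""
from datetime import datetime, time as dtime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Fixed offset for the example. Production code should use a named zone
# (for example zoneinfo) so the hours rule follows daylight-saving changes.
CENTRAL = timezone(timedelta(hours=-6))

# Constructed policy table.
POLICIES = {
    "assistant": {
        "networks": ["198.51.100.0/24"],        # office network only
        "hours": (dtime(7, 0), dtime(18, 0)),    # 07:00-18:00 local time
        "tz": CENTRAL,
    },
    "office_manager": {
        "networks": ["198.51.100.0/24", "203.0.113.45/32"],  # office plus home address
        "hours": (dtime(6, 0), dtime(22, 0)),
        "tz": CENTRAL,
    },
    "dentist": {"networks": None, "hours": None, "tz": CENTRAL},  # left open
}


def at_utc(iso: str) -> datetime:
    """Helper: parse '2024-03-12T14:00' as a UTC timestamp."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def network_allowed(policy: dict, src_ip: str) -> bool:
    """An allow-list of networks, not places: a home connection whose
    address changes stops matching until the list is updated."""
    if policy["networks"] is None:
        return True
    addr = ip_address(src_ip)
    return any(addr in ip_network(net) for net in policy["networks"])


def hours_allowed(policy: dict, when_utc: datetime) -> bool:
    if policy["hours"] is None:
        return True
    local = when_utc.astimezone(policy["tz"]).time()
    start, end = policy["hours"]
    if start <= end:
        return start <= local < end
    return local >= start or local < end    # window that crosses midnight


def evaluate(role: str, src_ip: str, when_utc: datetime) -> str:
    policy = POLICIES.get(role)
    if policy is None:
        return "deny: unknown role"
    if not network_allowed(policy, src_ip):
        return "deny: source address not in allowed networks"
    if not hours_allowed(policy, when_utc):
        return "deny: outside allowed hours"
    return "allow"


if __name__ == "__main__":
    midday = at_utc("2024-03-12T14:00")   # 08:00 local
    night = at_utc("2024-03-13T03:00")    # 21:00 local
    for role, ip, when in [("assistant", "198.51.100.20", midday),
                           ("assistant", "203.0.113.45", midday),
                           ("assistant", "198.51.100.20", night),
                           ("office_manager", "203.0.113.45", night),
                           ("dentist", "192.0.2.1", night)]:
        local = when.astimezone(CENTRAL).strftime("%H:%M")
        print(f"{role:15} {ip:15} {local} -> {evaluate(role, ip, when)}")
```

Evaluating the network rule before the hours rule is deliberate: a request from an unknown address is the more suspicious of the two, so that is the reason you want recorded first.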
Cloud-based software takes care of your backups.
Even if your system is locked down tight against intruders, life happens. Servers crash. Computers break. Practices face fires and floods. When these things happen, a good backup of your patient data is what prevents a disruption of service, and the availability requirement of the Security Rule expects you to have one. But if you're using traditional practice management software, it's up to you to ensure you have a good backup. Not only do you need to take backups at least daily, you must also test them to confirm they can fully restore your database; a backup file that exists but does not restore is not a backup.
With cloud-based software, the company providing your software usually manages the backups for you, so you don't need to take backups or test them yourself. ThriveCloud also duplicates the data for an added measure of assurance. Because the vendor is then a business associate holding your ePHI, confirm in your business associate agreement what backup, restore, and retention commitments it makes.
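What "testing the backup" means in practice is worth showing. The following is an added example, not ThriveCloud's backup process: it backs up a small SQLite database, then proves the copy by restoring it into scratch space, running the engine's integrity check, and comparing the restored rows with the live ones, before deliberately truncating the file to show the drill catching a damaged copy. The chart table and its rows are constructed placeholders with no real PHI, and a real practice management system will use a different database; the three checks are the ones that matter regardless of engine.

```python
"""Back up a SQLite database and prove the copy restores, not just that it exists.

Added example, not ThriveCloud code. A nightly job should pass all three
checks: the copy is intact on disk, it passes the engine's integrity check
after a restore, and the restored rows match the live rows.
"""
import hashlib
import os
import sqlite3
import tempfile


def make_sample_db(path: str) -> None:
    """Constructed sample data; no real patient information."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE chart (id INTEGER PRIMARY KEY, patient TEXT, note TEXT)")
    con.executemany("INSERT INTO chart (patient, note) VALUES (?, ?)",
                    [("Patient A", "prophylaxis"), ("Patient B", "crown #30"),
                     ("Patient C", "periodic exam")])
    con.commit()
    con.close()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_db(src_path: str, dest_path: str) -> None:
    """Consistent copy via SQLite's online backup API (safe while the source is in use)."""
    src, dest = sqlite3.connect(src_path), sqlite3.connect(dest_path)
    try:
        with dest:
            src.backup(dest)
    finally:
        src.close()
        dest.close()


def table_fingerprint(path: str) -> str:
    """Hash of every chart row in id order, so two databases can be compared."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT id, patient, note FROM chart ORDER BY id").fetchall()
    finally:
        con.close()
    return hashlib.sha256(repr(rows).encode()).hexdigest()


def backup_db(live_path: str, backup_path: str) -> dict:
    """Take the backup and record what a later restore test must reproduce."""
    copy_db(live_path, backup_path)
    return {"file_hash": sha256_file(backup_path), "fingerprint": table_fingerprint(live_path)}


def verify_restore(backup_path: str, manifest: dict) -> dict:
    """Restore into scratch space and check it end to end; never trust mere presence."""
    result = {"file_hash_ok": sha256_file(backup_path) == manifest["file_hash"],
              "integrity_ok": False, "rows_match": False}
    with tempfile.TemporaryDirectory() as tmp:
        restored = os.path.join(tmp, "restored.db")
        try:
            copy_db(backup_path, restored)
            con = sqlite3.connect(restored)
            try:
                result["integrity_ok"] = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            finally:
                con.close()
            result["rows_match"] = table_fingerprint(restored) == manifest["fingerprint"]
        except sqlite3.Error:
            pass   # a damaged backup fails the drill; the False flags say why
    result["restorable"] = all((result["file_hash_ok"], result["integrity_ok"], result["rows_match"]))
    return result


def run_backup_drill() -> dict:
    """Back up a sample database, verify it, then damage the file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live.db")
        backup = os.path.join(tmp, "nightly.bak")
        make_sample_db(live)
        manifest = backup_db(live, backup)
        healthy = verify_restore(backup, manifest)
        # Simulate a truncated copy, the silent failure a restore test exists to catch.
        with open(backup, "r+b") as f:
            f.truncate(os.path.getsize(backup) // 2)
        damaged = verify_restore(backup, manifest)
    return {"healthy": healthy, "damaged": damaged}


if __name__ == "__main__":
    for name, outcome in run_backup_drill().items():
        print(name, outcome)
```

The file hash in the manifest is what lets you verify a copy stored offsite without opening it; the restore and row comparison are what tell you the copy is actually usable.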
Your data is secure.
Another major challenge is keeping data secure while it sits on the server and while it sits in backups. Practices commonly use thumb drives for daily backups and larger external hard drives for weekly or monthly ones. Both are portable, which lets you store the backup offsite so you're covered even if something happens to the building, but portability is also what makes them easy to lose or steal. Many of these drives are not encrypted, so without encryption software the data can be read by anyone who gets physical possession of the drive. Under the HHS breach notification guidance, PHI encrypted to its standard is not considered unsecured, so losing an encrypted drive generally does not trigger notification, while losing an unencrypted one does.
Cloud-based systems handle this aspect for you: there is no drive to lose or have stolen. ThriveCloud, for example, is built on a HIPAA-secure cloud environment trusted by Fortune 100 companies such as Intel, Verizon, and GE, so your sensitive and confidential information stays protected.
Fulfilling patient record requests is easy.
Patients have a right to their records under HIPAA. Practices have 30 days to fulfill a request, though individual states may set shorter windows; California, for example, gives practices five days. Aside from the time crunch, this can be a challenge because patient charts are full of PHI, which means you can't simply email a patient their records without their express consent, and many programs don't make it easy to extract the information and send it. Instead, offices wind up printing volumes of information and mailing it, or leaving it at the front desk for pickup. That's a huge burden.
Cloud-based solutions typically make it much easier to fulfill records requests because everything is already digital. ThriveCloud takes this a step further with Patient Portals. Each patient already has on-demand HIPAA-compliant access to much of their information, including previous treatment and treatment plans. You can also send x-rays digitally with just a few clicks too.
You can go fully paperless.
While some traditional dental software options allow you to go paperless, it’s often via piecemealing services together. For example, if you want to automate your patient reminders and stop sending postcards, that’s one program. If you want to send e-claims or e-bills, you’ll need more programs.
There’s also a lot of printing. For example, if you want the team to be able to follow along on the schedule during your morning huddle, you’re likely printing copies and passing them out. You might be printing out lists of people who are overdue for their cleanings, so you can cross them off as you go too. There are patient intake forms, consent forms, and treatment plans. The list goes on.
That's certainly an inefficient way to work and adds to your supply costs, but what many don't realize is that every sheet of paper carrying PHI is a risk. If a third party such as another patient passes your desk and reads it, if it gets left out, or if it lands in the recycle bin rather than the shred pile, you have an impermissible disclosure under HIPAA on your hands.
Cloud-based systems are built on the latest technology and designed with the fully paperless practice in mind. For example, patients can complete and sign all documentation on their own devices or yours with ThriveCloud. The team can use the practice’s or their own devices (phones, tablets, laptops, and PCs) for a live view of the schedule during meetings. Plus, every program you need, from e-billing through e-claims and automated reminders is already part of the software.
Improve Your Cybersecurity and HIPAA Compliance with ThriveCloud
In addition to all this, ThriveCloud makes cybersecurity and HIPAA compliance easier with a host of other features: audit trails that show who performed each action in the software; individual user access limits, so team members can only reach the data their role requires; customizable schedule views that make it easy to hide PHI on computers in shared spaces; and more.