Posted 11-10-14

Multi-Layered Security: The Best Defense
by Brad Royer, Dentrix Product Manager

Defense in the Middle Ages
In the late twelfth and early thirteenth centuries, defense strategies for castles, the most prominent fortification for nobles, underwent significant changes. While earlier castles had some forms of defense, their defenses were often weak and relied heavily on moats and the central keep—a fortified tower within the castle. One of the greatest improvements in later castles' defense strategy was the implementation of a "concentric defense," which provided "several stages of defense within each other that could all function at the same time to maximize the castle's firepower."

Defense in the Technology Age
Similar to castles, in the early days of electronic health records, fortification policies and practices were often weak and vulnerable to attack. Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA), requirements to fortify against the improper use and access of patient health information have called for entities to improve strategies and tactics. These requirements have been reinforced with the HITECH Act (Health Information Technology for Economic and Clinical Health) of 2009 and the Omnibus Final Rule of 2013.

What Are the Rules?
At Henry Schein, we are working to help providers know and understand the rules and requirements for data security. In our January 2014 eNewsletter article, "Dentrix and Data Security – What You Need to Know," we emphasized that offices are responsible to ensure that patient data is protected, outlined some of the critical areas that need to be considered and highlighted what we are doing to help. Similar to later castle defense strategies, the cumulative effects of each of these policies and safeguards will increase the protection of your practice.

In the article "Secure Your Data with Dentrix Passwords" in our Summer 2014 issue of Dentrix Magazine, we emphasized the importance of implementing Dentrix passwords. That article stated, "Your first line of defense should be the vigilant use of passwords in Dentrix and Microsoft Windows." As with a castle defense strategy, it is critical to remember that Dentrix passwords are only the first line of defense and must not be the sole security method used. In addition, authenticating users is required under the Technical Safeguards section of the HIPAA Security Rule (45 CFR 164.312), which includes five standards: Access Control, Audit Controls, Integrity, Person or Entity Authentication and Transmission Security. Without passwords enabled, providers cannot have appropriate Audit Controls or Person or Entity Authentication, and they are not able to implement unique user identification within Dentrix, a required implementation specification under the Access Control standard.

Who Is Responsible for Data Encryption?
One area that is receiving a lot of attention is encryption and decryption for data at rest, an addressable item under the Access Controls standard. Dr. Lorne Lavine, CEO and founder of The Digital Dentist, stated, "The vast majority of practices that we work with, unfortunately, are not encrypting their data." There seems to be a lot of confusion about who is responsible for encryption and what to do if there is a security breach.

Perhaps some of the confusion stems from the fact that HIPAA refers to these concepts as "addressable." In "Security 101 for Covered Entities," released by the Centers for Medicare and Medicaid Services (CMS), it notes that "addressable does not mean optional." The regulation (45 CFR 164.306(d)(3)) states: "When a standard adopted…includes addressable implementation specifications, a covered entity must:

  1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and as applicable to the entity—
    a. Implement the implementation specification if reasonable and appropriate; or
    b. If implementing the implementation specification is not reasonable and appropriate, document why it would not be reasonable and appropriate to implement the implementation specification and implement an equivalent alternative measure if reasonable and appropriate."

While the language is somewhat difficult, HIPAA is clear that dentists are responsible to ensure that their data is protected and that encryption plays a critical role in that.

Protect Yourself with Full Disk Encryption
Older methods of defense, just like the moat and central keep in older castles, are not enough to protect doctors from some forms of data breach, and our customers must take additional measures. Dr. Lavine emphasized, "In the modern dental practice, patients certainly have a right and an expectation that information that they share with the dentist is going to be kept confidential, is going to be kept secure while it's in the dentist's presence. What we find is that a lot of practices aren't doing the necessary steps to protect that." One such step is the use of full disk encryption (FDE). FDE signifies that everything on the disk is encrypted: the operating system, the programs and the patient data. The one exception is a small boot area, the master boot record (MBR) or its equivalent on newer systems, which must stay unencrypted because it holds the code that unlocks the encrypted volume and starts the operating system. FDE therefore protects data at rest: a stolen or discarded drive cannot be read without the key.

Implementing full disk encryption requires additional effort, but in the long run it's better than the alternative. For example, late last year one Dentrix customer, Dr. Meaglia, experienced his worst nightmare when he arrived at work to find that his server had been stolen. Unfortunately, his patient data was not secured using full disk encryption. Under the Omnibus and HITECH acts, he was required to follow the appropriate breach notifications, which included notifying local and federal authorities, news agencies and his patients of the breach. Needless to say, it had negative effects on his reputation, both personally and professionally, in addition to the fines he had to pay. To avoid a situation like this in the future, he implemented full disk encryption to ensure that his practice and his patients would be protected.

As with the implementation of passwords, full disk encryption should not be the only form of security. In its "Guide to Storage Encryption Technologies for End User Devices," the National Institute of Standards and Technology (NIST) states that full disk encryption does not "mitigate OS and application layer threats (such as malware and insider threats)."
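For practices that deploy full disk encryption with Microsoft BitLocker, the safeguard only counts if every fixed volume is actually encrypted and protection is switched on; a risk assessment should record that rather than assume it. The script below is an added example for this article, not Dentrix or TechCentral code, and it uses only the standard BitLocker PowerShell module (Windows 8 / Server 2012 and later). The categories in the Finding column are the author's choice of checks, not a HIPAA list.

```powershell
# Added example (not from the original article or from Dentrix/TechCentral):
# report BitLocker state for every fixed volume and flag the gaps a HIPAA
# risk assessment would want documented. Run in an elevated session.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-FdeReport {
    # One row per volume; Finding states what is wrong, or 'OK'.
    Get-BitLockerVolume | ForEach-Object {
        $protectors = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        $finding = if ($_.VolumeStatus -ne 'FullyEncrypted') {
            # FullyDecrypted, EncryptionInProgress, EncryptionSuspended, ...
            "NOT ENCRYPTED: status is $($_.VolumeStatus) ($($_.EncryptionPercentage)%)"
        } elseif ($_.ProtectionStatus -ne 'On') {
            # An encrypted volume with protection suspended stores its key in the clear.
            'PROTECTION SUSPENDED: volume key is exposed on disk'
        } elseif ($_.VolumeType -eq 'OperatingSystem' -and
                  ($protectors -contains 'Tpm') -and
                  -not ($protectors -contains 'TpmPin' -or
                        $protectors -contains 'TpmPinStartupKey')) {
            # TPM-only unlocks the OS volume at boot with no user input, so a stolen
            # machine boots to the logon screen; a pre-boot PIN closes that gap.
            'WEAK: TPM-only protector, no pre-boot PIN'
        } elseif (-not ($protectors -contains 'RecoveryPassword')) {
            # Without an escrowed recovery password a firmware change can lock you out.
            'NO RECOVERY PASSWORD: escrow one before relying on this volume'
        } else {
            'OK'
        }

        [pscustomobject]@{
            MountPoint   = $_.MountPoint
            VolumeType   = $_.VolumeType
            VolumeStatus = $_.VolumeStatus
            Protection   = $_.ProtectionStatus
            Protectors   = ($protectors -join ',')
            Finding      = $finding
        }
    }
}

Get-FdeReport | Format-Table -AutoSize
```

On systems without the BitLocker module, `manage-bde -status` prints the same conversion and protection state per volume. Keep the report with the risk assessment; it is the evidence that the "addressable" encryption specification was actually implemented, and the NIST caveat above still applies: a fully encrypted volume does nothing against malware or a user who is already logged in.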

Data Security Is More than One Battle, It Is a War
The Department of Health and Human Services writes, "Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as covered entities' organizations and technologies change."

Henry Schein offers assistance in implementing appropriate network security through TechCentral, our technology experts. We strongly recommend that our customers protect their practices by consulting with TechCentral. TechCentral offers proven security from web-based threats via an active web firewall and virus protection. Later this year, they will offer new customers who purchase a server or laptop the ability to implement full disk encryption using Microsoft BitLocker. For more information about the TechCentral Protected Practice, visit www.HenryScheinTechCentral.com. To speak with a Henry Schein TechCentral expert today, call 877-483-0382.