What Your Email Address Says About You

By Steve McEvoy, Technology Consultant

Sending business emails from an address ending in @Netcom.com, Aol.com, Earthlink.com and soon Yahoo.com is a tell-tale sign that you aren’t keeping up. People notice and may ask you if you are still driving the ‘72 Ford Pinto as well.

Using a personal account from your Internet Service Provider (ISP), such as Comcast.net, TimeWarner.com, RoadRunner.com or SBCGlobal.net, also looks old school.

There is no rule making us keep up, or against driving a ‘72 Pinto, but I’d argue if you are in a marketing battle for new patients, this is just one small aspect you can easily improve.

For work, you really should have an email address at your practice’s domain: DrSmith@SmithOrtho.com or DrJones@SmileDental.com, for example. People expect this, and when they see FlyingPigs65@aol.com, you send a subtle message that isn’t positive.

You might certainly have a private, personal email account as well, but even for that, you should consider using something like BobSmith@gmail.com or JaneJones@Office.com.

This should also apply to any of your staff using email on behalf of the practice.

There may be other motivating reasons as well. Companies offering email services for free (AOL and Yahoo) that aren’t thriving financially in their core business won’t be putting development resources into keeping their products current, safe and secure. The news is full of stories about hacked email accounts and about ransomware, which typically makes its way onto your computer via email. Companies like Google, Microsoft and Apple have reputations to maintain and will have the resources to keep up. If you are going to use a free email service, I suggest you look to one of the major players.

Changing your primary email account is always a major hassle, and this is likely what has kept you from making the switch. Setting up a new email account and merely forwarding all the email from your old account indefinitely isn’t the right solution: your old email account can still be hacked, and the company can still go out of business.

The steps generally are:

  • Set up your new email account, and take this opportunity to make sure the password is a hard one. I’d suggest you set up two-factor authentication on it as well.
  • Link your new account to your PC, phones, tablet, etc.
  • Using your old email, notify EVERYONE in your contact list that you are changing your email to the new address effective immediately. You can do this in one mass email, but be smart about it and put all the recipients in the BCC list so they don’t see everyone else you sent the notice to. Make yourself the only address in the To: field.
  • Configure your old email account to forward to your new one (for a while).
  • After a month, check your old account to see if anyone you know is continuing to use the old address, then contact them directly and ask them to start using the new one.
  • After another month, turn off the forwarding from your old account and delete the account with the vendor. Gone forever, but no risk of hacking.

You can also always enlist some help from your IT person; they should be well familiar with the process.

Reevaluating Your Password Management

By Dr. Matthew Larson

We live in an amazing age where the world is at our fingertips… if only we could remember our password.

It’s no surprise that passwords can be a frustrating part of our digital lives. Websites have different password requirements, and then the passwords have to be changed at different intervals. In theory, there are clearly good reasons to have high standards for strong passwords. However, in real life this often means the same password is used for multiple websites, and passwords are frequently written down somewhere else so they can be remembered.

Here are a few questions to ask yourself about how you handle passwords in your office:

  1. Do you use strong passwords when needed?
  2. Do you have UNIQUE passwords for different sites?
  3. Do you change passwords when you have changes in staff?
  4. Do you keep important passwords private? (This means not posted in plain sight! In many practices the private WiFi password or Invisalign login can be easily found by opening the drawer or cabinet near the computer.)

If you answered no to most of the questions above you may want to consider a password manager app. (If you answered yes to all the questions and do NOT use some form of password manager, I would love to have your memory.) There are many good password manager programs – some are built into web browsers (Internet Explorer, Google Chrome, and Safari all have password managers) while some are 3rd party programs (some of the more popular ones are LastPass, Dashlane, 1Password, and Password Safe). These programs and apps can help manage your existing passwords and help create strong new passwords.

Here are my personal thoughts when selecting a password manager program:

  • Select a program that requires a strong master password to open the app. This rules out most default password managers within web browsers, although there are browser extensions available for many of the 3rd party programs which do require a separate logon. This master password unlocks all your other passwords, so carefully create a unique and very strong one.
  • Select a company that has a strong history with good reviews. You want a company with a strong reputation that will continue to maintain high security.
  • Expect to pay a small fee for a high quality company. These programs are inexpensive overall (most range from free to about $5 for the app), so don’t get too caught up trying to find a bargain. A bargain price typically means they are either trying to grow (and then will likely increase fees later) or they are making money through other venues (and the priority may not be the password management program).
  • Use a program that works on mobile devices, Windows computers, and Macs so you can utilize it on all your devices. Additionally, make sure you can sync your database files easily in the cloud between devices.

Related to the database files, ensure the program you choose maintains an encrypted database file. This means that both the program and the master password are needed to open the database. All the 3rd party programs mentioned above encrypt the database with AES-256 encryption (which is much better than a Word document on Dropbox).
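The two properties the questions above and this paragraph describe, unique and strong passwords on the one hand and a database that only the master password can open on the other, are easy to see in code. The following is an added example written for this page, not code from any of the password managers named here: it audits a small constructed vault export for reuse and weakness, and it derives the 256-bit database key from a master password with a salted, deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library). The actual AES-256 encryption of the file needs a crypto library and is not shown; the point here is that the key, and so the database, is only reachable through the master password. The site names, passwords and iteration count are all made up for the example.

```python
"""Added example: password-vault audit and master-password key derivation."""
import hashlib
import secrets
from collections import defaultdict

# Constructed sample export of a vault: (site, username, password).
# Every value here is made up for the example.
SAMPLE_VAULT = [
    ("ortho-supplier.example",   "frontdesk", "Winter2017!"),
    ("insurance-portal.example", "frontdesk", "Winter2017!"),        # same password as above
    ("office-wifi",              "router",    "smileortho"),         # weak and reused
    ("bank.example",             "drsmith",   "kX7#pq2!vLm9$Rtz"),   # long, mixed, unique
    ("social.example",           "office",    "smileortho"),         # reused
]


def password_strength_issues(pw: str) -> list:
    """Return the reasons a password counts as weak (empty list = acceptable).

    The thresholds (12 characters, 3 of 4 character classes) are this
    example's policy, not a rule from the article.
    """
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    if sum(classes) < 3:
        issues.append("uses fewer than 3 character classes")
    return issues


def audit_vault(entries) -> dict:
    """Audit a vault export.

    Returns {"weak": {site: [issues]}, "reused": {password: [sites]}} so the
    owner can see which sites share a password (question 2) and which
    passwords are weak (question 1).
    """
    weak = {}
    sites_by_password = defaultdict(list)
    for site, _user, pw in entries:
        issues = password_strength_issues(pw)
        if issues:
            weak[site] = issues
        sites_by_password[pw].append(site)
    reused = {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}
    return {"weak": weak, "reused": reused}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive the 32-byte (256-bit) database key from the master password.

    The salt is random per vault and stored next to the encrypted database;
    the iteration count makes each guess of the master password expensive,
    which is what protects the database if the file itself is stolen.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def new_vault_salt() -> bytes:
    """Fresh 16-byte salt for a new vault."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT)
    for pw, sites in report["reused"].items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
    for site, issues in report["weak"].items():
        print(f"weak password for {site}: {'; '.join(issues)}")
    salt = new_vault_salt()
    right = derive_vault_key("correct master phrase", salt)
    wrong = derive_vault_key("correct master phrase?", salt)
    print("same key from wrong master password:", right == wrong)
```

Run as a script it lists the reused and weak entries from the sample export and shows that a one-character change to the master password yields an unrelated key; in a real manager that different key simply fails to decrypt the database.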

Currently, I personally use 1Password (https://1password.com/ ), mainly because I like the “Teams” option that allows you to share passwords between team members. You do this using shared “Vaults” as shown below. They charge per user so currently I only have one account for my personal use and one account that the staff uses for ordering and insurance. The program also allows you to save credit card information and profiles, so entering information on a new website goes much quicker. It is also a great way to organize NPI and license numbers for you and your team.

Another nice benefit of these managers is that you can actually load the sites and passwords very quickly and efficiently. I found myself actually saving time going through and paying bills after switching to a password manager because loading every site basically just takes a couple clicks of the mouse. A couple screenshots of how this looks on a mobile device are shown below. (I use this as quick access to my office Facebook account, since the app on my phone has my personal account saved.)

Some may have security concerns by having all your passwords stored in one spot. However, keep in mind that this is the focus of the company and they likely can manage it better than most people can with the little time they realistically devote to it. The first step to deciding if this type of program is right for you and your practice is an honest look at the security and efficiency of your current systems. If managing these passwords is stressful or they are not being stored securely, take a look into what current password manager programs can add to your practice.

2017 Winter Conference – Technology: Balancing Profit, Lifestyle & Patient Care

By Dr. Doug Depew

The 2017 AAO Winter Conference is quickly approaching. The theme of this year’s meeting is Technology: Balancing Profit, Lifestyle and Patient Care. It promises to be a meeting filled with information for both newer and established practices to help make those tough decisions on what technology is important to use in our practices and when we may wish to invest in it.

The meeting will begin with keynote speaker Jack Shaw. Mr. Shaw is a world-renowned technology futurist who will be discussing how cutting edge and disruptive technologies will change the way we do business and run our practices in the coming years.

IT guru Steve McEvoy will be answering some of those pesky questions we all have about computer hardware, effective and cost-efficient data backup, and security. In the ever changing world of computers, what you hear at this meeting will certainly be different than what Mr. McEvoy would have talked about even a couple of years ago.

On Friday afternoon we’ll have a lively discussion by Drs. Greg Jorgensen and Neil Kravitz regarding building our practices through social media, websites, and Internet marketing. Their success in these areas has been paramount in growing their thriving practices.

Saturday morning will begin with Dr. Aaron Molen sharing his experience and thoughts on bringing emerging technology into our practices to help create more efficient and more comfortable patient care.

We’re excited to have Drs. Ed Lin and Christian Groth discussing how to integrate some of the latest technology hardware into our orthodontic practices. This includes workflows for using CBCT, Scanners and 3D Printing.

The conference will conclude with Chris Bentson and Charles Loretto with a discussion on how technology can affect the value and profitability in our practices. This should help answer the question about at what stage of practice a doctor might consider investing in advanced technology.

The location for the meeting is at the gorgeous Marriott Harbor Beach Resort and Spa in Ft. Lauderdale, Florida. The dates are February 10-11, 2017. The schedule is organized in a way to allow some time for afternoon recreation.

There will be plenty of time allotted for attendees to ask questions of the speakers to be sure all bases are covered. To learn more and to register, visit https://www.aaoinfo.org/meetings/2017-winter-conference-technology-balancing-profit-lifestyle-patient-care

Am I legally responsible if I receive a patient referral from another dentist and it is sent to me unsecured?

By: Charlie Frayer, JD, MS, HCISPP, CIPP, CIPM

DISCLAIMER: Protected Trust cannot and does not provide legal advice, and the following question(s) and response(s)—like everything else we publish—are not intended as legal advice or opinion. If you need legal assistance, you should contact an attorney licensed to practice law in your jurisdiction.

For the purpose of this answer, we assume that “sent” means “emailed.” Yes, it is possible that you could be responsible if something bad happens to the patient’s electronic protected health information (ePHI) contained in the email referral, but only if it happens after you receive it.

Under HIPAA, a health care provider is called a “covered entity”. The HIPAA Privacy Rule defines “treatment” to include, “…the referral of a patient for health care from one health care provider to another.” The Privacy Rule also states that, “A covered entity is permitted to use or disclose protected health information…[f]or treatment…”. Therefore, under the scenario you describe, neither the referring dentist nor you are violating HIPAA by merely sending (disclosing) or receiving a patient’s ePHI as part of a referral. Given this good news, the core question now becomes, “Does a covered entity violate HIPAA by sending (or receiving) ePHI in an “unsecured” manner?” Again, the answer is mostly good news, but BE VERY CAREFUL AND READ THE REST OF THIS RESPONSE!!!

First, we have to know what makes ePHI “unsecured” vs. “secured”. Then, we need to know whether HIPAA requires ePHI to be secured (seems like a silly question, but you’ll probably be surprised). And, lastly, if HIPAA does not require ePHI to be secured, then what risks do you face by choosing to leave it unsecured?

Unsecured vs. Secured ePHI
The HIPAA Breach Notification Rule states that, “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS] in the guidance issued…”. The HHS guidance emphasizes the use of encryption to make ePHI secure. So, technical details aside, the simple answer is that “unsecured” means unencrypted, and “secured” means encrypted.

HIPAA: Encryption Is NOT Required…What?!?
That’s the title of one of our blog posts from Feb.-Mar. 2016—republished by AAO, which we highly recommend that you read immediately (here or here). Although you would be crazy to not use encryption when emailing ePHI—because the risks are enormous, it is true that HIPAA does not literally require encryption (again, read our blog post here or here right now). Rather, what the federal government decided to do was strongly encourage the use of encryption by making it a get-out-of-jail-free card (apologies to Parker Bros.). Under the HIPAA Breach Notification Rule, you must notify certain persons and/or entities whenever you have a breach (e.g., a loss or theft) of unsecured (unencrypted) ePHI. For example, depending on the breach details, HIPAA requires notifying not only the affected patients, but also the federal government (HHS) and prominent members of the media. But—and here’s the GREAT NEWS—if you have a breach of secured (encrypted) ePHI, you do not have to notify anyone. Why? Because the loss or theft of encrypted ePHI—which cannot be read without the key(s)—is not considered a breach at all. So, encryption=no breach=no notifications=no problems for you.

Risks of NOT Encrypting ePHI Emails
If you’ve already read the above-mentioned blog post—and, if you haven’t, stop now and do so immediately (here or here), then you already know the frightening list of risks you face for not using encryption. In summary, in the event of a breach of ePHI:

No Encryption = Notification(s)

Notification(s) = Investigations, Fines, Lawsuits, PR Disaster, and Lost Business

Investigations, Fines, Lawsuits, PR Disaster, and Lost Business = Wasted $,$$$,$$$.

Our Recommendations

  1. Never email ePHI without using Protected Trust Healthcare Email Encryption.
  2. Require all of your fellow covered entities (e.g., health care providers and insurers), other business associates, and patients to use Protected Trust Healthcare Email Encryption.

IMPORTANT REMINDER: As a Protected Trust client, all of these third-party persons and entities can communicate securely with you, free of charge, and forever. No catch!

  3. To comply with HIPAA, make sure everyone in your office has their own Protected Trust Healthcare Email Encryption account (shared accounts are not permitted by HIPAA).

HIPAA: Encryption is NOT Required…What?!?

By Charles E. Frayer[1], JD, MS, HCISPP, CIPP, CIPM

Introduction
No, that headline is not a misprint. Contrary to common assumptions—and what many email encryption providers may tell you, Congress, in its infinite wisdom (stop laughing, please) decided that the Health Insurance Portability and Accountability Act (HIPAA) should not—and, therefore, it does not—require the use of encryption to secure your patients’ private medical data (aka, electronic Protected Health Information or ePHI).

WARNING: IF YOU STOP READING NOW AND SIMPLY DECIDE THAT YOU DO NOT NEED ENCRYPTION, YOU MAY WAKE UP ONE DAY TO THE WORST FINANCIAL AND PUBLIC RELATIONS NIGHTMARE IMAGINABLE. SO, READ ON…

Required vs. Addressable: What’s the Difference?
In HIPAA, Congress adopted two types of implementation specifications—“required” and “addressable.” Those labeled “required” must be implemented or it will be deemed an automatic failure to comply with the HIPAA Security Rule. On the other hand, those labeled “addressable” must be implemented only if, after a risk assessment, the covered entity (that’s you, if you’re a Health Care Provider, a Health Plan, or a Health Care Clearinghouse) has determined that encryption is a reasonable and appropriate safeguard for managing risks to the confidentiality, integrity and availability (CIA) of ePHI. A brief sidebar about the CIA triad: confidentiality protects against unauthorized disclosure; integrity protects against unauthorized modification or destruction; and availability protects against disruptions to access and use of ePHI. Okay? Now, back to our story…

However, if you determine that encryption is not reasonable and appropriate (think about this carefully), then you must document your rationale for that decision and do one of the following: (a) implement an equivalent alternative to encryption that is reasonable and appropriate; or (b) if safeguarding ePHI can otherwise be achieved, then HIPAA even allows you to choose not to use encryption or any equivalent alternative measure, provided that you also document the rationale for this decision.[1] Shocking, isn’t it? Yes, Congress effectively (is that an oxymoron?) allows you to do nothing, provided you can and do back it up.

Now, if you’ve thought about that carefully, you’re probably wondering something like, “What if HHS audits me and they don’t agree with my carefully documented rationale for deciding that encryption is not reasonable and appropriate to protect my patients’ private medical data?” Perfect question! And therein lies the problem. It is difficult (impossible?) to even imagine a situation for which it would be “reasonable and appropriate” to decide not to use encryption to protect ePHI (remember, that lowercase “e” stands for “electronic”). So, even though HIPAA does not literally require encryption, it effectively requires encryption because there is no reasonable and appropriate alternative for protecting ePHI.

In other words, when it comes to using encryption to protect ePHI, there is little (if any) difference in Congress labeling it as “addressable” rather than “required” because not using encryption is simply too risky for your patients’ ePHI and, therefore, even riskier for your business.

Encryption: HIPAA’s Data Breach Safe Harbor
Under the HIPAA Breach Notification Rule, there are essentially two types of ePHI—unsecured (i.e., unencrypted) and secured (i.e., encrypted). Under HIPAA, every breach of unencrypted ePHI requires you to provide time-bound notifications to: (1) affected patients; (2) the Secretary of HHS (i.e., the federal government); and/or (3) prominent local/state media outlets. This, of course, will put you at risk of federal and/or state investigations, fines, possible lawsuits, and the worst kind of public relations disaster imaginable, which will almost certainly result in lost business.

But there is good news…no…GREAT NEWS!!! Under the Breach Notification Rule, encrypted ePHI that is “breached” (e.g., lost, stolen, or accidentally/intentionally sent to the wrong recipient) is not considered a breach at all because ePHI that is encrypted cannot be read or otherwise used without the key(s) required to decrypt it. Consider some of the risks of emailing your patients’ ePHI unencrypted versus sending it via encrypted email, as follows:

[Image not reproduced: comparison of the risks of emailing ePHI unencrypted versus via encrypted email]

So, if you use it, encryption is your lawful HIPAA-endorsed safe harbor against everything you want to avoid in the event of a breach of ePHI. Going back to our previous segment, even if you somehow came up with that rarest of all situations—where using encryption to protect ePHI was not reasonable and appropriate, you still need to use it because doing so gives you a complete “out” when the worst of all possible ePHI scenarios—a data breach—occurs (i.e., you get to simply walk away).

In summary, although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.

[1] Charlie Frayer is a Michigan licensed attorney and Florida Authorized House Counsel serving as General Counsel and Chief Privacy Officer at Protected Trust, LLC, the leading provider of Simple Email Encryption with 24×7 free and unlimited support via phone, email, and chat.

[1] See: 45 CFR § 164.306(d)(3) detailing the difference between “Addressable” and “Required” implementation specifications at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1306;

45 CFR § 164.312(a)(2)(iv) labeling encryption and decryption as “Addressable” at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1312; and
the HHS HIPAA Encryption FAQ at http://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html

Sending Sensitive Patient Data via E-mail

By Dr. Andreas Detterbeck

Communication between clinicians via E-mail is fast, easy, cheap and widely used. But sending an unencrypted E-mail is as safe as sending a postcard: numerous parties along the way can read the correspondence at any time. Violations of patient privacy can have dramatic consequences; depending on national laws, some of these violations may even result in prosecution of the clinician (see HIPAA).

There are many commercial solutions to encrypt your communication, but if you are confident and experienced in using computers (you should at least know how to download and install software) there is no need to rely on any company. You don’t have to worry about high fees or about losing your correspondence if your preferred encryption business crashes. In this post I want to suggest a few ways to encrypt your E-mail communication easily and (almost) free of charge:


Encryption of E-mail Communication by S/MIME
If I don’t want my mail to be readable by anyone except the recipient, I have to convert the text into some kind of coded or encrypted form. Because it is not easy to invent an encryption scheme of your own and share it with your communication partner, a standardized tool is very helpful. This is where the Secure/Multipurpose Internet Mail Extensions (S/MIME) come in: S/MIME offers encryption and signing of E-mails in a standardized and reproducible way. Most current E-mail programs and free Webmail providers support it.

Below I give a step-by-step introduction to implementing S/MIME in your mailing process:

  1. First of all, make sure you are using an E-mail program with S/MIME support (Mozilla Thunderbird, Microsoft Outlook and many more).
  2. Next, buy or even just create a certificate from a big commercial or non-commercial certification authority (CA). You may find some references here.
  3. Now comes the hardest step, but don’t worry, you’re almost done: install this personal certificate in your E-mail program with S/MIME support. The procedure differs considerably between programs. Here are two useful how-to links for the most common software:

Microsoft Outlook
Mozilla Thunderbird

  4. Users who have completed these steps are then ready to send digitally signed E-mails and to receive encrypted messages. (You sign a message when you want to prove that the mail comes from you and that the text has not been modified in transit.)
  5. If users want to send encrypted E-mails of their own, and not only receive encrypted mail, the recipient needs to have an S/MIME certificate, too.

For security reasons, a user certificate normally remains valid for only one or two years; a replacement is available from the CA for a small fee or even free of charge.
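What the steps above set up in an E-mail client can be exercised directly with the OpenSSL command-line tool, which makes the roles of the two certificates visible. The following is an added example for this page, not code from the author or from the cited paper. It assumes the `openssl` binary is installed and on the PATH, and it invents two correspondents, Alice (sender) and Bob (recipient), whose self-signed certificates stand in for ones issued by a CA (step 2). Alice signs a constructed referral with her private key (step 4); Bob verifies it against her certificate, and a copy with one altered word fails verification. Alice then encrypts the referral to Bob’s certificate (step 5), which only Bob’s private key can open.

```python
"""Added example: S/MIME sign, verify, encrypt and decrypt via the openssl CLI."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample message; CRLF line endings as used in mail.
REFERRAL = (b"Patient referral: J. Doe, DOB 1990-01-01 (constructed sample)\r\n"
            b"Please evaluate for orthodontic treatment.\r\n")


def openssl(*args, check=True):
    """Run one openssl command and return the CompletedProcess (output captured)."""
    return subprocess.run(["openssl", *args], capture_output=True, check=check)


def make_self_signed(workdir: Path, name: str, email: str):
    """Create a private key plus a self-signed certificate marked for e-mail use.

    In practice this certificate would come from a CA; self-signed is only
    for the example. Returns (key_path, cert_path).
    """
    key, crt = workdir / f"{name}.key", workdir / f"{name}.crt"
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
            "-subj", f"/CN={name}/emailAddress={email}",
            "-addext", "keyUsage=digitalSignature,keyEncipherment",
            "-addext", "extendedKeyUsage=emailProtection",
            "-keyout", str(key), "-out", str(crt))
    return key, crt


def smime_demo() -> dict:
    """Run the whole exchange in a temp folder; return a dict of outcomes."""
    if shutil.which("openssl") is None:
        raise RuntimeError("the openssl command-line tool is required for this example")
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        alice_key, alice_crt = make_self_signed(d, "alice", "alice@example.com")
        bob_key, bob_crt = make_self_signed(d, "bob", "bob@example.com")
        msg = d / "referral.txt"
        msg.write_bytes(REFERRAL)

        # Signing: Alice's private key signs; her certificate travels with the
        # message so the recipient can check the signature.  The text itself
        # stays readable (a signature proves origin and integrity, not secrecy).
        signed = d / "signed.eml"
        openssl("smime", "-sign", "-in", str(msg), "-signer", str(alice_crt),
                "-inkey", str(alice_key), "-out", str(signed))
        # Verification: Bob checks against the certificate he trusts for Alice
        # (the self-signed cert plays the CA's role here).
        v = openssl("smime", "-verify", "-in", str(signed), "-CAfile", str(alice_crt), check=False)
        verify_ok = v.returncode == 0 and b"J. Doe" in v.stdout

        # Tampering in transit: change one word in the signed text; the
        # signature no longer matches and verification must fail.
        tampered = d / "tampered.eml"
        tampered.write_bytes(signed.read_bytes().replace(b"J. Doe", b"J. Roe"))
        t = openssl("smime", "-verify", "-in", str(tampered), "-CAfile", str(alice_crt), check=False)
        tamper_detected = t.returncode != 0

        # Encryption: Alice needs Bob's certificate (his public key); the
        # message body is encrypted with AES-256 for him alone.
        enc = d / "encrypted.eml"
        openssl("smime", "-encrypt", "-aes256", "-in", str(msg), "-out", str(enc), str(bob_crt))
        ciphertext_unreadable = b"J. Doe" not in enc.read_bytes()
        # Decryption: only Bob's private key opens it ...
        dec = openssl("smime", "-decrypt", "-in", str(enc), "-recip", str(bob_crt), "-inkey", str(bob_key))
        decrypt_ok = REFERRAL.replace(b"\r\n", b"\n") in dec.stdout.replace(b"\r\n", b"\n")
        # ... and Alice's own key, not being a recipient, is rejected.
        w = openssl("smime", "-decrypt", "-in", str(enc), "-recip", str(alice_crt),
                    "-inkey", str(alice_key), check=False)
        wrong_key_rejected = w.returncode != 0

        return {"verify_ok": verify_ok, "tamper_detected": tamper_detected,
                "ciphertext_unreadable": ciphertext_unreadable,
                "decrypt_ok": decrypt_ok, "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    for name, outcome in smime_demo().items():
        print(f"{name}: {outcome}")
```

The exchange shows why step 5 needs the recipient to have a certificate too: signing uses only the sender’s key, but encrypting requires the recipient’s certificate up front, and the signed message is still plaintext until that encryption step is applied.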

Conclusion
Maybe you are thinking: this all sounds strange to me, and way too much work is required. There has to be an easier, less cumbersome solution.

But we don’t have the easy solution yet.

Of course you can pay a company to secure and encrypt your communication, but what happens if the company becomes insolvent or decides to wind down its operations? What happens to your documents? There are providers that will still allow you access to your data, but this may not be the case for all providers, so make sure it is before you sign up.

For use in daily clinical practice, I definitely recommend E-mail encryption by S/MIME. It has been an IT standard since 1995, so long-term support can be presumed. At the very least, doctors who correspond with each other should have some form of secure communication.

Do not forget: the use of cryptography before sending patient data via E-mail is mandatory! If you are not sure how to encrypt your E-mail communication, it is better to refrain from sending private patient data via the internet at all.

This blog-entry is based on:

Electronic transfer of sensitive patient data.
Detterbeck A, Kaiser J, Hirschfelder U.
Int J Comput Dent. 2015;18(1):45-57.
http://www.ncbi.nlm.nih.gov/pubmed/25911828

CryptoWall Virus Affecting Practices

By Steve McEvoy, Technology Consultant

We are seeing a fast spreading outbreak of a new virus called CryptoWall affecting many practices. Similar to the Cryptolocker virus that emerged last year, this virus seeks to encrypt all your precious data on your computer, and hold it for ransom (asking you to send them $500 USD in Bitcoin to get the decryption key).

What makes this virus so alarming is that as of a few days ago ZERO out of nearly 50 antivirus programs were able to detect it. None.

How to protect yourself

Eventually the antivirus programs will catch up and learn how to detect it, but at this point in time you need to rely on your own wits and on acting responsibly.

So far the virus has been arriving as an attachment to an email message (usually a ZIP or PDF file). We’ve seen it claiming to be airline ticket confirmations, monthly statements from the power company, shipping receipts, etc. Avoid ANY email with attachments that you are not 100% expecting. If you receive an email that you are unsure of – DON’T OPEN IT – and contact the sender by other means and confirm that they did send it to you. Reading the email doesn’t infect your PC, only opening the attachment will.
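The rule in this paragraph (treat any unexpected attachment, ZIP or PDF in particular, as suspect until the sender has confirmed it by other means) can be applied mechanically before anyone opens a message. The following triage check is an added example written for this page, not a tool from the author: it parses a raw message with Python’s standard `email` library, lists its attachments, and flags the message unless the attachments are harmless or the sender is on the practice’s own allow-list of senders it expects attachments from. The two sample messages, the allow-list and the list of risky file types (which goes beyond the article’s ZIP and PDF to common executable and script containers) are all constructed for the example.

```python
"""Added example: attachment triage for incoming mail, defender's side only."""
from email import message_from_bytes, policy
from email.utils import parseaddr

# File types that are not opened without confirming with the sender first.
# ZIP and PDF are the carriers the article reports; the rest are added here
# as common executable/script containers (example policy, not from the article).
RISKY_SUFFIXES = (".zip", ".pdf", ".exe", ".scr", ".js", ".vbs", ".docm", ".rar")

# Constructed allow-list: addresses the practice expects attachments from.
EXPECTED_SENDERS = {"billing@lab.example"}

# Constructed sample: a "statement" lure with a ZIP attachment (bytes are a
# placeholder, never decoded or opened by this code).
SAMPLE_PHISH = b"""From: "Power Company" <statements@bogus-power.example>
To: frontdesk@smileortho.example
Subject: Your monthly statement is attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your statement for this month is attached. Please open it to review.
--XYZ
Content-Type: application/zip; name="Statement_0217.zip"
Content-Disposition: attachment; filename="Statement_0217.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAAAAIQAAAAAAAAAAAAAAAAA=
--XYZ--
"""

# Constructed sample: an ordinary message with no attachment at all.
SAMPLE_BENIGN = b"""From: "Dr. Jones" <drjones@smiledental.example>
To: drsmith@smithortho.example
Subject: Lunch next week?
MIME-Version: 1.0
Content-Type: text/plain

Are you free on Tuesday?
"""


def triage(raw: bytes, expected_senders=EXPECTED_SENDERS) -> dict:
    """Classify one raw message; returns sender, attachment names and a verdict.

    Verdicts: "DO NOT OPEN" (risky attachment from an unexpected sender),
    "EXPECTED SENDER" (risky type, but the sender is on the allow-list, so
    scan it and confirm before opening) or "OK" (no risky attachments).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    _display_name, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    # iter_attachments() only looks at parts marked as attachments; nothing
    # is decoded or executed here.
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    risky = [name for name in attachments if name.lower().endswith(RISKY_SUFFIXES)]
    if risky and sender not in expected_senders:
        verdict = "DO NOT OPEN"
    elif risky:
        verdict = "EXPECTED SENDER"
    else:
        verdict = "OK"
    return {"sender": sender, "attachments": attachments, "risky": risky, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        r = triage(raw)
        print(f"{label}: from {r['sender']!r}, attachments {r['attachments']} -> {r['verdict']}")
```

The check deliberately keys on the envelope, not on how convincing the body looks: the article’s lures all read like routine statements and receipts, so "is this attachment type one I was expecting from this sender?" is the question that separates them from legitimate mail.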

Signs that you are infected

The virus needs time to tackle the encryption. The longer it goes undetected, the more of your data it can encrypt. You will notice the PC running much slower than normal (since it is using the computer’s processing power to encrypt your files). You may see files named DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML on the desktop, in documents, pictures, mapped drives or any location where you have data saved.
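Because the malware drops its DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML files into every folder it has worked through, the location of those files tells you which folders have already been encrypted. The sweep below is an added example for this page, not a tool from the author: it walks a directory tree read-only, looking at file names only, and reports every folder that carries one of the two notes, which is what an IT person would want to know before restoring from backup. The sample tree is constructed inside a temporary folder so the example runs offline.

```python
"""Added example: read-only sweep for the ransom-note indicator named above."""
import os
import tempfile
from pathlib import Path

# File names the article reports the malware leaving behind (compared
# case-insensitively, since file systems may show them in either case).
RANSOM_NOTES = {"DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML"}


def find_ransom_notes(root) -> list:
    """Return sorted (folder, note-name) pairs for every note under `root`.

    Folders are given relative to `root` with '/' separators. Only names are
    examined: no file is opened, so the sweep changes nothing on the machine.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() in RANSOM_NOTES:
                folder = Path(dirpath).relative_to(root).as_posix()
                hits.append((folder, name))
    return sorted(hits)


def affected_folders(root) -> list:
    """Distinct folders holding at least one note, i.e. folders already encrypted."""
    return sorted({folder for folder, _ in find_ransom_notes(root)})


def build_sample_tree(root):
    """Constructed sample: two folders carry ransom notes, one is untouched."""
    root = Path(root)
    (root / "Documents").mkdir()
    (root / "Documents" / "referral.docx").write_text("placeholder content")
    (root / "Documents" / "DECRYPT_INSTRUCTION.TXT").write_text("placeholder note")
    (root / "Documents" / "DECRYPT_INSTRUCTION.HTML").write_text("placeholder note")
    (root / "Pictures" / "2016").mkdir(parents=True)
    (root / "Pictures" / "2016" / "decrypt_instruction.txt").write_text("placeholder note")
    (root / "Music").mkdir()
    (root / "Music" / "song.mp3").write_text("placeholder content")


def demo() -> dict:
    """Build the sample tree in a temp folder, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {"notes": find_ransom_notes(tmp), "folders": affected_folders(tmp)}


if __name__ == "__main__":
    result = demo()
    for folder, name in result["notes"]:
        print(f"{folder}: {name}")
    print("folders already encrypted:", ", ".join(result["folders"]))
```

Pointed at a mapped drive (`find_ransom_notes(r"\\server\share")`, for instance) the same function shows how far the encryption has spread across shared data, which is also why the article’s advice is to power the infected PC off rather than keep it running while you investigate.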


What to do if you suspect an infection

Open the DECRYPT_INSTRUCTION.HTML file and note the time remaining to decrypt your data (they only allow you a short period of time to send them the money before they destroy the data permanently). Once you have that information TURN OFF THE PC. The longer it remains online the more data it can encrypt. Do not attempt to run scans and clean the system, this only buys it more time to encrypt data. Do not connect any external drives to restore backups of data as it will attempt to encrypt your backups when it sees the drives. Contact your IT person IMMEDIATELY for their assistance in recovery.

Encrypting your Laptop

By Steve McEvoy, Technology Consultant

Depending on your interpretation of the HIPAA regulations, your Practice’s HIPAA policy (you have one, right?) might mandate that Protected Health Information (PHI) on portable electronic devices within your Practice should be encrypted.

Let me interpret that last sentence into English – if there is any chance that you have any information related to your patients on your laptop, it’s probably a good idea to encrypt the laptop to keep the attorneys and HIPAA Nazis away in the event that it is stolen or lost. You probably have your own personal data on the laptop too, so this is good for several reasons.

I would expect that if I could canvass all of you reading this article, 90+% have PHI on your laptop in some form (as minor as an email message) and less than 1% of you have your laptop data encrypted. I expect that most laptops that get stolen or lost now don’t get reported, and the Doctors are just silently hoping it doesn’t get discovered.

You want to encrypt your laptop, but how do you accomplish this? I’d like to be able to tell you the how-to is simple (“Just do this…”) but I can’t. Depending on your equipment you have to consider your options. If you invest the time to read through the article below, the conclusions at the bottom will get you started on getting this done.

The Background that Matters

Encryption is basically a process where data stored on a computer is scrambled in a pattern using an encryption key. The process is complicated, but renders the information useless to anyone unless they possess the key.

There are various levels of encryption; you might have heard it described as 128 or 256 bit encryption. This refers to the length of the key. A key is a string of 0’s and 1’s (binary language), and the number of bits is how many of those digits the key has. For example, 8 bit encryption would allow 2 to the power of 8 possible combinations of 0’s and 1’s, so 256 possible keys if you do the math. If you used 8 bit encryption it would be pretty easy to just try each of the 256 keys to unlock your data. Now consider that 128 bit encryption has about 3.4 × 10^38 possible keys, specifically 340,282,366,920,938,463,463,374,607,431,768,211,456. That is a lot! 256 bit encryption has about 1.15 × 10^77 possible keys, and is generally considered unhackable (unless you’re the NSA). Fun fact – many banking websites now use 2048 bit encryption!

I’ve heard rumors that the number of bits used matters to HIPAA, but I have NOT been able to confirm this for myself. The rumor goes that 128 bit is NOT good enough for safe harbor (‘safe harbor’ meaning that if you lose the laptop you don’t have to report it), and that 256 bit is good enough for safe harbor. Personally I think any level of encryption will keep your data safe, since no one is likely to invest the time or effort to decrypt dental records. They are going to take your stolen laptop, reload Windows and resell it on eBay or Craigslist for a quick buck.

If we agree that we want encryption and we’ll go with 256 bit, now what? It gets tricky here, so hang in with me.

Your two choices for Encryption

The encryption process (taking your data and mashing it up using the encryption algorithm with your key) takes computing power. Something has to actually ‘do’ all that work. That something is generally one of two things:

  • Software based encryption has a little program plugged into Windows that converts all the information on the fly, and thus this method uses some of your laptop’s CPU power and memory to get it done.
    • This is great because it is a solution that can work on any computer, in particular those that don’t have the special hardware.
    • On older laptops this can make them feel even slower (noticeably so) and can turn one from marginal to use to no fun at all to use. Some older laptops just can’t deal with the load. I’ve seen it make a cheap 5 year old laptop nearly unusable.
    • There is usually some cost to this, ranging from free to perhaps $130.
  • Hardware based encryption is a solution where a special encryption chip (either on the hard drive storing the data or within the laptop) does all the thinking. This method doesn’t borrow any resources from your laptop’s CPU or memory.
    • This is great since it won’t slow down your computer, even if it’s an older model.
    • Even new computers or hard drives don’t all have this hardware as standard – you need to look for it. When you order a new Dell or HP business laptop you need to select a hard drive with Opal security. The cost increase is minimal, typically $20 to $50.

Software encryption is appealing to many since Microsoft began to include BitLocker for free in specific versions starting with Windows Vista. There are only two versions of Windows Vista/7 that do include it, the Ultimate and Enterprise editions. Unfortunately the vast majority of Windows 7 out there is the Home or Professional edition. You can do an ‘In Place Upgrade’ of Windows 7 Professional to Ultimate, but it costs ~$130. The good news comes in Windows 8 – Microsoft now includes BitLocker as standard in both the Pro and Enterprise versions of Windows 8. So, if you have Windows 7 Ultimate, Windows 7 Enterprise or Windows 8 Pro on your laptop, enabling software encryption is as easy as going to Control Panel, clicking on BitLocker and following the prompts. Allow from a few hours to 2 days for the initial encryption to complete (knowing you need to leave the laptop alone and plugged in for that period). Pay close attention to the performance impact after BitLocker is set up. If you can’t notice the difference you are in great shape. If performance sucks afterwards, you can always turn it off and go back to normal again.

It is possible to replace your old slow hard drive with a new drive that includes hardware encryption.   A fancy super-fast Solid State Drive (SSD) with Opal security can be had for as little as $114 now (I am a big fan of the Samsung 840 Pro, and others like Intel make good units). The move to SSD will likely speed up your laptop substantially in general so it might be worth it on its own. Remember to factor in the cost of having your IT person help you copy your old drive to the new one and enable the encryption.

Just because you have an Opal compliant drive installed doesn’t mean it’s turned on. Something has to work with it to turn it on and provide a key. Unfortunately the Windows 7 Ultimate and Enterprise editions can ONLY do software encryption – they have no idea about Opal drives or what to do with them. The good news is that Windows 8 BitLocker now has the intelligence to work with Opal drives and can control them for you. So, with Windows 7 BitLocker you get software encryption only; with Windows 8 you can get software or hardware encryption if your drive is compliant.

There are more software encryption options than Windows BitLocker. As with many Microsoft features, BitLocker is sort of the bare bones of what is needed. Third party companies such as Dell and Sophos have add-in applications for Windows that can do the same thing as BitLocker, maybe even better with less of a performance impact. Dell Data Protection Encryption (DDPE) is available in several versions, but for about $50 you can add it to any version of Windows and turn on software OR hardware encryption if your drive is compliant.

Auditing

None of these personal solutions may be truly 100% HIPAA compliant. If you believe that there needs to be a constant level of electronic auditing to be able to prove that your laptop was encrypted at the moment of loss, you need a better solution. DDPE for example has an ‘Enterprise’ level license that will include this kind of auditing, but at a cost. The individual license cost only goes up marginally, to perhaps $80, but you need to have an armada of Server software running somewhere that does the auditing process and an IT person to set it all up.

Personally I think this is overkill, and if your practice’s HIPAA policy states that you shall encrypt with 256 bit BitLocker, and you do it, just write a letter to yourself (or have your IT person write it) that states that “On this date we enabled 256 bit BitLocker encryption on the laptop with serial number 1234, and stored the encryption key in this safe place” and sign it. Keep this document someplace safe. You could add a periodic audit to this on an annual basis where you check that BitLocker is enabled (remember that it can be turned off as easily as it was turned on) and document that you checked on the specific date.
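One way to make that annual check repeatable is to script it. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes Windows 8 (or Server 2012) or later, where the BitLocker module with Get-BitLockerVolume is available, and an elevated PowerShell session. The log path is a placeholder to point at the folder where you keep your HIPAA paperwork.

```powershell
# Added example: a do-it-yourself BitLocker audit record (not from the original post).
# Assumes Windows 8 / Server 2012 or later (BitLocker PowerShell module present)
# and a session started with "Run as administrator".
param(
    [string]$AuditLog = "C:\HIPAA\BitLocker-Audit.log"   # placeholder path, change to suit
)

# Identify the machine the same way the signed letter does: by serial number.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$stamp  = Get-Date -Format "yyyy-MM-dd HH:mm"
$who    = "$env:USERDOMAIN\$env:USERNAME"

# Only fixed drives count; a USB stick that happens to be plugged in is not where PHI lives.
$fixedMounts = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):" }

$allGood = $true
$lines   = @("[$stamp] BitLocker audit on $env:COMPUTERNAME (serial $serial), checked by $who")

foreach ($vol in Get-BitLockerVolume | Where-Object { $_.MountPoint -in $fixedMounts }) {
    # ProtectionStatus is 'Off' both when BitLocker was never enabled and when it
    # was suspended (for a firmware update, say) and never resumed. That is the
    # "as easy to turn off as to turn on" case the post warns about, so it fails the audit.
    $protected  = ($vol.ProtectionStatus -eq 'On')
    $finished   = ($vol.VolumeStatus -eq 'FullyEncrypted')
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    if (-not $protected -or -not $finished) { $allGood = $false }

    $lines += ("  {0} status={1} ({2}%) protection={3} method={4} protectors=[{5}]" -f
        $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage,
        $vol.ProtectionStatus, $vol.EncryptionMethod, $protectors)
}

$lines += "  RESULT: " + $(if ($allGood) { "PASS - every fixed drive is fully encrypted and protected" }
                            else { "FAIL - fix this before relying on encryption for safe harbor" })

# Append, never overwrite: the file becomes the dated history of every check you ran.
New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
$lines | Add-Content -Path $AuditLog
$lines | Write-Output
if (-not $allGood) { exit 1 }
```

Run it once when you enable encryption and again at each annual review, and keep the log with the signed letter. On Windows 7 the BitLocker module is not available; the equivalent one-off check there is manage-bde -status, whose output you can paste into the same log by hand.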

Caveats

Really, really, really read this section and follow its suggestions. It’s based on the school of hard knocks I have personally attended.

Backup

If you enable encryption on your laptop I guarantee you this will cause a nightmare for your IT person down the road if you have a hardware failure (like a drive failure, Windows corruption due to spyware or virus, etc). I have lived this multiple times.   Without encryption, IT people have a substantial bag of tricks to try and recover fragments of data from your dead or dying hard drive (most of the time we can get part or all of your data back). With encryption, the drive thinks your IT person is just a bad guy and works to prevent access.   So, all those precious family photos or lectures you’ve prepared are at risk of complete loss.

You need a regular backup of your laptop data. We all know you should be doing this already, but rarely does anyone take the time to do it.   If you are, kudos to you!

My suggestion is to invest in an Internet Backup solution for your laptop in order to keep a near real-time backup copy of the data on your drive. Other than the initial setup (which is very easy), you don’t need to do anything else. It will just run in the background any time you are connected to the Internet. The solutions are cheap now from companies like Carbonite, Mozy and Oak Tree Storage. A personal plan from Carbonite with unlimited storage is just $5 per month now, less than a quad shot venti latte at your favorite coffee shop. [One of you is going to ask “Is an Internet Backup HIPAA Compliant?” and that is a good question, but I don’t have space to answer it here in detail other than “Probably Yes”]

Make sure your backup is complete BEFORE you turn on the encryption. An Internet backup might take from a few hours to a few weeks to complete the initial sync depending on how much data you have.

Don’t Lose your Key!

Regardless of what method of encryption you enable, all of the solutions are going to need to store a copy of the encryption key. Some solutions might use a special chip on your laptop called a Trusted Platform Module (TPM chip), and others might want you to attach a USB thumb drive. If you use a thumb drive, get a drive specifically for this purpose (they cost as little as $10 now) and then store the USB drive in a safe place (like a safe or lock box). Label the drive with what it’s for, “Encryption Key for my Laptop”, and DON’T carry this drive around or use it like a regular USB key for your files. Think about it: if you lose the key, someone has a critical part of your encryption process. You might be able to make a copy of the encryption key file in several safe places (like a folder on your laptop that is then sucked up in the Internet backup).

Don’t keep the only copy on your laptop thinking that the encrypted drive is the safest place.   When the drive fails, your IT person will be asking you for a copy and you will be stuck with your keys locked in the car essentially. Another reason you might need a copy on USB key is that some laptops can sense ‘tampering’ and will lock themselves down if they think someone is trying something fishy to hack the encryption. The only way to unlock the drive and get your laptop functioning again will be to present the encryption key.
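As an added example of the key copy described above (not code from the original post or from Microsoft), this PowerShell makes sure the system drive has a BitLocker recovery password and writes it to a labelled file on the dedicated USB key. It assumes Windows 8 or later with the BitLocker module and an elevated session; the USB drive letter E: and the file name are placeholders.

```powershell
# Added example, not from the original post: export the BitLocker recovery password
# for one drive to a labelled file on the dedicated USB key.
# Assumes Windows 8+ (BitLocker module) and a "Run as administrator" session.
param(
    [string]$MountPoint = "C:",
    [string]$UsbRoot    = "E:\"     # placeholder: the USB key you keep in the safe
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# A TPM protector unlocks the drive silently at boot, but it cannot be "presented"
# when the drive sits in another machine or the laptop has locked itself down.
# For that you need the 48-digit recovery password protector, so add one if missing.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# Name the file the way the post labels the USB key, plus the serial number
# so the file can never be confused with another laptop's key.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$file   = Join-Path $UsbRoot ("Encryption Key for my Laptop - serial {0} - drive {1}.txt" -f
                              $serial, $MountPoint.TrimEnd(':'))

# One record per recovery protector. The protector ID is what the BitLocker
# recovery screen displays, so you can tell which password it is asking for.
$text = foreach ($p in $rp) {
    "Computer: $env:COMPUTERNAME   Serial: $serial   Drive: $MountPoint"
    "Key protector ID:  $($p.KeyProtectorId)"
    "Recovery password: $($p.RecoveryPassword)"
    "Saved on: $(Get-Date -Format 'yyyy-MM-dd')"
    ""
}
$text | Set-Content -Path $file
Write-Output "Recovery password written to $file. Label the USB key and lock it away."
```

Point the same script at a folder that your Internet backup covers for the second copy the post recommends, and re-run it if you ever remove and re-add protectors, because a new recovery password protector gets a new ID and a new password.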

Encrypt it All or Don’t Bother

Some solutions offer you a way to have just an encrypted folder or similar setup where only a portion of the laptop hard drive is encrypted. It wouldn’t take much of a lawyer to tear you apart on this, essentially requiring you to prove that there was no possibility of there being PHI on the unprotected portion of the drive. Don’t use a half measure – use a solution that encrypts the entire drive.

A Password is Essential

There isn’t much point to encrypting your laptop if you don’t have a good password on your Laptop.   Imagine if your laptop was set to just automatically login without stopping for a username and password.  The thief would have direct access to your data without even needing to consider hacking the encryption.  Make sure you have a strong password.   Check out our previous Blog post on this.

What about Mac’s?

I am no Mac expert so I won’t try to be. A little research with Google points out that the latest versions of the Mac OS now include FileVault 2 (it appears that all you need to do is enable it). It will fully encrypt your Mac hard drive at the 128 bit level. I don’t know if this is software or hardware encryption. I am not sure how this will play with Macs set up with Boot Camp partitions, but I suggest you do a little research or enlist your Mac genius if needed. I’d still advise that you make sure you have a full regular backup in place.

What Would I Do?

Ok, you’ve suffered through the entire article to get to this. Here’s what I would do based on a few scenarios:

  • If I had an older laptop I was ready to replace – get a new laptop with an Opal drive included and Windows 8 Pro, and then enable BitLocker.
  • If I had a decent existing laptop on a Windows version that already included BitLocker, I would just enable software encryption and accept that the performance hit will be a little bit but not enough to matter.
  • If I had a decent existing laptop on a version of Windows that did NOT include BitLocker and I didn’t want to replace the drive and OS (due to the hassles), I would get a third party encryption application like Dell Data Protection Encryption (DDPE) or Sophos and set up software encryption.
  • If I had a decent existing laptop and was willing to upgrade the hardware and OS, I would get a new fancy SSD with Opal security and then install Windows 8 Pro and use BitLocker to control it.
  • For any of these solutions I would add the Do-It-Yourself auditing to document that the setup was completed and periodically review that it’s still enabled.
  • I would be sure to keep one copy of the encryption key on a USB drive in my safe, and another copy in a folder on my encrypted drive that would also get backed up by my Internet Backup plan.

If I had done one of these scenarios and my laptop was lost or stolen, I would rest easy that the data was safe.

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?

The August 2014 complimentary lecture of the month is now online. Click the link below to immediately begin viewing:

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant? presented by Dr. J. Martin Palomo.


What is “Big Data” and How Is It Related to the Practice of Orthodontics?

By Anthony M. Puntillo DDS, MSD

Have you heard of the term “Big Data”? My guess is that for many orthodontists the term is likely a bit like the term “The Cloud.” They may have a general idea of the concept, but are not entirely sure how it is or will be important to them. In fact, there is a strong relationship between the two terms that I will discuss later in this article. First, however, let’s look at “Big Data” by itself. According to Wikipedia, “Big data is a blanket term for any collection of data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications.”

In 2009 the United States Congress passed the American Recovery and Reinvestment Act (ARRA), which included the Health Information Technology for Economic and Clinical Health Act (HITECH). [For a detailed summary of this legislation please see Kirt Simmons’ blog posting from July 9, 2012, “The Electronic Patient Record: How it Affects the Private Practitioner”]. One of the requirements of HITECH is that full implementation of electronic health records (EHRs) for all patients is required by 2016. The requirements of this act specifically pertain to healthcare providers who participate in the Medicare and Medicaid programs. That means that currently few dentists are covered by this mandate. However, this does not mean that we are not being affected. Since 2009 doctors and hospitals across the country have spent billions of dollars, with the help of government subsidies, converting paper based systems to electronic, digitally based health records. These new digital systems are now collecting vast amounts of valuable data related to patient care. Much of this information was collected before the legislation, but in a paper, non-standardized format that was not easily aggregated and retrievable for meaningful analysis. The value of all of this collected digital data is only beginning to be fully understood. Big Data from all healthcare providers is being aggregated, and programs to analyze the data are being used to improve the quality, safety, and efficiency of patient care. Hospitals are examining treatment protocols and doctors are making better informed treatment decisions based on the previous care of thousands of similar patients.

As I stated earlier, the EHR requirement of HITECH does not specifically pertain to most orthodontists, so why is this important to us? Many orthodontists have converted, or are now in the process of converting, their practices to paperless systems (without the assistance of the government money). Several of the orthodontic specific software vendors offer cloud based systems, and here is where “Big Data” and “The Cloud” come together. The aggregation of data from hundreds or thousands of individual private orthodontic practices into cloud servers is beginning to open the door for data analysis (mining). Just think about how valuable that information can be to our patients and practices. Most of the research studies published in our journals today involve treatment samples of less than one hundred. The biannual Journal of Clinical Orthodontics Practice Study generally relies on the input from a few hundred survey responders (out of a possible pool of more than 8,000). Wouldn’t it be helpful for us to know the most efficient type of Class II corrector based on the actual metrics collected from the previous care of thousands of patients treated in practices all across the country or the globe? Wouldn’t the knowledge that your treatment times/appointments vary significantly from the national or regional averages be useful? There is little question that access to “Big Data” analytics will offer our profession the opportunity to improve treatment quality, safety and efficiency for our patients, just as it is beginning to do for the other fields of healthcare.