By its very nature, emerging technology is still (and will always be) developing. Two increasingly familiar technologies that can have a strong effect upon a dental office are the “Cloud” and the “Internet of Things.” What is each of these?
The concept behind the cloud really isn’t new. “Cloud” is mainly used as a marketing term for a very simple idea: using electronic storage, software or other functionality hosted on someone else’s computer(s) which you access via the Internet (like Planet DDS, Dropbox, Gmail, etc.). That’s it. That’s the entire concept. A typical use of the cloud might be with a vendor acting as a Business Associate under HIPAA.
The nature of the cloud means someone else is literally in control of your data (including PHI), though your office can also be held responsible if those business associates violate HIPAA and there’s a data breach. Having office data, PHI, etc. handled and/or stored by someone else means any risks or vulnerabilities found in their systems are cumulative to any issues or concerns with your own office network or equipment.
There are a number of steps you can take to protect data in the cloud:
On the vendor side: For starters, you need to know what level of access your vendors have to your – and your patients’ – data. Any vendor you do business with should be HIPAA compliant, and you should have a written business associate agreement (BAA) with them clearly saying so. These vendors should have written policies in place regarding the storage and handling of PHI and other data, including detailed data backup procedures and security measures.16 Technical controls should be in place to track the data moving through a cloud vendor’s network, and the vendors must also have fully developed business continuity (BCP) and disaster recovery (DRP) plans.
On your side: Be sure to protect the computers and/or mobile devices used to access cloud data. If an attacker can compromise one of those “endpoints,” he or she can simply steal information off it directly. Additional detail can be found in the sections discussing computers and mobile devices in Part I. Attackers can also use stolen login credentials to access cloud data themselves, so cloud access and the credentials used for access should be carefully managed. Use strong passwords as discussed in the previous section and two-factor authentication whenever it’s available.
The Internet of Things (IoT) refers to rapidly growing types of “smart” devices including anything from baby monitors you can access when you’re not at home to refrigerators that use web-based monitoring to let you know when your food is likely spoiled. In the healthcare field, it relates directly to Internet-connected medical devices like picture archive and communications systems (PACS) and x-ray systems. Unfortunately, security is often an afterthought when these devices are designed and hackers are perfectly happy to use them as a poorly defended gateway into a healthcare network.17,18
It’s not uncommon for medical devices to use outdated software, have poor password protection, and not receive any updates even after security issues are discovered. Until these devices come better secured, protective measures such as firewalls and network segmentation (described in the network security section in Part I) can help isolate the rest of your network from them. This is not a do-it-yourself project, and skilled security personnel well versed in medical device security should be consulted.
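One way the segmentation described above can be implemented, as an added example that is not from this guide: an nftables ruleset for a firewall that routes between the office LAN and a separate VLAN holding the imaging devices. The interface names, subnets, the PACS server address and the DICOM port 104 are assumptions for illustration; a real deployment would be built and reviewed by the security personnel the guide recommends.

```nftables
# Added example (not from the original guide): keep a medical-device VLAN
# (x-ray units, other imaging devices) away from the rest of the office network.
# Assumed layout, adjust to your own:
#   office LAN  10.10.1.0/24  on vlan10
#   device VLAN 10.10.20.0/24 on vlan20
#   PACS server 10.10.1.50, accepting DICOM studies on TCP port 104
table inet clinic_segmentation {
    chain forward {
        # Everything crossing between VLANs is dropped unless a rule below allows it.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were permitted in the first place.
        ct state established,related accept

        # Imaging devices may send studies to the PACS server and nothing else:
        # no Internet, no workstations, no other office systems.
        iifname "vlan20" ip saddr 10.10.20.0/24 ip daddr 10.10.1.50 tcp dport 104 accept

        # Office workstations may open device web consoles for administration,
        # but the devices can never initiate a connection back toward the office LAN.
        iifname "vlan10" oifname "vlan20" tcp dport { 80, 443 } accept

        # Log whatever else the device VLAN attempts, so a misbehaving or
        # compromised device shows up in the firewall log instead of going unnoticed.
        iifname "vlan20" log prefix "device-vlan-blocked: " drop
    }
}
```

Loaded with `nft -f`, the ruleset makes a compromised device able to reach only the PACS server on its DICOM port, and every other attempt is both blocked and logged.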