Guest: Mark Hollis
Presenter: Neal Howard
Guest Bio: A graduate of Washington & Jefferson College with an extensive entrepreneurial background and having served in public office in Brooklyn, NY for two terms, Mark Hollis was a practice management consultant to more than 600 practices in the New York Metropolitan area for 25 years before cofounding MacPractice in May 2004. With 35 years’ experience, Mark is an industry expert who represents MacPractice as one of the top 40 EHR vendors in the Electronic Health Records Association (EHRA), the national trade organization that advises and consults CMS, HHS and the ONC. Mark’s company is also a member of Commonwealth Health Alliance, a nonprofit comprised of top EHR vendors who are constructing a national patient ID system as a foundation for national interoperability.
Segment overview: Mark Hollis, CEO of MacPractice, a software security and healthcare technology expert, discusses what physicians and practices should know about encryption and how it plays an important role in their organization’s success.
Health Professional Radio – MacPractice
Neal Howard: Hello and welcome to Health Professional Radio, I’m your host here on this Health Supplier Segment. Thanks so much for joining us here today. Our guest in studio is Mr. Mark Hollis, CEO of MacPractice. Welcome to Health Professional Radio, Mark.
Mark Hollis: Thank you.
N: Thank you. Well, you’re a software security and healthcare technology expert. Tell us a little bit about yourself and MacPractice.
M: Well Neal, I’ve been working with doctors in their offices for about 30 years. I handled about 650 practices that I consulted with in the New York Metropolitan area and I did that for about 25 years, and now I’ve co-founded MacPractice with Patrick Clyne; he and I are equal partners in our privately held company. We have about 30,000 users in 4,000 practices throughout the US and in about 30 countries.
N: So when you say you’ve got that many users, so is this a totally online platform or is it a combination of online and maybe a little consulting at a physical location?
M: Well our software is a client-server application, so every one of our clients has a server, either in their only office if they’re a practitioner that has a single location or, in some instances, about 300 to 400 practices of ours have multiple locations that are connected via the internet or by some other means.
N: Now I was talking about your being here to discuss encryption and how that plays an important role in a health care organization’s success. Well, most of our listeners are health care professionals, but for those of us that maybe don’t know, explain what encryption is.
M: Encryption is the application of an algorithm to data that changes the data so that it requires an encryption key in order to be able to decipher the data in order to be able to read it. Would you like me to tell you a little bit about the stages of encryption that are actually important in a medical practice? Or actually … (crosstalk)
N: Yeah, especially since we are discussing medical practices in particular, that would be beneficial.
M: So let me talk to you about it in relationship to HIPAA’s regulation. The HIPAA Security Rule that became effective in 2013 requires encryption of data at rest. Now data at rest means when a practice is actually logged out of the software, so that the software is static and the data is actually encrypted. Now that’s both on the server, whether the server is local or the server is remotely hosted, and that’s also data that might be on backups. So every form of that data is actually encrypted and that’s data at rest. Then data in motion is when the data is moving across the network, whether the network is inside the office and you’ve got a terminal that’s connected to a server that’s in the office, or whether it’s from outside the office and it’s connected to that location, or whether it’s a cloud solution and it needs to encrypt the data between the browser, which is typically used in a cloud installation, and the hosting database wherever that might be. So that’s data at rest and then data in motion, and then there are 2 other additional things that are important in terms of HIPAA in regards to encryption, and that is the encryption of the database password. So a hacker can actually hack the database password if it’s not encrypted, so they can come in and get access to your data even if your data were encrypted. If they have the password as you have the password then they would be able to get into your data even if your data were encrypted. So HIPAA requires that the database password be unique, meaning it’s not hard coded, it’s not the same password in every system from that developer, it’s a unique password to that practice, to that doctor’s office, and it’s also encrypted. And then the other encryption element is encryption of messaging, or we usually call it secured messaging; I think it’s easier for some people to understand it as secured emails.
So basically it has to be encrypted at rest, meaning that when you’re creating an email, think of it as when you’re using a mail client, everybody can understand that you’re using a mail client, you’re creating an email, it needs to be encrypted at that stage, and it needs to be encrypted as it is sent, as it’s in transit between providers for example. So if it has electronic protected health information, which is any identifying information of the patient and some information that is considered clinical. And electronic protected health information might not be logical; some people might think, well, that if I’m sending my clinical notes, no, it might be that you’re actually sending a statement, because a statement has codes on it and tells the reader of that statement what procedures were actually done for that patient. Or if you’re sending a prescription, or if you’re sending advice as to how to register, telling the patient how to register, it could be any information that you’re sending that patient that has a combination of some identifying information, some unique identifier for them, and their clinical information. And so that also has to be secure according to the HIPAA Security guidelines.
N: So it’s a huge undertaking and quite a bit of different types of data. It would seem to be even more complicated than financial data, and we all hear about the efforts that are in place and that are being sold to us to protect our financial data from identity theft and hackers, as we’re talking about it. Why do you think that the health care industry has become a particular target and the focus of MacPractice?
M: So you actually asked a couple of questions, one of which I’d like to comment on. You’re absolutely right that it is very challenging and it’s very daunting for a doctor’s office in private practice to be able to actually have all of their data encrypted. So in regard to that, I’ll touch on that for a second and then maybe, if you’d like, I’ll come back to that and then I’ll talk about the value of it, why is it that health care data commands a premium for hackers and why are they going after that data. So the first thing in regards to the encryption of the data: the software vendor that develops the practice management and electronic health records software, that vendor can actually build the encryption into their software or they can leave it up to the doctor to have to hire their IT people at their own expense to try to protect the data. So if it’s built into the software it becomes a lot easier, and in addition one other element is if everything that we just talked about, all the electronic protected health information and the services like sending secure messaging, is done from within the software so that there’s no data that needs to actually be outside the practice management software, it’s much simpler, because even though there might be 10, 15, 25, or a hundred computers in a large clinical practice being able to access the data, none of them actually have that data present on their computer. Only one computer, which is a server, has it, and if the software itself encrypts it, it’s an all-in-one software, it’s got integrated fax, it’s got… built within it, secure messaging is built within it, integrated network where processing is built within it, so everything is there in that one place, then only one computer really needs to be protected and managed and monitored by the HIPAA Security officer. So to answer the other question, the primary driving motive for hackers in my opinion to go after health care data, there are a couple of primary motives.
So number one, it seems to be easier to get health care data than it is to get bank data, that’s if they can’t get bank data, because we know they’ve gotten it and that they will continue to get it, but the health care organizations do not seem to be as well protected; even the large organizations, such as hospital organizations with large IT departments, seem unable to protect the patients’ data in the system. So it’s easier, that’s what it seems to be, and then secondly it commands a higher premium, so there’s a monetary incentive. So if they’re selling personal identification information without health care information, they may be able to sell it, I’m gonna say for example, maybe for 25 dollars a person, but if they have health care data that may command twice that figure of 50 dollars per individual, and the reason for that is because it can be used in a lot of different ways. So they have the identification information, for example, of an American citizen and then they also have their insurance information, then they can file false Medicaid claims, do other false insurance claims, and they can actually receive benefits from them. They can go in, if they have their social security number, which they may have as a result of having this combination of all this information, they can go and get their social security checks. If they have banking information, because they’ve placed charges in the system, did not encrypt that information and they actually got the credit card information, they can go to the bank account or the credit card and do false charges. And all of these things are, if you look at it from a hacker’s point of view, they have the ability to be able to capitalize.
Now the hackers don’t capitalize in general; the hacker actually is capturing the information, then selling it at a premium to somebody else who then is going to use it in order to be able to take financial advantage. And you could just imagine recently, I don’t know if you mind me telling you about the effect on patients potentially, but just imagine that one of your relatives, for example, was going to one of a hundred and forty-five cancer clinics in the Southeast United States and you were to find out that their identity and health information was compromised and exposed, and they were at a cancer center, which means they were very likely receiving life-sustaining treatment, and they ran the risk of not being able to make their own payments, not being able to, if their Medicare was fraudulently billed by a hacker or by a criminal, then they might not be able to actually continue to receive care. (Crosstalk) And in that case actually the FBI came in and forced this group of a hundred and forty-five health care cancer clinics to report.
N: Now where can our listeners go and get information about MacPractice?
M: So our software website is macpractice.com and if they register at macpractice.com, we’re a little different, I think a little bit different approach. We are a website where we feel that, kind of like Syms, I don’t know if you remember, educated consumers are best customers, so we put a lot of information actually on our site. Unlike a lot of other companies, a lot of cloud-based solutions, we have actual people in the field, so we have a group of about 40 representatives throughout the United States, in nearly and virtually every region of the United States, that are available to do onsite presentations, but beyond that they’re all capable of doing onsite training and implementation, which is what’s necessary to actually implement a system successfully in a doctor’s office.
N: What’s the one thing that you’d like to say to a health care provider or an organization when it comes to enhancing their encryption efforts?
M: Well we talked about this earlier before getting on the call. There is a recent study, and I’m just going to take 1 kind of malware that uses encryption called ransomware, and I’m assuming that perhaps the people that are on the call have heard of ransomware. They know somebody else who may have had ransomware, very likely if they’re on Windows; if they’re on Mac they may not have heard of ransomware because, as a matter of fact, there were one and a half million reported incidents of ransomware over all of 2015 and up to April… one and a half million incidents in Windows and there was one incident in Mac, and Mac was in March of 2016, and unlike the Windows events Apple actually addressed the vulnerability in the Apple operating system within a matter of a couple of days, and the software, which was a software called Transmission, it was very different than the way that it occurs in Windows because it was actually programmers, not doctors, that actually went to a website called BitTorrent, they downloaded Transmission, they had this infected software and it was discovered and removed within about 8 hours. Everything that’s happened to Windows is the same kind of ransomware software that is actually encrypting data and then holding it ransom. An example, I don’t know if you know, there’s actually a hospital organization in Tennessee that didn’t get their data up and running for 20 days, so if you can imagine what effect that may have had on patients whose data was held hostage for 20 days while the hospital tried to get access to it in order to be able to treat them. I mean, that’s devastating.
M: Well we’ve done everything we can to make it as simple as possible because doctors have, what they already have is complicated. We minimize their onsite IT by building it into our application to provide them the assurance that they don’t have to spend additional thousands of dollars in IT. Most of our clients spend no more than a few hundred dollars; even with a ten or fifteen station system in their practice, they only spend maybe a few hundred dollars a year at most for onsite support, and we try to make this very easy. The one thing that doctors may want to remember is that while HIPAA requires them to have encryption, it does not require the vendor to build encryption into their software, and it does not require their vendor to reveal to them, unless they ask, whether or not they build encryption into their software. So it’s really the doctor who’s responsible to have it, but it’s not the vendor’s responsibility to have it. If a doctor has a malware event or has ransomware and their data has possibly been exposed and possibly stolen by a hacker to be resold, the breach has to be reported to HHS and it’s put up on HHS’ website; there’s no way to be able to get it removed, there’s no method for getting it removed at this point, so it’ll be there virtually forever. They have to send a letter, a first class letter, to all of their patients and others affected, which might be the referring doctors, could be the hospital. In addition to that they also have to put a notice on the homepage of their website for 90 days and they have to have an 800 number for patients to call. And as if that’s not bad enough, they also have to report this breach to prominent media, so this is really devastating, it’s devastating.
Now if they have their data encrypted at rest, in motion, and they have an encrypted database password, and they fulfill HIPAA’s requirements, these are the minimal requirements that HIPAA has for security, so if they have this encryption built in for all of these things then they qualify for safe harbor and they do not have to report.
N: Okay, so an added benefit of encrypting, properly encrypting.
N: Yeah, great. Well that’s excellent information, good to know. It’s been a pleasure talking with you here, Mark.
M: Well thank you, it’s been my pleasure to share some information about MacPractice and I appreciate the opportunity.
N: Thank you. You’ve been listening to Health Professional Radio, I’m your host Neal Howard for this Health Supplier Segment of the show, in studio with Mr. Mark Hollis, CEO of MacPractice. He’s a software security and health care technology expert and he’s been discussing what health care organizations should know about encryption and how encryption plays such a vital role in their organization’s HIPAA success as well as patient outcomes. Transcripts and audio of this program are available at healthprofessionalradio.com.au and also at hpr.fm, and you can subscribe to this podcast on iTunes.