What Software Companies Don’t Want You To Know About Your Data Security Liability

Today I received an email from a client. He had a question I have been getting a lot recently. In the software world, companies have been using this topic as a way to manipulate doctors into buying their software. It really bothers me because, as a doctor, I would be really upset if I knew how much exposure they were really costing me had I bought into their deception.

Two types of systems

There are two types of systems: cloud/web-based and client-server.

  1. Client-server means the server and data are stored in the doctor’s office. Other computers in that office then connect to that internal server. Each computer and the server need to have the software installed on them, and the software needs to be updated on a regular basis. Examples are Chirotouch and Platinum.
  2. Web/cloud means the server and data are stored in the cloud, or, more accurately, stored on a server in a data center connected to the doctor’s practice by the internet. In this case, the software itself is also stored on the same servers. You can think of it like the online version of QuickBooks.

I want to own my data

Of course you do, and you should. The lies start here. Some client-server software companies have been telling doctors that if their data is on a cloud server they do not own it. There’s no other way to say it: it is a big fat lie. You always own your data. It doesn’t matter where the server is.

I want to keep access to my data

Again, of course. Client-server companies have been telling clients for years, “If you ever leave that company you can’t access your data again.” It is a scare tactic, and again a lie. If a company ever held your patient data and would not give you access to it, it would be illegal. By law, cloud-based systems must store PHI (Protected Health Information) for 7 years, or whatever the legal requirement is for that doctor’s state.

They will keep your data hostage

Maybe they are unaware, maybe it’s another lie, maybe they have no clue about running a business. Considering the other tactics I just discussed, I have my own opinion.

The truth is we are all in business. Imagine what would happen from a PR standpoint if a cloud-based system withheld access to a former client’s patient records. It just doesn’t make sense. In the age of Twitter, Facebook and other social media outlets, withholding access to a client’s data for no real reason, legal or not, would be just plain stupid. Most cloud-based systems have a clause in their contract for the case where a former client needs to gain access to patient files.

Again, consider the alternative. You buy a new client-server system. You use it for a few years. You decide to go in another direction. Maybe you choose to move to the cloud. 5 years later, a patient has a legal case unrelated to your practice and they request records that were on your old client-server system from 7 years ago. By law you are required to provide them.

You go into the dark recesses of your office where your old server is. Hopefully you still have a computer connected to the server. In any case you haven’t fired either of those babies up in 5 years! Who are you going to call? How will you get the records? What if the server doesn’t even turn on?

If you don’t have a computer hooked up to that server, you’d need to do so. Will a new computer be compatible? It would need to have the software installed on it in any case. Do you think that old software company will actually give you a license? What if they were bought out in the meantime? (There’s a reason all of these client-server systems are getting purchased, by the way.)

Where is the data safest?

PHI data is some of the most valuable data on the black market. Some questions you should be asking are:

Where is a hacker most likely going to try to get such data? One might think it makes sense for them to go to a large data center where the most data is stored.

The correct answer? They will go where it is easiest to get.

Where is the easiest place for a hacker to get data?

My software is cloud-based, so I can tell you. Our data is stored in a HIPAA-compliant data center similar to the data centers that store Wall Street data. The data center’s security system requires biometric scanning just to enter the building. The power source to the center has diesel generator backups in case of catastrophe. In such a case, the data centers are among the first to receive diesel fuel even when there is a shortage, even before gas stations. There is 24/7 security on site. For the data center it is best practice to have the latest firewall protection measures in place and to update them constantly. It’s like Fort Knox for data. The connection from the doctor’s office to the data center has the latest banking-level encryption required by law. Every keystroke is protected. If you were a hacker, would that be the place you would go?

Consider their alternative.

On the other hand, we have doctors who were told keeping their data in their own office was safer. Their office network is not likely to have firewalls at all, and most likely they are not updated on a regular basis. There are many holes in the system a hacker could penetrate. For example, many of these systems tout online patient intake forms that send intake forms to the software server in the office. The problem is that this also leaves a big fat hole for a hacker to penetrate. If I were a hacker, I would do a Google search for physicians in any given area and start hacking. They are the weakest, most vulnerable link.

Is there any liability if your data is stolen?

You bet. Big time. If your data is stolen because of negligence, such as purchasing software like one of these client-server systems, the fines are all yours. That software company has zero liability. Even if they did, I would bet they have insurance against such claims. They will never feel it. It could put you out of business.

On the other hand, with a cloud-based system you have basically outsourced the liability, since the system is entirely contained and HIPAA-compliant. If the data center gets hacked, you will most likely have zero liability. Cloud-based software companies should carry hefty data security insurance policies.

What will it cost you if your data is stolen?

The fines are considerable. Remember, each patient record that is compromised, even if that patient has not been in your office for some time, counts as one occurrence. It is also PER OCCURRENCE AND PER YEAR you’ve had that patient record.

There are 4 categories. CE stands for Covered Entity, which would be your office in this case.

Category 1: A violation that the CE was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules.

Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).

Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.

Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.

Not sure which category these examples fall under? That’s a great point. Guess what? You’ll have to pay a lawyer just to argue that point.

The Fines:

Category 1: Minimum fine of $100 per violation, up to $50,000

Category 2: Minimum fine of $1,000 per violation, up to $50,000

Category 3: Minimum fine of $10,000 per violation, up to $50,000

Category 4: Minimum fine of $50,000 per violation

Potential Jail Time:

Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail

Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail

Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail

Source: http://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

Will the government ever really enforce these laws?

There is a major misconception about this. In the early years of HIPAA the government did not effectively enforce many HIPAA violations. It was a typical example of the government coming up with a “great law” but forgetting it would be only as good as their ability to enforce it. So they didn’t for a while.

With the economic downturn and the lack of revenue to the government, they started getting creative. That, combined with the rise in data security awareness as recent as the 2016 election, got the government’s attention. Who better to recapture revenue from than the “rich doctors”? The Obama administration decided to hire private parties to find such violations. The HIPAA mercenaries are paid a percentage of the penalty received by the government. Actually a good idea, if that is the business you’re in. The tiers and categories were signed into law in 2009 by President Obama as part of the American Recovery and Reinvestment Act. If you remember, this was in the very early days of his administration. The first bill he signed, if I remember correctly.

The answer to the question is yes.

In summary

  1. Do you own your data if it is in the cloud? Always
  2. Do you have access to your data in the cloud? Always
  3. Is your data safer in the cloud? Much safer
  4. Do you have more liability in the cloud? No, much less

Disclaimer: I am not an attorney and this article should not be considered legal advice in any way. Always consult with your attorney for legal advice on these matters.