Encryption is only as good as its use

2015 06 01 14 37 33 930 Benton Lindy 200

Maintaining HIPAA-compliant communications among dental providers, specialists, facilities, and patients is a must in today's environment. While just about every office relies on email, many do not realize these communications are often not secure, encrypted, or HIPAA-compliant.

Even when the email used is HIPAA-compliant, these systems often are clunky, expensive, and difficult for both providers and patients to use. This column explores options and issues for practices seeking to maintain HIPAA-compliant email communication streams and to send secure messages and attachments to comply with the protected health information (PHI) requirements of HIPAA.

Secure email

The desire for dental practices to share PHI is growing, based on my conversations with practice leaders, as are the risks associated with that data sharing. Since 2009, more than 29.3 million patient health records have been compromised in data breaches, according to encrypted email service provider Virtru.

Lindy Benton is the CEO of MEA|NEA.Lindy Benton is the CEO of MEA|NEA.

Along with this need to protect patient records, the call for patient email communications is not something that can be ignored. Patients are seeking immediate access to their health information. While patient portals are one possible solution, the ease of use for both the sender and recipient makes secure email a more viable and cost-effective solution for most dental practices.

The move to end-to-end encryption, also known as securely encrypted email, is seeing a rise in popularity. Clients sometimes have the perception that securely encrypted email is complicated to use, but they find this to be false and instead discover that encrypted email gives them total control over how to manage their information.

With the clear benefits of encrypted email, why don't all practices use it? With so many breaches of healthcare and other data, shouldn't there be more concern about not using such solutions?

Distracting focus

The reasons these encryption issues are overlooked or ignored are many and vary, but as the practice landscape has become more complex, such as with enhanced HIPAA regulation and ICD-10, practice goals other than security may take more precedence. Practitioners and practice leaders are not necessarily security experts, and they have little time for projects not related to patient care.

“ Some practice leaders believe breaches or IT security issues will never happen to them since they manage very small businesses.”

For many practices, especially smaller ones, encryption is just one more item to manage and could even be considered a distraction from serving patients. Based on my conversations with them, some practice leaders believe breaches or IT security issues will never happen to them since they manage very small businesses. Thus, many are essentially saying to themselves, "No one cares about my little practice's data, so why should I worry about protecting it?" That's to say nothing of cost, which scares many small providers away from adopting encryption. Smaller practices are not trying to avoid these issues, in my experience, but resources to manage their security may not be there and can become overlooked in the day-to-day process of growing a practice.

But even bigger practices and those with IT "departments" also may be susceptible to a breach, because even while they think they're managing the security of their patient and practice data, they may not be able to truly manage problems that arise.

Solutions

For the most part, in our experience at MEA|NEA, practice leaders want systems that are easy to use, so they can move onto patient issues. If they're going to invest in a secure email system, they want to plug in and play without a second worry.

There are options that ensure communications are easy, possible, and secure, as well as allowing for provider-to-provider communications, including communicating consult results, sharing of diagnostic images, ordering prescriptions, and scheduling information, among other features.

Some programs also enable PHI-encrypted emails to be sent and also revoked. In addition, these emails and their files can be set to autodelete sent messages and files and also restrict forwarding of emails. This way, confidential patient information sent to colleagues and patients remains private, audit-ready, and protected.

Thus, as the user experience goes, so goes the use of such technology. For example, security only matters, in email or otherwise, if it's not too difficult to use or maintain. If it won't work or it's not simple to use, it won't get used. Encryption is only good when it's being used -- otherwise, not so much.

The good news is that encryption, at least in regard to email communication, is easier than many might think.

Lindy Benton is the CEO of MEA|NEA, a provider of electronic attachment, health information exchange, and secure cloud storage solutions to more than 45,000 dental and medical providers throughout the U.S.

The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.

Page 1 of 546
Next Page