Reasonable doubt exists and some have questioned the security of web-based dental systems when compared with legacy, office-based, client/server based systems. While the question is reasonable, the answer is very clear. Web-based systems have the capability of providing substantially greater security than any on-site, client/server based system. While web-based systems have the capability, that on its own does not ensure that all web-based systems meet the requirements for world class security.

This paper will discuss the importance of data security in the dental environment. It will also explore and address several key points associated with the high level of security required of protected personal health information. Comparisons will be made to other markets where valuable assets are protected by third parties in a similar fashion to web-based dental systems.

Importance of data security in a dental environment

The security of dental records should not be brushed aside. A lax or haphazard approach to the protection of personal health information in a dental practice can result in patient dissatisfaction at the least and some combination of financial and social ruin at its worst.

There are many potential problems associated with the typical security in most modern dental software systems. They include:

Unauthorized release of personal and legally protected health data. Imagine if you had a well-known patient (perhaps a local businessperson of prominence, a city council or school board member, perhaps an entertainer or other person) and that patient's HIV positive status, or some other personal data, were released to the public by an unauthorized source originating in your office. That type of disclosure could cost you your practice and your reputation.

Theft of valuable technology. Consider what the high priority items are that a burglar might seek to steal in your office. The first thing on their mind is not your schedule book, but that is just what they will get when they take the computer server that is running your practice. In addition to the potential of unauthorized release of data, a theft can result in complete chaos in a practice.

Lost productivity while systems are being restored. How long will it take before you can have a system up and running again? What production will you lose as you purchase the replacement hardware, then configure the system, and then try to restore your last backup? Think back to when you installed your system for an idea of the cost of the equipment. Now add the lost production and you are well into strong five figures.

HIPAA. Though prosecutions for HIPAA violations are not widespread, the law still permits prosecution. Care should be taken to ensure an office is in compliance with these federal requirements. Most client/server based systems are inherently at a disadvantage and fall short by providing between 4 and 6 of the 19 mandated HIPAA physical and technical security requirements, while web-based companies have the capability of providing all 19 of the same requirements. Unfortunately, it's not the software company's obligation to comply, it's your obligation. The more that your software vendor can provide for you, the less you have to do for yourself. There is a cost in both time and dollars when you are left to fulfill the requirements that your vendor is unable to assist with.

Software updates. Software needs to be maintained and updated to remain secure. With client/server systems, this requires a manual process that frequently results in disruption to the office, or sometimes requires reconfiguration of servers and drivers.

Finally, there is the simple peace of mind when you have confidence in the security of the core business tool used in your practice.

Risk associated with a typical dental installation

Let's consider the typical dental office setup for a client/server based dental software system.

First, there is a file server, typically located either in a "broom closet" or under a desk somewhere. Access to that server is available to most anyone in the practice and definitely to anyone who might break in. Expensive technology products are among the first to be stolen in an office break-in. Also, disgruntled or careless staff can put the data at risk.

Next, the database is usually directly addressable by anyone on the network. In other words, someone could easily come in and, using simple "drag and drop", copy the entire office database onto removable media like a CDROM or thumb drive. No record of that copy would ever be made and there is no accountability for that stolen information.

Software updates are typically a manual process where staff are required to install updates from a CDROM onto each workstation in the office. There is not usually any automated or certification process that ensures that these upgrades actually happen. It is not uncommon to require the assistance and expense of an outside IT professional to install the update and correct any needed, or sometimes unintentional, changes that may have occurred to the network or workstation setup.

Office based client/server based systems require constant vigilance and maintenance of virus protection software.

Backup processes at most dental offices are manual processes that do not require validation of the backup medium. Basically, someone has to remember to back up the data. If they forget or are in a rush, the backup doesn't happen. Validation of the backup is typically overlooked in most dental office settings. This validation is needed to ensure that the required files are indeed being backed up.

Many studies have been done that show between 40 – 60% of backups are bad. Some reasons for backup failure include backup scripts that address the wrong files, scripts that back up some but not all necessary files, and backup media that have flaws. Each of these will make a restoration impossible. This last point is particularly true of portable magnetic media (like backup tapes) that is used multiple times. Also, scratched digital media can cause restore failures. The result is that a large percentage of offices that feel secure regarding the quality of their backups are actually walking time bombs of system failure.

Finally, the backup media may be taken off-site. Though having backup media taken off-site may provide an incremental level of redundancy, it does introduce a security nightmare if not done professionally. What is the typical security of the off-site location? Commonly it is a nightstand or home office desk, perhaps simply an office manager's purse. It may provide for off-site storage, but the security of it is of dubious quality.

Quality web-based systems reduce risk

Now, consider a quality architected web-based solution. The data does not reside in the office. Instead, the data is located in multiple tier-4 secure facilities designed specifically for storage, maintenance and security of important electronic data. These facilities cost millions of dollars to build and substantial resources to maintain. Though the office staff access information through office based computers, there is no patient data on any computer in the dental office – it all resides at the redundant hosting facilities with several layers of security and backup.

Security systems include both physical and logical security. Some of the industry's most sophisticated physical safeguards are implemented, including restricting access to authorized persons verified by a combination of physical pass keys, digital fingerprint scans, likeness matching on photo ID badges, and in some cases retinal scans and other recognition technologies. The locations are not published, to reduce the ease of identifying the location as a data warehouse. Ultra secure bulletproof doors and walls restrict forced entry, and multiple layers of locked access points, using various types of mechanisms, make simple lock picking extremely unlikely. These facilities are guarded by armed officers on a 24/7/365 basis. Also, these facilities implement the best and most expensive software and hardware "firewalls" protecting access to data from unauthorized hackers. The systems are virtually virus proof and are built and managed by the industry's best and brightest software security professionals.

Additionally, the software is updated on a regular schedule to all users without user intervention. No office time is spent in this process and no outside technical staff needs to be employed in the process. This automatic process ensures currency of the application and a certainty that the latest enhancements and fixes are implemented the same day they are available.

This overall security plan is well beyond any dental office in type, scope, depth, function, and expense. You just can't purchase it any other way.

Redundant systems hold office information so that if any individual computer component breaks, another is ready to pick up where the one left off, without losing any data. Full redundancy provides significant protection against data loss and improves the security of access. Additionally, redundant physical facilities add the ultimate layer of access confidence. Basically, your data will be in two separate locations in separate geographical regions, both of which are capable of providing full access and service. All data is recorded to both locations simultaneously. Then, a separate backup is created every hour of every day. This is not a volatile backup tape or flimsy CD. It is a full disk to disk backup that is electronically taken to a third secure location just in case the unimaginable happens and a restore becomes necessary. A history of these backups is kept. Each backup is validated against the source data to ensure that it is a perfect copy, ready to be used at a moment's notice. Most quality hosted solutions have never had to resort to this final backup level, but it's there just in case.

With this background, it is relatively easy to understand how a professionally managed web-based solution is easily several orders of magnitude more secure than an office-based client/server system.

Other markets have adopted web-based technologies

Though the dental industry is just beginning to adopt these mature web-based technologies, other industries have had widespread adoption for many years, and in some cases almost complete domination by web-based solutions.

The fastest growing medical office management system in the United States is a web-based product that was introduced to the industry in 1999. It has better than 99.95% uptime from inception and supports a broad spectrum of medical specialties across every state of the Union. The sales force automation and CRM industries have many web-based systems and sport one of the largest and fastest growing public companies. As a web-based product, has become a venerable competitor in many industries that require sales tracking.

Virtually every bank in the world has adopted web-based technologies and offers on-line banking to every banking patron. Consider that every dollar in every bank account, including savings, checking, retirement accounts, etc. throughout the world, is on-line and available for transactions through web-based products. Security is an absolute must, and is best delivered through web-based technologies.

On top of these core business applications, the industry is chock full of consumer directed web-based products. Consider eBay, Google Earth maps, PayPal, e-Trade, and thousands of ecommerce web sites. It is actually hard to find an industry that does not have a significant, if not dominant, web-based product offering. Though lagging other industries, web-based solutions are now being offered to the dental industry as well.

Analogies

Consider your retirement account. You work hard, save and invest. Do you keep your savings at home, in a nightstand or under your mattress? Would you feel more or less secure having your accumulated wealth on-line with a bank or physically in your home? The answer is painfully obvious – it's most secure in a bank. Why? Because a bank spends the required resources to secure it. They purchase really big safes with very substantial locks (the type you just can't pick very easily). Banks also institute best practices and appropriate processes to ensure data safety and security. Hired staff have background checks and are trained professionals specializing in banking security. It is just not possible to have the same type of security at home . . . so you use a bank.

Does putting your money in the bank make it less accessible? No, quite the contrary. It is more accessible with a bank. You can access it using a check, debit card, wire transfer, or an ATM if you like. You don't need to have the cash in your wallet to use it. That reduces the risk of loss from theft or carelessness. The same is true of web-based systems and your data. It is more accessible and more secure at the same time.

Conclusion

The last 10 years of web-based technology development and infrastructure have created a more secure and available solution for storage, backup, and access of data than is possible with legacy client/server systems. A well architected and maintained web-based dental software system is inherently more secure than any office-based client/server system.
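The paper's backup discussion names three ways an office backup silently fails (a script that addresses the wrong files, one that copies some but not all necessary files, and flawed media) and notes that hosted providers validate each backup against the source. The following is an added illustration of that validation step, not code from the paper or any vendor; the directory layout, file names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration, not code from the paper or any vendor: check a backup
# against the live source and a required-file list so the failure modes the
# paper names (wrong files, incomplete sets, flawed media) surface before a
# restore is attempted. Directory layout and file names below are constructed.

def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_backup(source, backup, required):
    """Return missing/corrupt/extra lists; restorable only if the first two are empty."""
    missing, corrupt = [], []
    for rel in required:
        src, dst = source / rel, backup / rel
        if not dst.is_file():
            missing.append(rel)      # the script skipped a needed file
        elif sha256_of(src) != sha256_of(dst):
            corrupt.append(rel)      # bytes differ: flawed medium or stale/partial copy
    # Files present in the backup that nobody asked for: script aimed at the wrong tree
    extra = sorted(p.relative_to(backup).as_posix() for p in backup.rglob("*")
                   if p.is_file() and p.relative_to(backup).as_posix() not in required)
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "restorable": not missing and not corrupt}

def demo():
    """Constructed sample: a live tree and a 'tape' written by a faulty script."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "live", root / "tape"
    for d in (src / "db", src / "images", bak / "db", bak / "images"):
        d.mkdir(parents=True)
    (src / "db" / "practice.db").write_bytes(b"patient records v42")
    (src / "images" / "xray_0001.jpg").write_bytes(b"constructed image bytes")
    (src / "schedule.dat").write_bytes(b"appointments")
    (bak / "db" / "practice.db").write_bytes(b"patient records v41")   # stale/damaged copy
    (bak / "images" / "xray_0001.jpg").write_bytes(b"constructed image bytes")
    (bak / "images" / "desktop.ini").write_bytes(b"junk")               # wrong tree copied
    required = ["db/practice.db", "images/xray_0001.jpg", "schedule.dat"]
    return validate_backup(src, bak, required)

if __name__ == "__main__":
    print(demo())
```

Run against a real backup, the same check would be scheduled after every backup job and its report kept alongside the backup history, so that a bad copy is known on the day it is made rather than on the day a restore is needed.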