(December 30, 2012): Generally speaking, from the standpoint of a dental practice, “Cloud Computing” involves the use of an offsite server to store and access medical records, maintain patient information and or practice business records (such as coding and billing information). Cloud Service Providers (CSP) offer various services to dental practices. In most instances, the information stored is encrypted. Depending on the nature of the information maintained, dental professionals, their staff and / or their patients may have various levels of access to the information maintained by a CSP.
I. Introduction: Overview of Dental Cloud Computing Options
Over the past year, Dentists, Orthodontists, Oral/Maxillofacial Surgeons and Periodontists around the country have been increasingly gravitating towards cloud based records and billing systems. While dental professionals have moved in this direction more slowly than many other health care provider groups (such as physician practices and hospitals), many are finding that the financial and convenience benefits achieved with cloud computing are too tempting to resist implementing for their dental practices. The purpose of this article is to point out a number of risks that are often overlooked by dental professionals choosing to move one or more of their business systems to the cloud.
At the outset, it is important to keep in mind that dental cloud computing options can take many forms. For the sake of simplicity, we have categorized these systems into three groups:
A. Public Cloud: A “public cloud” is an offsite server maintained by a third-party CSP which allows members of the public to have full access to information and computing applications created and maintained by a dental practice. In most instances, the dental practice would require that individuals desiring access “register” with the provider prior to allowing access. The information maintained by the dental practice on a public cloud is not typically encrypted and Protected Health Information (PHI) or other sensitive information is not stored on this server. In most instances, this type of cloud based system would be intended to serve as an information resource for the public, covering various aspects of dental care and treatment.
B. Private Cloud: The term “private cloud” generally refers to an offsite server maintained by a third-party CSP who limits access to the information maintained on its system to only authorized staff of the dental practice. The information is almost always encrypted (in various ways and in varying levels of security) and may be marketed by the CSP as being “HIPAA Compliant.” Access is carefully protected by a firewall and is continuously monitored and maintained by professionals working for the third-party CSP.
C. Hybrid Cloud: The term “hybrid cloud” incorporates the properties of both a public cloud and a private cloud. Although a portion of the information on the CSP’s server is readily accessible to the public, PHI and other sensitive information (such as billing records and health care provider financial data) is encrypted and may only be accessed by authorized dental practice personnel.
D. Mixed Cloud: A “mixed cloud” would include a scenario where highly sensitive information (such as patient dental records and / or coding or billing records) is kept on local servers and less sensitive (but non-public) information is kept on encrypted cloud servers.
While no studies of only dental professionals have recently been conducted, a recent survey by IT News found that 33 percent of all health care providers responding to the survey have already moved their information to the cloud. Moreover, the survey found that 48 percent are ultimately planning to make cloud computing part of their organization’s technology infrastructure. Notably, at the time of this survey, only 19 percent of all health care provider respondents were not planning on moving all or part of their data to the cloud.
II. Benefits to Dental Practices Choosing to Adopt a Cloud Based System
Advocates of cloud computing can point to number of significant benefits achieved by moving a health care provider’s information to a CSP. Two of the greatest benefits include:
A. Cost Savings: Many dental practices and other health care providers have cited “cost” as a primary reason for moving all or part of their records systems to the cloud. The savings from using a CSP can be significant. Employing a CSP to maintain a dental professional’s medical records and / or billing systems can alleviate a provider’s ongoing need to purchase, maintain and update expensive IT computer equipment and software. It also reduces the need for a dental practice to set aside space to house server resources and greatly alleviates the need for outside IT consultants.
B. Access: Cloud-computing systems allow dental professionals (and often their patients) to obtain access to a wide variety of information from anywhere in the world, over the Internet. Access is typically restricted and the information is encrypted to prevent unauthorized persons from logging in to the system. CSPs often point to the fact that their security systems are continuously updated and maintained, thereby preventing hackers from gaining access to their systems. In contrast, dental professionals choosing to maintain their information on local server systems are often much more lax in their efforts to guard against the latest recent threats to IT security.
Although only a portion of dental professionals participate in Medicaid and / or Medicare, as reimbursements continue to fall and the likelihood of post-payment audits increases, the cost of maintaining a server in-house will become increasingly important. As this occurs, we anticipate that dental practitioners participating in federal / state health care programs will be looking at new ways to reduce their infrastructure costs. The number of dental professionals utilizing cloud based systems is likely to increase as reimbursements decline.
III. Concerns When Moving Over to a Dental Cloud Computing Environment:
While only time will tell whether CSPs are able to properly safeguard a dental professional’s patient medical records, coding / billing data or other sensitive business information, it is worth noting that almost all server “break-ins” are caused by someone “inside the company with keys to the castle.” Notably, this security risk can include both employees of a dental practice (over whom you supervise) and employees of a CSP (over whom you have no control whatsoever). Unfortunately, dental professionals have no real way of knowing if CSP staff is reliable or trustworthy. If a disgruntled CSP employee accesses or steals sensitive data, there is little, if any, way that a health care provider can take remedial steps to quickly address the problem. Other security concerns to take into account include, but are not limited to:
A. A Dental Professional’s Obligation to Ensure that PHI is Secured Cannot is Delegated: The security of PHI and other sensitive information entrusted to you by patients is paramount – it cannot be ignored or delegated to a third-party, such as CSP that has completed a valid Business Associate Agreement. Although your particular contract with a CSP may provide a variety of promises and other assurances (such as an “indemnification” provision intended to reimburse you if their negligence or error results in you being fined, sued, etc.), it is important to keep in mind that your dental practice remains ultimately responsible for any information it entrusts with a CSP. Any agreements between your practice and a CSP may essentially provide a level of “cold comfort” but will not shield your practice from state or federal causes of action resulting from a breach. Moreover, many states now provide for a “private cause of action” to be brought against your practice directly by an individual whose PHI or other covered sensitive information has been breached.
B. Federal and State Laws and Regulations Lay Out Your Obligations to Secure PHI Placed Under Your Control: As a Covered Entity, your dental practice must adhere to a myriad of federal and state laws and regulations under HIPAA, HITECH and various state laws which might be implicated. For example, the state of Texas recently passed HB 300, which imposes a number of new privacy obligations on dental professionals and other health care providers.
C. The Weakest Link to the Security of PHI Under Your Control May be in Your Pocket: One of the most important benefits of cloud computing is that it may be accessed through the Internet. Dental professionals are able to access the cloud from their smart phones, IPADs, and from their computer laptop. Our law firm recently conducted a survey of health care providers who listed “other” (as opposed to in-house server breach, stolen laptop or lost documents) as the cause of a PHI breach when reporting the incident to the Office of Civil Rights. Interestingly, a number of the health care providers we spoke with reported that “other” referred to a smart phone that was lost or stolen. Symantec, a computer security company, recently conducted a test in which it “loaded” 50 smart phones with sensitive information and then “lost” the in public places (elevators, food courts, transit stops, etc.), in five metropolitan cities around the country. Prior to dropping the phones, remote tracking software was installed so that their locations could be monitored. This software reported that 96 percent of the phones were found and that the sensitive information was accessed on 70 percent of the phones. Notably, less than half of the finders of the lost phones attempted to contact their owners to return the device. In an informal survey of individuals by our firm, a significant portion of health care providers admitted to keeping log in information (including their user name and password) in the contacts folder on their smart phone. Once lost, this information could be used to access a dental practice’s supposedly secure information on a cloud server.
D. Software Licensure Concerns: When using a CSP, a dental practice may be required to use a non-licensed software application without its knowledge. Is there potential third-party liability? Possibly so.
E. CSP Financial Stability: Is the cloud provider financially sound? If the CSP were to declare bankruptcy, what would happen to the servers (and most importantly, your information)? Who really owns this information? How can you ensure that your information is erased or destroyed from the CSP’s server if the company goes out of business?
F. Contracts of Adhesion: Check out your agreement with the CSP – is your contract with the cloud provider a “contract of adhesion”? Adhesion contracts ultimately leave you with no bargaining power and allow the cloud provider to do practically anything with your data. Be careful. The agreement may initially appear to safeguard your information when in reality it allows the cloud provider to moves its servers, transfer your information to other data storage devices and make changes to the applications on their system.
G. You Can Never Really be Sure that the Relationship is “Terminated”: After a while, you may choose to “terminate” the agreement and move your data to either an in-house server or to another CSP. How can you ever be sure that your information is not backed-up on the cloud provider’s server or storage system? Once information leaves the control of your dental practice, it is gone forever!
IV. Cloud Platforms Aren’t Good Enough for the Government (Yet), So Why Are Dental Professionals Flocking to the Cloud?
The federal government is aggressively encouraging its agencies to adopt cloud-based information systems. In fact, on December 9, 2010, the Office of Management and Budget (OMB) released a formal plan outlining the government’s intent to utilize cloud-based solutions in an effort to increase the public’s access to information in the government’s possession. To that end, OMB has encouraged agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists.
As part of this approach, OMB established the Federal Risk and Authorization Management Program (Fed RAMP) in early 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services. As part of its responsibilities, Fed RAMP has been tasked with setting up a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Based on the standards identified, it is notable that to date:
No CSPs have formally met Fed RAMP requirements or have been granted a Fed RAMP Provisional Authorization.
The mere fact that no CSPs have been found to meet Fed Ramp’s requirements is extraordinarily important. Health care providers choosing to maintain and access their sensitive information on a cloud platform may ultimately find that their trust in a CSP’s security systems has been misplaced.
In consideration of the concerns outlined above, we recommend that health care providers exercise considerable caution before choosing to move PHI and other types of sensitive information to an off-site cloud provider. As we have repeatedly noted, once PHI and other sensitive leaves your control, you essentially have no way of safeguarding the data. While maintaining in-house servers is likely more expensive than moving your data to a cloud provider, it’s the only true way to ensure that your patient’s PHI is protected in accordance with HIPAA’s Privacy and Security Rules. In addition, you should consider conducting an internal HIPAA audit of your physical security, administrative safeguards, and electronic transmissions. Importantly, this audit should be done through counsel, so that any concerns may be reasonable covered by the attorney-client privilege.
As a final point, Apple co-founder Steve Wozniak recently said, “the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.” And that’s exactly right. Health care providers need to seriously asses the risks of placing PHI in the hands of CSPs, particularly in light of HIPAA and its counterpart, HITECH.
The bottom line is relatively simple – the safest way to store sensitive information used or maintained by your dental practice is to place it on a local server and ensure that it is encrypted. Should you choose to use a CSP, you must conduct due diligence in selecting a secure provider. As the above concerns reflect, there will always be a number of inherit risks when utilizing the services of a CSP.
Robert W. Liles is Managing Partner at Liles Parker. He represents dental professionals in connection with audits and investigations by federal and state authorities (and their contractors). Mr. Liles also works with dental practices to help ensure that they have implemented an effective Compliance Program, including systems to help prevent the likelihood of a privacy breach. Should you have questions regarding cloud computing or other dental practice compliance issues, please give Mr. Liles a call for a complimentary consultation. He can be reached at: 1 (800) 475-1906.
 The survey was conducted April 9, 2012 through April 12, 2012. The article can be found at: http://www.healthcareitnews.com/survey-analysis-cloud-use-health-it
 Mobile devices bring cloud storage — and security risks – to Work; June 8, 2012, quoting Dion Hinchcliffe, executive vice president of strategy at Dachis Group, an IT consultancy. The article may be found at: http://www.computerworld.com/s/article/9227888/Mobile_devices_bring_cloud_storage_and_security_risks_to_work
 Honey Stick Project” Exposes Risk from Lost Smartphones; March 12, 2012. The article discussing this survey may be found at: http://www.securityweek.com/symantecs-honey-stick-experiment-shows-what-happens-lost-smartphones
 Robert MacPherson, Apple co-founder Wozniak sees trouble in the cloud (Aug. 5, 2012).