{"id":12153,"date":"2024-04-10T08:06:07","date_gmt":"2024-04-10T15:06:07","guid":{"rendered":"https:\/\/www.planetdds.com\/?p=10980"},"modified":"2024-12-29T17:27:38","modified_gmt":"2024-12-30T01:27:38","slug":"is-your-software-provider-taking-cybersecurity-seriously","status":"publish","type":"post","link":"https:\/\/www.planetdds.com\/blog\/is-your-software-provider-taking-cybersecurity-seriously\/","title":{"rendered":"Is Your Software Provider Taking Cybersecurity Seriously?"},"content":{"rendered":"<p><em>This article was written by Planet DDS staff and originally published on <a href=\"https:\/\/orthodonticproductsonline.com\/practice-management\/it\/is-your-software-provider-taking-cybersecurity-seriously\/\" target=\"_blank\" rel=\"nofollow noopener\">Orthodontic Products<\/a>.<\/em><\/p>\n<p id=\"h-soc-2-type-ii-certification-is-one-of-the-ways-that-software-companies-like-planet-dds-show-that-they-take-cybersecurity-seriously\" class=\"wp-block-heading\">SOC 2 Type 2 certification is one of the ways that software companies like Planet DDS show that they take cybersecurity seriously.<\/p>\n<p class=\"wp-block-heading\">In our increasingly technological world, healthcare providers have replaced banks and convenience stores as the targets of small-time crooks looking for a big score. 
It isn\u2019t the cash register or vault they\u2019re after, but patient data, which has drawn a global wave of virtual smash-and-grabs looking to steal that data and <a href=\"https:\/\/orthodonticproductsonline.com\/practice-management\/it\/how-hackers-hold-patient-data-for-ransom-protecting-your-data\/\" target=\"_blank\" rel=\"noopener\">hold it for ransom<\/a>.<\/p>\n<p>While the internet and cloud-based software have replaced the paper files and metal filing cabinets of old, the digital era brings a host of vulnerabilities and new concerns for small healthcare businesses like private orthodontic practices.<\/p>\n<p>That\u2019s why software companies that serve orthodontic practices, like <a href=\"https:\/\/www.planetdds.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Planet DDS<\/a>, have gone out of their way to shore up their clients\u2019 cyber defenses. The company recently announced that it had completed a System and Organization Controls (SOC) 2 Type II audit, a widely used data security standard for enterprise software. But while SOC 2 Type II certainly sounds official, what exactly does it entail?<\/p>\n<h3 id=\"h-soc-2-type-ii-at-a-glance\" class=\"wp-block-heading\">SOC 2 Type 2 at a Glance<\/h3>\n<ul>\n<li>System and Organization Controls (SOC) 2 is a set of trust services criteria covering security, availability, processing integrity, confidentiality, and privacy, developed by the American Institute of Certified Public Accountants (AICPA), the body that sets auditing standards for CPA firms in the United States. A Type II report evaluates whether an organization\u2019s controls operated effectively over a review period, not merely whether they were suitably designed at a single point in time (which is all a Type I report covers).<\/li>\n<li>SOC 2 Type II is the vehicle through which software companies like Planet DDS can receive independent third-party validation that they have put proper security and privacy controls in place. 
It requires an investment of time and money from the company seeking the report and includes an audit period that typically spans several months. Strictly speaking, the outcome is an attestation report issued by an independent CPA firm rather than a certificate; that report, which lists the controls in scope and any exceptions the auditor found, is what a prospective client should ask to read.<\/li>\n<li>It is one of several third-party frameworks that enterprise software companies can use to demonstrate that they meet the broad data security standards of the Health Insurance Portability and Accountability Act (HIPAA), which itself has no official certification program. Other such frameworks include the NIST Cybersecurity Framework, the CIS Critical Security Controls, ISO\/IEC 27001, and the HITRUST CSF.<\/li>\n<\/ul>\n<h3 id=\"h-how-do-soc-2-type-ii-and-hipaa-come-together\" class=\"wp-block-heading\">How Do SOC 2 Type 2 and HIPAA Come Together?<\/h3>\n<p>The effort to meet SOC 2 Type II standards was headed by Liz Duncan, director of compliance and cybersecurity at Planet DDS. Duncan has spent more than three decades of her career combating cybercriminals. She was in Silicon Valley during the early days of cybersecurity threats, working on antivirus software, malware protection, and network data security. She later shifted her focus to smaller organizations, which often lagged behind large corporations in cybersecurity.<\/p>\n<p>While HIPAA provides the legal basis for regulating the security of patient data, Duncan says its actual language is broad and leaves it to companies to show that they are meeting the law. Like a set of divine commandments, it is more a list of \u201cThou Shalts\u201d than a detailed breakdown of what it means to be compliant.<\/p>\n<p>\u201cHIPAA really isn\u2019t prescriptive about what \u2018thou shalt do,\u2019 but it uses words like safeguards, reasonable under the circumstances, applying due diligence, and best practices,\u201d says Duncan. 
\u201cAnd that really leaves organizations with a hole in terms of what they need to do to demonstrate HIPAA compliance.\u201d<\/p>\n<p>Under HIPAA, companies may self-attest that they comply with the regulations, but at the end of the day a client is then simply taking the company\u2019s word for it. As a result, third-party frameworks like SOC 2 Type II have come into use to help companies demonstrate to regulators and, more importantly, to their clients, that they are taking data security seriously.<\/p>\n<p>SOC 2 Type II is a thorough audit covering best practices such as encrypting data at rest and in transit. It checks that access controls grant only the minimum access needed to perform a job, the principle of least privilege. It also examines the organization from top to bottom to gauge leadership\u2019s engagement with cybersecurity and data privacy risks. Because the audited organization defines which systems and controls are in scope, a client should confirm that the report actually covers the product and data the practice relies on.<\/p>\n<p>\u201cWhen you have to demonstrate your data security and privacy controls to a third-party auditable standard, it demonstrates a level of maturity of your control environment,\u201d says Duncan. \u201cMore importantly, it demonstrates the commitment to the security and privacy practices, because it isn\u2019t something that you can accomplish overnight. It\u2019s actually a continuous operational effectiveness, where your controls are evaluated day in day out, week in week out, monthly, quarterly, annually.\u201d<\/p>\n<h3 id=\"h-cybercriminals-understand-the-value-of-your-data\" class=\"wp-block-heading\">Cybercriminals Understand the Value of Your Data<\/h3>\n<p>As healthcare providers, orthodontists are legally responsible for protecting the sensitive data they use to treat their patients. The protected health information (PHI) that orthodontic and dental providers hold is generally seen as lower-risk than what a medical or mental health institution might hold. 
However, it is still subject to the same legal protections.<\/p>\n<p>Unfortunately, hackers are well aware of this, and rather than spending all their time trying to take down the Change Healthcares of the world, they look for easier prey: private practices.<\/p>\n<p>\u201cThe healthcare industry in general, but particularly dental and ortho, has been flagged as easy pickings,\u201d says Duncan. \u201cIt sounds a little bit rude, but the FBI actually uses that term, easy pickings.\u201d<\/p>\n<p>One of the primary reasons healthcare is so exposed is that there are often many points of access to valuable data. Instead of a single comprehensive system, healthcare organizations rely on many different software products, each with access to the same patient data. Every device, application, and vendor with that access is a potential weak point an attacker can exploit to get in and take what they need.<\/p>\n<h3 id=\"h-offloading-your-cybersecurity-risks\" class=\"wp-block-heading\">Offloading Your Cybersecurity Risks<\/h3>\n<p>Large businesses can and do spend billions on cybersecurity every year, but a single orthodontic practice cannot feasibly afford the dedicated protections that top healthcare institutions invest in. That\u2019s why, Duncan says, it\u2019s important for orthodontists to offload as much of that risk as possible to a company that can demonstrate its ability to protect sensitive data.<\/p>\n<p>Cloud-based software has made that possible for private practice owners, allowing important data to be stored offsite in a more secure location where it is backed up and ready to restore if a breach occurs. 
Unfortunately, the dental world has been slow to modernize.<\/p>\n<p>The FBI considers dental and orthodontic practices to be at least 10 years behind the rest of healthcare in understanding the need to move systems out of the office and into the cloud, says Duncan.<\/p>\n<p>\u201cThe idea of the dental practice with a Windows 7 server in their closet that somebody reboots when something gets hung, and that\u2019s all they ever do with it\u2014that still exists,\u201d says Duncan. \u201cIn this day and age, nobody should ever be running their own infrastructure. The risk is too great, and the overhead of trying to hire the staff to maintain it is pretty significant. So, we can all outsource that aspect of it by making sure that you\u2019re looking for purely cloud-based solutions.\u201d<\/p>\n<h3 id=\"h-the-cost-of-ignoring-cybersecurity-risks\" class=\"wp-block-heading\">The Cost of Ignoring Cybersecurity Risks<\/h3>\n<p>Duncan recalls a client that suffered a significant ransomware attack after someone senior in the organization clicked a phishing link. The link installed a keylogger on their computer, which captured login credentials that the attacker then used to sign in to the practice management system (PMS) and begin exporting data. A stolen password is only useful where a password alone is enough to log in; multi-factor authentication on the PMS account would have made the captured credentials far less valuable.<\/p>\n<p>A data exfiltration event, as it\u2019s known in the cybersecurity world, is a nightmare scenario for a private practice. The attacker was able to access and export sensitive patient documents and images and then encrypt the files so that the client no longer had access to them. Notably, no malware was deployed against the software itself: the PMS was still up and running, unaffected. 
Yet, without access to that critical data, the office was forced to shut down for two months before it could return to normal operation.<\/p>\n<p>When <a href=\"https:\/\/orthodonticproductsonline.com\/practice-management\/it\/change-healthcare-cyberattack-impacts-dental-industry\/\" target=\"_blank\" rel=\"noreferrer noopener\">cyberattack events make the news<\/a>, the focus is often placed on the astronomical ransoms that some organizations pay hackers to get their data back. However, the real cost, particularly for private orthodontic practices, is the damage to a doctor\u2019s ability to treat patients.<\/p>\n<p>Had that practice\u2019s files been backed up to a secure location beyond the reach of the attacker\u2019s stolen credentials, it might have returned to operation with minimal delay. Duncan always recommends that organizations plan for these worst-case scenarios. Running a disaster-recovery exercise, even a simple tabletop walk-through of an incident, is in the practice owner\u2019s best interest, and, Duncan says, it can be fun for the staff as well.<\/p>\n<p>\u201cIt\u2019s an investment in time, but it\u2019s definitely worth it. Thinking through every aspect of how you operate, documenting it, and then training people on it,\u201d says Duncan. \u201cThe middle of a major incident is not the time when you want to have to figure it out. You don\u2019t have to be super sophisticated. Just talking through what you would do under these circumstances usually generates a lot of really good ideas for how you could continue to operate.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article was written by Planet DDS staff and originally published on Orthodontic Products. 
SOC 2 Type 2 certification is one of the ways that software companies like Planet DDS&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[243],"tags":[233,1235,1236,66,1238,18,1239,185,351,240,1217,271,20,1350,1351,1240],"class_list":["post-12153","post","type-post","status-publish","format-standard","hentry","category-security","tag-breach","tag-business-continuity","tag-cybercrime","tag-dental","tag-emergency-action-plan","tag-phi","tag-phishing","tag-plan","tag-protected-health-information","tag-ransomware","tag-rcm","tag-recovery","tag-security","tag-soc2","tag-soc2type2","tag-tips"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/posts\/12153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/comments?post=12153"}],"version-history":[{"count":0,"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/posts\/12153\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/media?parent=12153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/categories?post=12153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.planetdds.com\/wp-json\/wp\/v2\/tags?post=12153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}