SOC 2 Type II certification is one of the ways that software companies like Planet DDS show that they take cybersecurity seriously.

In our increasingly technological world, healthcare providers have replaced banks and convenience stores as the targets of small-time crooks looking for a big score. But it isn’t the cash register or the vault they’re after. It is valuable patient data that has drawn the attention of a global crime wave of virtual smash-and-grabs looking to steal that data and hold it for ransom.

While the internet and cloud-based software have streamlined the old days of paper files and metal filing cabinets, the digital era brings a host of vulnerabilities and new concerns for small healthcare businesses like private orthodontic practices.

That’s why software companies that serve orthodontic practices, like Planet DDS, have gone out of their way to shore up their clients’ cyber defenses. The company recently announced that it had achieved System and Organization Controls (SOC) 2 Type II certification, a data security standard for enterprise software. But while SOC 2 Type II certainly sounds official, what exactly does data security certification entail?

SOC 2 Type II at a glance

  • System and Organization Controls (SOC) 2 Type II is a set of trust services criteria for data security, privacy, confidentiality, integrity, and availability developed by the American Institute of Certified Public Accountants (AICPA), one of the largest auditing bodies in the United States.
  • SOC 2 Type II is the vehicle through which software companies like Planet DDS can receive third-party validation certifying that they have put proper security and privacy controls in place. It requires an investment of time and money from the company seeking certification and includes an ongoing auditing process that takes place over several months.
  • It is one of several third-party security frameworks that enterprise software companies can choose to show compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) broad standards for data security. Other cybersecurity frameworks include the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), ISO 27001, and HITRUST.

How do SOC 2 Type II and HIPAA come together?

The effort to meet SOC 2 Type II standards was headed by Liz Duncan, director of compliance and cybersecurity at Planet DDS. Duncan has spent more than 3 decades of her career combating cybercriminals. She worked in Silicon Valley during the early days of cybersecurity threats, on antivirus software, malware protection, and network data security. She later shifted her focus to smaller organizations, which were often behind the curve in cybersecurity compared with large corporations.

While HIPAA provides the basis for the regulation of cybersecurity standards around patient data, Duncan says that the actual language is broad and leaves it up to companies to prove that they are meeting the letter of the law. Like a set of divine commandments, it’s more of a list of “Thou Shalts” rather than a detailed breakdown of what it means to be compliant.

“HIPAA really isn’t prescriptive about what ‘thou shalt do,’ but it uses words like safeguards, reasonable under the circumstances, applying due diligence, and best practices,” says Duncan. “And that really leaves organizations with a hole in terms of what they need to do to demonstrate HIPAA compliance.”

Under HIPAA, companies are allowed to provide self-attestation that they are in compliance with regulations, but at the end of the day, they’re just taking the word of a company that they’re being compliant. As a result, several third-party cybersecurity frameworks like SOC 2 Type II have been developed to help companies demonstrate to the government and, more importantly, to their clients, that they are taking data security seriously.

SOC 2 Type II is a thorough audit covering best practices, like encrypting data when it is stored and in transit. It checks that access controls grant only the minimum access needed to perform a job. It also investigates the organization from top to bottom to gauge leadership’s engagement with cybersecurity and data privacy risks.

“When you have to demonstrate your data security and privacy controls to a third-party auditable standard, it demonstrates a level of maturity of your control environment,” says Duncan. “More importantly, it demonstrates the commitment to the security and privacy practices, because it isn’t something that you can accomplish overnight. It’s actually a continuous operational effectiveness, where your controls are evaluated day in day out, week in week out, monthly, quarterly, annually.”

Cybercriminals understand the value of your data

As healthcare providers, orthodontists are legally responsible for protecting the sensitive data they use to provide thorough treatment for patients. In the healthcare industry, the personal healthcare information (PHI) that orthodontic and dental providers have access to is in a lower-risk category than what a medical or mental health institution might hold. However, it is still subject to the same legal protections.

Unfortunately, hackers are well aware of this fact and rather than spending all their time trying to take down the Change Healthcares of the world, they look for the easy prey—private practices.

“The healthcare industry in general, but particularly dental and ortho, has been flagged as easy pickings,” says Duncan. “It sounds a little bit rude, but the FBI actually uses that term, easy pickings.”

One of the primary reasons for healthcare’s unique vulnerability is that there are often many points of access to valuable data. Instead of having a single comprehensive solution for all their needs, healthcare organizations rely on multiple software solutions, each of which has access to the same data. Each device or software solution can become a potential weak point that hackers can exploit to break into a system and take what they need.

Offloading your cybersecurity risks

Large businesses can and do spend billions on cybersecurity every year, but a single orthodontic practice cannot feasibly afford the dedicated protections that top healthcare institutions invest in. That’s why, Duncan says, it’s important for orthodontists to offload as much of that risk as possible to a company that can demonstrate its ability to protect sensitive data.

Cloud-based software has enabled that capability for private practice owners, allowing important data to be stored offsite in more secure locations where it can be backed up and ready to restore if a breach occurs. Unfortunately, the dental world has been slow to modernize.

The FBI considers dental and orthodontic practices to be at least 10 years behind where the rest of healthcare is in understanding the need to move things out of the office and into the cloud, says Duncan.

“The idea of the dental practice with a Windows 7 server in their closet that somebody reboots when something gets hung, and that’s all they ever do with it—that still exists,” says Duncan. “In this day and age, nobody should ever be running their own infrastructure. The risk is too great, and the overhead of trying to hire the staff to maintain it is pretty significant. So, we can all outsource that aspect of it by making sure that you’re looking for purely cloud-based solutions.”

The cost of ignoring cybersecurity risks

Duncan recalls a client who suffered a significant ransomware attack after someone high up in the organization clicked on a phishing link. The link installed a keylogger on their computer, collecting login information that was then used to access the practice management system (PMS), where the hacker started exporting data.

A data exfiltration event, as it’s known in the cybersecurity world, is often a nightmare scenario for a private practice. The hacker was able to access sensitive patient documents and images and encrypt the files so that the client no longer had access. However, the hacker installed no viruses to disable the software. The PMS was still up and running with no impact. Yet, without access to the critical data, the office was forced to shut down for 2 months before it could return to operational order.

When cyberattack events make the news, the focus is often placed on the astronomical ransoms that some organizations pay hackers to get their data back. However, the real cost, particularly for private orthodontic practices, is the damage to a doctor’s ability to treat patients.

Had that practice’s files been backed up and stored in a secure location, it might have been able to return to operation with minimal delay. Duncan always recommends that organizations plan for these worst-case scenarios. Running a disaster exercise is in the practice owner’s best interest, and, Duncan says, it can be fun for the staff as well.

“It’s an investment in time, but it’s definitely worth it. Thinking through every aspect of how you operate, documenting it, and then training people on it,” says Duncan. “The middle of a major incident is not the time when you want to have to figure it out. You don’t have to be super sophisticated. Just talking through what you would do under these circumstances usually generates a lot of really good ideas for how you could continue to operate.”