7 Questions to ask your software vendors to ensure your data is kept secure
- Cubiko, Security
- Chris Smeed
- June 30, 2021
It is crucial to ensure your data is kept secure. As a business, you can leverage data to achieve business and financial insights. Ensuring that your data, such as patient information, is secure is an essential part of the healthcare industry.
Long gone are the days of recording patient information on paper and manually storing it in filing cabinets. As we move into a more technologically advanced era, the risk of data breaches, malware, viruses, and other malicious attacks increases.
Doctors, nurses, and other healthcare professionals are increasingly relying on technologies and cloud-based software to access, update, record and analyse patient data. As a result, the need for better security solutions increases to help minimise the risks of malicious data attacks and data breaches.
What is Data Security?
Data security refers to the practices, processes and technologies used to safeguard your valuable and sensitive data. The objective of data security in the healthcare industry is to ensure that you have developed an effective plan to safeguard your practice and patient data while minimising exposure to internal and external risk factors.
Why is Data Security Important?
With the sensitive nature of healthcare data, data security is of particular importance for healthcare providers. Without an effective plan to safeguard your practice’s data, you run the risk of leaving your practice open to cyber-attacks.
In June 2020, Australia’s Notifiable Data Breaches scheme reported that, over the previous six months, 22% of all cybersecurity breaches were within the health sector. Cybercriminals are becoming increasingly interested in stealing electronic medical records, as this information can be quite lucrative. This is because electronic medical records contain information such as patients’ names, dates of birth, addresses, phone numbers, insurance information and more. Obtaining such information can lead to complete identity theft, blackmail, and extortion.
Free Download: Data Security Safety Checklist
Measure and compare how reliable software companies are when it comes to ensuring that your data is protected.
7 Questions to ask your software vendors
With the increasing number of data breaches in the healthcare industry, we’d recommend that you do some research before signing up for a particular software. You need to have a clear understanding of what their data security protocols are and how they handle your data.
Below is a list of questions that we think are important for Medical Practices to look into before signing up for a particular software:
1. What cloud-based hosting platform do they use?
2. Is my data encrypted?
3. What does their privacy policy look like?
4. Do they do penetration testing?
5. Is my data stored in Australia?
6. Is the software developed in Australia?
7. Are they Partner Approved?
1. What cloud-based hosting platform do they use?
With great data comes great responsibility. You want to know that your data is secure and in safe hands. There are plenty of off-the-shelf hosting solutions – but I say, “Don’t be afraid of the cloud”. Amazon Web Services (AWS) and Microsoft Azure are two of the biggest names in cloud-based hosting. Both come with some of the best industry certifications. AWS and Microsoft Azure are both tier-one cloud hosting providers.
AWS has a long-standing relationship with government agencies, and their compliance offerings include certifications in ITAR, DISA, HIPAA, CJIS, FIPS, and more. In addition, they provide security so that only screened persons can access the cloud. This is a must for companies handling sensitive information.
Like AWS, Azure has over 50 compliance offerings, including ITAR, DISA, HIPAA, CJIS and FIPS. They, too, provide the same level of security as AWS by setting up permissions so that only screened persons can access information.
Cubiko is a cloud-based platform hosted on AWS and Azure. This provides Cubiko with the ability to scale and keep your data secure.
2. Is my data encrypted?
Data encryption is the process in which data is encoded so that it remains inaccessible to unauthorised users. Data encryption protects sensitive information and data and should be used to enhance the security of communication between apps and servers. Essentially, if your encrypted data gets in the hands of an unauthorised person, they will not be able to access the sensitive information.
Data encryption is vital! Unfortunately, often the lack of encryption is where the problem lies in data breach situations. According to Haresh Kumbhani, founder and CEO of Zymr, a cloud consulting and agile software development services company “80% of breaches occur because data and access security is not well secured”.
It’s important to us that your data remains safe. So, at Cubiko, we use industry-leading encryption technologies to protect data in transit (during communication) and at rest. We use access controls and audit records (among other security tools and technologies) to protect the data held and processed by us.
3. What does their privacy policy look like?
A privacy policy is probably one of the most important documents you can have on your website. It’s a legal document that outlines a company’s position on privacy and how it uses, discloses, and manages a customer’s or client’s data.
The Australian Privacy Act 1988 requires all businesses collecting personal information online in Australia to have a Privacy Policy. Note – an up-to-date privacy policy is an essential component to your accreditation.
When researching different software for your medical practice, it’s essential to note how detailed, in-depth, and transparent the policy is. The more information and transparency they can provide, the better it is for you to know how your data will be protected.
Cubiko’s Privacy Policy gives an in-depth overview of the steps we take to ensure that your data is in safe hands. Here are just some of the things included in Cubiko’s privacy policy:
- An outline of how your data is protected
- The reasons for storing your data locally
- Direct marketing policies
- Employee privacy procedures for sensitive information collected, such as background checks
- Incident response
4. Do they do Penetration Testing?
Penetration testing is a crucial way to examine whether an organisation’s security policies are genuinely effective. It identifies vulnerabilities and the ways malicious entities may try to exploit organisations. Any software company that holds a significant amount of data should be undertaking third-party penetration testing.
Here at Cubiko, we take the safety of your data seriously. To minimise the risk of malicious break-ins and data breaches, Cubiko undertakes third-party security penetration testing to ensure there are no vulnerabilities in how your data is stored.
5. Is my data stored in Australia?
Storing data in the cloud is becoming increasingly popular. However, without the proper precautions you may leave yourself open to risk, especially with medical records and data, which are subject to strict legal requirements. One such precaution is to ensure that your data stays in Australia. Server location is a vital consideration when choosing a cloud service provider, and storing data in Australia is highly recommended. This should be the number one question you ask before signing up to cloud-based software.
At Cubiko your data is stored within Australian data centres and is subject to Australia’s rigorous privacy laws. In addition, we take significant additional measures in respect to personal information shared with us by our medical practice clients to provide our analysis services to them.
6. Is the software developed in Australia?
While a company’s databases may be located in Australia, it’s becoming more and more common for companies to make use of cheaper software development found outside of Australia. The risk of overseas development is that again, it opens up opportunities for data to leave the country, as ‘real data’ is often needed to scenario test software during its development.
Overseas development also opens up the risk of poorly functioning industry-specific software. This is especially noticeable in industries like healthcare, where scenarios such as MBS billing and CDM optimisation are highly specific and contextualised to Australia only.
Cubiko’s software is developed solely within Australia, supported by a team of ex-industry practitioners and data analysts. This ensures that data is kept safe within the country’s strict privacy laws and that the solutions used to solve complex industry problems are validated by people who have genuine industry experience.
7. Are they Partner Approved?
Practice Management Systems (PMS) and Accounting Software, such as Best Practice (BP) and Xero, do a lot of homework before approving software partnerships and integrations. Such software is subject to rigorous testing, security audits and answering all the necessary questions to ensure compliance is met before partnering or integrating with BP and Xero. They’ve done the heavy lifting, so you don’t need to! Be on the lookout for the BP Partner Logo and Xero’s Certified Connected App logo to see which software gets its seal of approval.
Ensuring that your data remains safe is important to us. Head to our Trust Centre to learn more about the steps we take to ensure your data is protected.
What do I do if I have a data breach?
A data breach occurs when personal information or intellectual property is subject to unauthorised access, disclosure, modification, or is lost. There are a number of ways in which data breaches occur, including but not limited to:
- Unauthorised third-party breaches
- Unauthorised access, disclosure or modification by Employees or Office Bearers and users
- Data breaches of third-party services that affect user data
In your medical practice, you should have guidelines and processes for what to do if a data breach occurs. The process should look something like this:
- A suspected or known data breach occurs.
- Report – report the data breach to the appropriate team member, e.g. the practice manager or practice owner.
- Contain – take steps to contain the suspected or known data breach.
- Assess – gather and evaluate as much information as possible to assess any risks associated with the breach.
- Notify – notify the Office of the Australian Information Commissioner (OAIC) and the patients/people who were impacted by the data breach.
- Evaluate – review and learn from the data breach incident and identify ways to improve the handling practices for personal information.
For more information on data breach action plans for health service providers, please head to the OAIC website.