Industry Insider | November 2019 Hearing Review
As more and more of the hearing industry pursues digital transformation as a business strategy, practice owners are taking more time to educate themselves about the importance of data security and privacy. In the wake of a recent cyber crime that impacted a major hearing aid manufacturer, Hearing Review thought it was a good opportunity to sit down with Sycle Cofounder and CEO Ridge Sampson to talk about data security today, what Sycle does to protect its customers, and what business owners need to know to protect themselves.
HR: Sycle has a long history of addressing data security and privacy. Why has this always been a big part of your company’s approach to developing software?
Ridge Sampson: We pioneered cloud-based practice management software long before any other companies were even thinking about it within the hearing healthcare space. In the early days that was a big hurdle we had to overcome when we were trying to launch—people were very skeptical of putting their patient data in the cloud. There was no room for error, and we knew we had to build the most secure and private data environment we could.
HR: What were some people’s concerns back then, and do they still exist today?
Sampson: When we first started Sycle, people's biggest concern was someone downloading all of their customer data. Our argument then was that your biggest security risk is the files you have in your office and the potential for them not only to be stolen but also destroyed. With Sycle we have made data security a top priority, so not only is it hard to get access to more than one patient record at a time, we also log all access so we can look back and have a paper trail if the need arises. We have redundant servers that are constantly backing up all the data we store. And these are essentially stored in redundant servers at the same time, milliseconds apart.
HR: What are new concerns that you see the hearing industry facing when it comes to data security?
Sampson: Now that more data is online, you have more people out there trying to find vulnerabilities. It's not enough to have passwords at login; you need encryption on the rest of your data, so if there is a breach the data is useless.
You need to make sure all access points are secure. That’s why we ensure every patient data touchpoint is secured, and not just the main database. Electronic Document Storage (EDocs), APIs, backups, even log data, are all places where you could be vulnerable. It can add a layer of complexity but it is critical to not only meet the requirements of law, but it is also about doing what is right for your business and your patients.
Investment in hosting providers is also something to consider. How many times have we read the news about Company X being hacked and millions of dollars in data being lost? What you don't see in those stories is the ancillary effect on others in a given data center if there is security leakage over the network. While it is much more expensive, Sycle has invested in hosting that cordons off our data from other companies in our data centers to add an additional layer of protection.
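Two of the controls Sampson describes above, encrypting records at rest so that a stolen copy of the database is useless without the key, and logging every access to a patient record, can be shown concretely. The following Go program is an added example written for this article; it is not Sycle's code and says nothing about how Sycle's platform is built. It assumes a single data-encryption key held outside the record store (the key, record contents and user names are constructed here for illustration). Each record is sealed with AES-256-GCM, the record ID is bound in as additional authenticated data so a ciphertext cannot be copied onto a different record, and every read or write, successful or not, produces an audit entry.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// StoredRecord is what lands in the database or backup: ciphertext only.
// Without the key, a dump of these rows reveals nothing about the patient.
type StoredRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output; the 16-byte authentication tag is appended
}

// AuditEntry is one line of the per-access log the interview refers to.
type AuditEntry struct {
	When     time.Time
	User     string
	RecordID string
	Action   string // "write" or "read"
	OK       bool   // false when decryption/authentication failed
}

// Vault holds the data-encryption key separately from the records and
// keeps an append-only audit trail.
type Vault struct {
	aead  cipher.AEAD
	Audit []AuditEntry
}

// NewVault wraps a 16-, 24- or 32-byte AES key in an AEAD (GCM) cipher.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

func (v *Vault) log(user, id, action string, ok bool) {
	v.Audit = append(v.Audit, AuditEntry{time.Now().UTC(), user, id, action, ok})
}

// Seal encrypts plaintext for record id with a fresh random nonce. The record
// ID is passed as additional authenticated data, so moving this ciphertext
// onto another record ID fails authentication on Open.
func (v *Vault) Seal(user, id string, plaintext []byte) (StoredRecord, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(id))
	v.log(user, id, "write", true)
	return StoredRecord{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a stored record and logs the access whether or not it
// succeeds, so tampered or misfiled ciphertext leaves a trace.
func (v *Vault) Open(user string, rec StoredRecord) ([]byte, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
	v.log(user, rec.ID, "read", err == nil)
	if err != nil {
		return nil, errors.New("record failed authentication")
	}
	return pt, nil
}

func main() {
	// Constructed key for the demo; in practice it comes from a KMS or HSM.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rec, _ := v.Seal("audiologist1", "patient-1042", []byte("Jane Doe, audiogram 2019-10-02"))
	fmt.Printf("stored bytes: %x\n", rec.Ciphertext) // no plaintext visible
	pt, _ := v.Open("audiologist1", rec)
	fmt.Printf("decrypted: %s\n", pt)
	rec.Ciphertext[0] ^= 0x01 // simulate a tampered row
	if _, err := v.Open("audiologist1", rec); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
	for _, e := range v.Audit {
		fmt.Printf("%s %-12s %-12s %-5s ok=%v\n", e.When.Format(time.RFC3339), e.User, e.RecordID, e.Action, e.OK)
	}
}
```

The audit slice is in memory only to keep the example self-contained; a real deployment writes those entries to append-only storage that the application's own database credentials cannot delete, otherwise an attacker who gets write access to the database can also erase the trail.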
HR: Sycle has broadened into other areas beyond hearing care through the years. How has your team’s experience in these other fields informed your security experience?
Sampson: I founded an advertising agency where we worked with a number of companies in highly regulated industries like healthcare and financial services. Pertaining to healthcare and medical devices, our experience working with Medtronic, AMGEN, and Johnson & Johnson shaped how we tackle patient data and exposure to data privacy teams of some of the leading healthcare companies in the world.
HR: Outside of the United States and beyond HIPAA laws, what goes into Sycle’s security considerations?
Sampson: Sycle is a global company with customers in the US and Canada, but we also have users all over the world, and each country has their own data privacy laws. One in particular that improves Sycle’s overall security practices is our work with the NHS in the UK. Beyond HIPAA, the UK has requirements to meet the government standards plus EU standards like GDPR. So that we don’t have a different policy for each country we are in, Sycle has built a data security infrastructure that complies with our global reach and that we apply in all of our data centers around the world.
HR: We’ve all heard about a big cyber attack, and they’re increasingly common. When I was digging around for background material, I found a statistic that the US economy loses somewhere between $57 billion and $109 billion per year due to cyber crime. What’s important for the average hearing care professional to know about cyber crime?
Sampson: At the risk of stating the obvious, security is very important. A big public company can sustain a large financial hit, but a small practice can’t. Imagine if you had a practice and lost 3 weeks or even several months of sales? That might be $40,000 to multiples of that amount for a hearing care business—which could very well put you at risk of going out of business.
Sycle.net supplied this list of data security questions to answer when shopping for new software:
- How often does a third party run penetration tests to ensure all data is secure from hackers?
- Is the data stored with encryption at rest?
- Is the software HIPAA compliant?
- In addition to the core platform, is the document storage solution also HIPAA compliant?
- Is internal communication (email, messaging, etc.) HIPAA compliant?
- Is there an audit log of every action by user?
HR: How does Sycle stay on top of security concerns?
Sampson: We have a multi-pronged approach. First, we have a team called our Security Working Group that shares knowledge about security concerns from all over the world and how Sycle should be thinking about the impact. They also keep us up to date on policy changes from various sources. Additionally, we partner with some of the most secure data centers around the world, where we do cooperative security checks. Finally, we do an annual penetration test with a third-party partner at financially significant cost, but it is important that we make sure we go above and beyond base necessities. It's one of the best investments we make every year.
HR: What are some common mistakes people make when it comes to securing their data?
Sampson: PASSWORDS! I know, I know…passwords annoy us with their complexity and rules, but they are extremely important. Don’t leave them out on a Post-it note, don’t make it your favorite child’s date of birth (everyone knows which one is your favorite!), or use the same one you’ve been using for Facebook for years. A password needs to be complex and secure. There are a number of password manager apps and programs out there that can make it easy, so you don’t have to remember them all and they’ll also remind you to change your password every 60–90 days.
Another thing to be concerned about is leaving printed materials out where anyone can see them. We worry about digital data security, but we also have to remember that some of the most vulnerable data is in the filing cabinet. With smartphones everywhere, you never know if you have data leakage if you leave the wrong piece of paper lying out; someone can just snap a picture and have a copy.
Correspondence can be addressed to HR or: [email protected]
Citation for this article: Strom K. Cyber attacks and how to protect your practice: An interview with Ridge Sampson of Sycle.net. Hearing Review. 2019;26(11):12-13.