For complex topics that regular users would not be interested in. For power users and database administrators.
packets
- Posts: 47
- Joined: Sat Jun 18, 2011 12:27 am
- Location: Holly Springs, NC
Post by packets » Mon Dec 12, 2011 3:51 am
Here's a little morsel for thought... Do you know if/where CC data is stored and if encrypted in transit and at rest? My experience is front desk workstations get infected with malware the most, and these are the machines which accept CC payments.
71 percent of merchants were found to store unencrypted payment card data in 2011, which is an increase of 8 percent since 2010, according to a study by SecurityMetrics.
http://preview.tinyurl.com/89xss7w
jordansparks
- Site Admin
- Posts: 5770
- Joined: Sun Jun 17, 2007 3:59 pm
- Location: Salem, Oregon
Post by jordansparks » Mon Dec 12, 2011 11:17 am
If using Open Dental, all the CC numbers are stored on offsite servers and encrypted during transport. We use certified solutions.
packets
- Posts: 47
- Joined: Sat Jun 18, 2011 12:27 am
- Location: Holly Springs, NC
Post by packets » Tue Dec 13, 2011 4:50 am
jordansparks wrote: If using Open Dental, all the CC numbers are stored on offsite servers and encrypted during transport. We use certified solutions.
And "Certified Solution" means what? As the article suggests with most POS, not much...
Example: Until their latest release, X-charge stored such data (unencrypted) on the local machine (i.e., the X-charge server)... and transmitted it the same. I found this out about 2 years ago because X-charge wouldn't publicly state they were HIPAA/HITECH compliant. Obviously a different measure than PCI DSS. At the time they did tell me this would be resolved in their new release and the data would only then be encrypted, transmitted, and stored on their secure servers (not the local machine). Same issue with most fax solutions BTW.
I still don't find anything "HIPAA/HITECH Compliant" on their site and also no suggestion of offering a Business Associate Agreement (BAA) required for a covered entity. No?
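The question raised in this thread, whether card data actually sits unencrypted on a front desk workstation, can be checked directly rather than taken from a vendor's compliance statement. The following is an added example, not code from the thread, from Open Dental or from X-Charge: it scans file contents for candidate primary account numbers (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn checksum so that timestamps and transaction IDs are not reported, and returns masked matches. The X-Charge style paths and the file contents are constructed for the example; the card numbers used are the standard Visa and Mastercard test numbers.

```python
import re

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash,
# not preceded or followed by another digit (so a 20-digit run is ignored).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a PCI-style report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return [(masked_pan, offset)] for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((mask(digits), m.start()))
    return hits


def scan_files(files: dict) -> dict:
    """files maps path -> content; returns {path: hits} for paths with hits.

    In a real scan the dict would be built by reading files from disk
    (and database dumps, logs and temp directories); here the contents
    are passed in directly so the example runs offline.
    """
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = hits
    return report


# Constructed sample data: a hypothetical settings file that caches the last
# card, a transaction log with a non-card 16-digit transaction ID and a
# spaced card number, and an innocuous text file.
SAMPLE_FILES = {
    "C:/XCharge/settings.ini": "[last_txn]\ncard=4111111111111111\nexp=12/13\n",
    "C:/XCharge/logs/txn.log": (
        "2011-12-12 03:51 approved txn 1234567890123456 card 5500 0000 0000 0004\n"
        "2011-12-12 03:52 phone (919) 555-0100 no card data\n"
    ),
    "C:/XCharge/readme.txt": "Contact support for help.\n",
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for masked, offset in hits:
            print(f"{path}: {masked} at offset {offset}")
```

The scan reports the cached card in settings.ini and the spaced card number in the log, while the 16-digit transaction ID and the timestamps are dropped by the Luhn check. Anything the scanner reports on a workstation that "only" runs the payment client is card data at rest that the vendor's claims did not cover; a scan of the outbound traffic from that machine is the corresponding check for encryption in transit.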
DavidWolf
- Posts: 259
- Joined: Tue Jun 19, 2007 9:39 am
- Location: Milford, MA
Post by DavidWolf » Wed Dec 21, 2011 12:18 pm
What about unencrypted emails? My understanding of the HIPAA rules is that it is against the rules to email patient information that is unencrypted.
I would assume that if we use the email portion of Open Dental to send out a patient referral or patient statement or any other thing about the patient we are violating the HIPAA rules.
Who is liable for the breach? I would say the dentist.
Is anyone using any kind of disclosure to the patient to get permission to do this?
Even if the patient gives us permission to email them or email a referral to another doctor, is it still a HIPAA violation?
____________
Cheers,
Dave Wolf
jordansparks
- Site Admin
- Posts: 5770
- Joined: Sun Jun 17, 2007 3:59 pm
- Location: Salem, Oregon
Post by jordansparks » Wed Dec 21, 2011 2:17 pm
Yeah, that's a big problem right now. Very few patients would be able to handle an encrypted email if we sent it to them, so the typical solution that other software tries is a web portal for the patient to check their "email". But then, each patient needs to have a username and password given to them in advance. There is also a big push in EHR right now for the backend communication between offices to get built out. That should be interesting over the next few years.