Keeping it Confidential

Onsite servers, cloud computing among methods dispensaries can use to protect patient info

by Bart Schaneman

At PDI Medical, a dispensary in Buffalo Grove, Illinois, new patients must fill out a thorough intake form – similar to what they would complete in a traditional doctor’s office.

The form asks for their social security number and other personal details such as medical conditions, emergency contacts, a list of medications the patient is taking, any diagnoses and physician information.

“We use all that information to help us help the patient as we sit down and do the consultation,” said Joseph Friedman, PDI’s chief operating officer. “There’s a lot of pertinent, confidential medical information that’s on those forms.”

Indeed, PDI and other dispensaries around the country often collect a wealth of sensitive data about patients, though it varies depending on state requirements and the individual business.

Keeping that information secure is therefore a crucial task: Data breaches could put patients at risk, which in turn might create a backlash against companies and the entire industry – not to mention land a business in legal hot water.

Sometimes dispensaries have no control over the situation.

In December 2016, a security researcher found that the personal information of more than 11,000 medical marijuana dispensary applicants in Nevada could be accessed online, including social security numbers, home addresses and even physical traits. The revelation led the state to shut down its online portal. The Nevada Division of Public Behavioral Health followed up by investigating a possible cyberattack on its database.

So, what can medical cannabis dispensaries do to keep patient information secure?

They have a number of options, including storing information in the cloud or on locked onsite servers. Overall, though, analysts agree that conducting regular backups, outlining a detailed security philosophy and researching your security provider are all crucial to keeping information out of the wrong hands.

Consider ‘Cloud’ Coverage

Kind Financial, a cannabis compliance technology company based in Los Angeles, believes the answer lies in the cloud.

The firm uses the cloud computing platform Microsoft Azure for its commercial application as well as for its government customers.

“Without giving away the secret sauce and letting the whole world go try to hack us, our application is housed in the cloud,” said David Dinenberg, CEO and founder of Kind Financial.

Kind Financial fully relies on Microsoft to protect its data. Dinenberg said he’s confident in Microsoft Azure’s government certifications and data storage redundancy.

Microsoft does not sell directly to cannabis companies, however. Kind Financial offers cannabis businesses compliance and financial software through a partnership with Microsoft to provide customers the same security and encryption features as Microsoft’s products.

Micah Thor – president of Tech Guru, a Minneapolis-based IT support company that provides strategy and business consulting for security businesses of all types – agrees. He said one of the easiest ways for a small business to keep its data secure when using only a few machines is to employ Microsoft-level encryption solutions.

Moe Asnani – a partner at Arizona Dispensary Solutions, which has multiple facilities – said state law requires his company to keep on file a patient’s name, address and date of birth. Asnani also uses an outside company, MJ Freeway, as his data storage provider.

“We always want to trust our platform that we use for patient record management,” Asnani said. “You can only do so much. Your data provider has to be the one who’s on top of the security infrastructure.”

Do It Yourself

PDI Medical’s Friedman doesn’t trust the cloud, citing recent cybersecurity breaches involving MJ Freeway. Instead, PDI Medical uses an onsite server that sits in a locked, fireproof and waterproof rack. It isn’t accessible to anyone but PDI Medical’s IT professional. To date, the system hasn’t been breached, and Friedman doesn’t expect it will.

PDI Medical has compared the costs and benefits of having an onsite server versus storing data in the cloud. The result: PDI’s information technology specialist strongly suggested going with an onsite server. Friedman said it’s probably more costly, but the data is much more secure.

“That way we’re managing our own destiny,” he said.

He’s also not worried that the system could be compromised from the inside.

“A disgruntled employee won’t be able to get in,” Friedman said. “It’s secure from anybody and everyone.”

If someone wanted to access the server, they would have to physically break into the room where the server is housed.

“This way we have control of everything,” he added.

The one vulnerability he sees is that when data is backed up offsite, it must travel from his server to the backup server.

To help mitigate that vulnerability, PDI added additional hardware and encryption features.

“We haven’t had any breaches so I guess we’re doing the right thing,” Friedman said.

Protect Your Computers

Viruses are the most typical avenues of data loss.

“Getting a virus on your machine could have all kinds of ramifications,” Tech Guru’s Thor said.

Both Dinenberg and Thor agree that retailers should be wary of viruses first and foremost. A computer can contract a virus by a user simply clicking on an email and opening something dangerous.

“A desktop virus is very common, and it could be tragic,” Dinenberg said. “If you’re using a server-based system – whatever that might be – if you get a virus or you get hacked, you’re totally exposed.”

You want to make sure you’re performing regular backups and that your vendor is actually following its own security procedures.

Thor also recommends using a best-in-class antivirus program that is updated constantly. He also suggests real-time patching for Windows updates and third-party apps like Adobe, Flash and Java.

“Most every time that a virus gets on a computer, it exploited a known vulnerability from one of those applications,” he added.

Thor suggests ensuring you’re receiving a status report from the antivirus software to make sure your machine is still up to date.

“It’s not a set-it-and-forget-it type of scenario,” he said.

Develop a Security Philosophy

A critical piece of protecting patient information involves developing guiding principles for data security.

Dinenberg has one key piece of advice on this end: If you operate a small business and incorporate programs you’ve developed, back everything up. Store your backups to the cloud. Make sure you’re using a very secure and well-known cloud.

“It’s like hiring a lawyer,” Dinenberg said. “You can save money and get a cheaper lawyer, but how protected are you? I would not look for a shortcut in data storage. It’s not that expensive in the first place, so you should choose the best, not the cheapest.”

Dan Stofka, Kind Financial’s executive vice president of engineering and operations, said your key security principles should “generally mimic that of health care facilities’ data security.”

His advice: Start by looking at the data security strategies of pharmaceutical manufacturers.

“Ultimately, a multitiered approach is ideal. That starts with front-line prevention,” he said. “Things such as password creation guides, change guidelines, bring-your-own-device policies, employee exit strategies and, at the back of the house, any of the vendors’ policies that hold your data must also be aligned.”

Another part of a dispensary’s security philosophy should involve limiting access to computers and servers with patient data, which should help prevent applications from getting on the computer that don’t belong there.

“In other words, only the IT person or the owner of the business should have administrative-level access,” Thor said.

That’s the same philosophy Friedman adheres to when keeping his server locked and off-limits to anyone but his IT technician.
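The two controls this section and the previous one keep returning to are easy to state and easy to let slip: only the IT person or the owner holds administrative rights, and the antivirus and patching are actually current rather than “set it and forget it.” The following PowerShell script is an added example, not code from the article or from any of the companies it quotes, that checks a single Windows workstation for both. It assumes a Windows 10/11 machine with Microsoft Defender; the allowed-administrator names and the age thresholds are placeholders to be replaced with the dispensary’s own values.

```powershell
# Added example (not from the article): baseline check of a patient-data workstation.
# Assumes Windows 10/11 with Microsoft Defender. Account names and thresholds below
# are constructed placeholders; replace them with your IT person's and owner's accounts.
$AllowedAdmins     = @('Administrator', 'IT-Admin')   # placeholder: the only accounts allowed admin rights
$MaxSignatureAge   = 2    # days: antivirus signatures older than this are stale (assumed threshold)
$MaxPatchAge       = 30   # days: no Windows update installed within this window is a finding (assumed threshold)

# 1. Who holds local administrative rights? Anyone not on the allowed list is a finding.
#    Get-LocalGroupMember returns names as COMPUTER\user or DOMAIN\user; keep the user part.
$adminMembers     = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { ($_.Name -split '\\')[-1] }
$unexpectedAdmins = @($adminMembers | Where-Object { $AllowedAdmins -notcontains $_ })

# 2. Is real-time antivirus protection on, and how old are its signatures?
$av               = Get-MpComputerStatus
$signatureAgeDays = (New-TimeSpan -Start $av.AntivirusSignatureLastUpdated -End (Get-Date)).Days

# 3. When was the last Windows update installed? (Some entries have no date; skip those.)
$lastHotfix   = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAgeDays = if ($lastHotfix) {
    (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days
} else { $null }

# Status report of the kind the article recommends reviewing regularly.
[PSCustomObject]@{
    Computer           = $env:COMPUTERNAME
    LocalAdmins        = ($adminMembers -join ', ')
    UnexpectedAdmins   = ($unexpectedAdmins -join ', ')
    RealTimeProtection = $av.RealTimeProtectionEnabled
    SignatureAgeDays   = $signatureAgeDays
    LastPatchAgeDays   = $patchAgeDays
} | Format-List

# Turn the raw numbers into findings that need action.
$findings = @()
if ($unexpectedAdmins.Count -gt 0) {
    $findings += "Remove administrative rights from: $($unexpectedAdmins -join ', ')"
}
if (-not $av.RealTimeProtectionEnabled) {
    $findings += 'Real-time antivirus protection is disabled'
}
if ($signatureAgeDays -gt $MaxSignatureAge) {
    $findings += "Antivirus signatures are $signatureAgeDays days old"
}
if ($null -eq $patchAgeDays -or $patchAgeDays -gt $MaxPatchAge) {
    $findings += "No Windows update installed in the last $MaxPatchAge days"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'OK: admin membership, antivirus and patch level all within policy'
}
```

Run it from an elevated PowerShell prompt (reading the local Administrators group and Defender status requires it). Scheduling it weekly and keeping the output gives the “status report” Thor describes, and the UnexpectedAdmins line makes a new account quietly added to the Administrators group visible the next time the report is read.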

Vet Your Storage Provider

Do your homework before selecting your storage provider. Ask questions such as:

  • Where’s my data stored?
  • What certifications do those data centers hold?
  • Do they have a published data security disclosure?
  • In how many locations is my data stored?
  • Does the information leave the United States?
  • How long has the company been in business?
  • Have they had any data breaches?
  • What is their file-level encryption policy?

You should be looking for a data center that adheres to industry standards, Thor said.

“You want to make sure that it’s not running out of their closet,” he added.

You also want to make sure your provider has a cybersecurity response policy. The provider is likely to be reluctant to disclose too many specifics for security reasons, but you’re looking to ensure the data center has a redundancy program and a certain level of encryption that will be used for all web traffic.

Dinenberg recommends paying attention to the operational software you’re licensing. Notice how your vendor secures its data and, in turn, its customers’ data.

“You can never ask too many questions about security and data,” he said. “I encourage everyone in the marketplace to pay great attention to that.”

System Design

Thor recommends working with a consultant in the data security industry to design your system – either a managed security provider or a cybersecurity expert.

“The landscape is constantly changing,” he said.

Your vendor should be able to sustain its service, expand with you, and still deliver superior security.

“I’m just a true believer in being able to grow with whoever your service providers are,” Dinenberg said.

“There are no secrets anymore in our world,” Dinenberg added. “If somebody wants to get something or find something, they’re going to try. All we can do is protect ourselves as best as we can.”