How Pearly Protects Patient Data

Cybersecurity is a growing topic which has resonated within the discourse of IT professionals and technology-oriented leaders. In the dental industry, and more specifically within revenue cycle management (RCM), most technical systems are governed by HIPAA and financial industry standards. Cybersecurity best practices, when applied consistently with these standards, are designed to safeguard practice and patient data.

Recently the importance of cybersecurity has unfortunately been thrust into the spotlight for Dental RCM professionals. Change Healthcare, a RCM Division of UnitedHealth Group (UHG), recently fell victim to a cyberattack that debilitated its systems and concomitantly the billing and claims practices of their national customer base.

Our team at Pearly empathizes with the professionals affected by this. We have spoken to countless RCM practitioners and understand the challenges and anxiety brought about by this breach.

We want to take this opportunity to reinforce your confidence in Pearly’s security systems and practices. Cybersecurity is a foundational element of our business, and while our security measures continuously evolve in step with the threat landscape, we want to highlight some of our key practices below:

INFRASTRUCTURE SECURITY

As a modern enterprise, Pearly’s application, server, and database infrastructure all operate within a single cloud provider - Google Cloud Platform (GCP).  Within GCP our infrastructure components exist within a dedicated Virtual Private Network (VPN), and access to these components is strictly controlled through Google Identity and Access Management. 

Application users (either Practice Users or Responsible Parties) authenticate and are granted permissions through Google Identity Platform, and all permissions are scoped to the account and/or group the user has access to.

All Protected Health Information (PHI) is encrypted in-transit and at-rest using the latest encryption standards implemented by Google.  You can learn more about GCP’s security practices at the Google Cloud Platform Trust Center.

Pearly performs two layers of database backups: continuous point-in-time recovery as well as daily snapshots in multi-region cold storage.  This means in the unlikely event of a loss of database access, we can immediately recover and reprovision our database systems. 

HIPAA BUSINESS ASSOCIATES AND PHI

Pearly and our customers operate in a security environment governed by the Health Insurance Portability and Accountability Act (HIPAA).  A key stipulation of HIPAA is that all vendors that handle PHI must sign a Business Associates Agreement (BAA).  Pearly has a countersigned BAA with Google Cloud Platform, the highest level of BAA available. We also maintain BAAs with all third-party vendors that handle PHI on Pearly’s behalf.  In cases where data cannot be encrypted (e.g. SMS) we restrict access to PHI and limit information to that of the Responsible Party, specifically excluding Patient information.

SECURITY POLICY AND TEAM IDENTITY MANAGEMENT

Beyond the technical measures discussed above, Pearly maintains an Internal Security Policy that outlines the security practices, roles and responsibilities, and disciplinary measures in place to ensure team-member compliance with industry standards.  This policy is available on request to customers.

Internally, Pearly manages team member identity through a unified Single Sign On (SSO) platform that governs all access to third-party vendors as well as administrative access to Pearly systems.

FINANCIAL SECURITY

Pearly is Payment Card Industry Data Security Standard (PCI DSS v4.0) compliant. We use Stripe (an industry-standard payment processing company) to handle dental patient transactions. Pearly does not retain any patient credit card data, and relies on Stripe’s card data vault to securely use patient financial data.

It should be noted that Stripe’s systems, processes, and controls are regularly audited as part of their SOC 2 compliance program. You can learn more about Stripe’s security approach on their website.

SECURITY SCENARIOS

Scenario #1 - Pearly Default Operation

When a practice syncs their PMS data with Pearly, that data is normalized and stored in a data warehouse run within Pearly’s Google Cloud Platform VPC.

Text messages are sent using a 10 digit phone number that has been linked to a 10DLC campaign registered with the carrier networks. 

Text, email, and letter notifications all include a unique link to the responsible party’s secure payment portal.

During the patient payment process, Pearly refers all payment information to Stripe through a direct client-server connection with Stripe’s platform.

From here, payment is remitted to the practice directly from Stripe. Receipt from that transaction is recorded through Pearly and is re-synced with the practice PMS ledger.

Scenario #2 - Disaster Recovery

In the event of a natural disaster or cyber attack, one or multiple GCP regions may be temporarily inaccessible.

If the outage is short-lived, Pearly can immediately re-provision its infrastructure in its existing GCP region using the latest point-in-time backup.  If the outage is persistent, Pearly can re-provision its infrastructure in an alternative GCP region using the latest cold storage backup.

Our security doctrine emphasizes two principles: layers of redundancy, and secure cloud-based infrastructure. With this doctrine in mind, we provide peace of mind to our customers who want to ensure we are employing best practices regarding how and where we keep our PHI data.

We hope that this insight into our security practices answers your questions about how we handle sensitive information.

COMMON QUESTIONS

Are the billing notifications that Pearly sends patients considered personal health information (PHI)?

Because every notification template we offer is structured to address the guarantor and not the patient, the billing notifications are not considered PHI.  

Where can I view Pearly’s BAA?

To access Pearly’s BAA and other legal resources associated with Pearly’s compliance standards, please visit our Security page and our Legal page on our website.

Additional BAAs with our 3rd party vendors can be provided upon request.

‍