Is It Time for a Data Security Checkup in Your Medical Practice?
As the amount of patient information stored online increases, your patients depend on you to keep their data secure. Protecting sensitive information can be a daunting task, but there are many steps you can take to ensure the information you store is safe.
Getting Started
Suppose you’ve done some initial investigation into system security and privacy best practices. In that case, you might have questions such as, “What is SSL?” and “Do I need to teach all my employees about data security?” It’s a good idea to start by breaking down security practices into two categories: protecting your system and safeguarding against insider threats.
Protecting Your System
One primary but often overlooked method of data protection is keeping your software up to date. Periodically, your system software and application manufacturers will issue updates. In many cases, you can opt to receive notifications when it’s time to update the software manually, or you can choose automatic updates. They can take time to install, and it’s easy to postpone them if you don’t want the interruption. The updates, however, often contain security patches. Schedule updates for the times your system is least active. It’s also good to install anti-virus software on your system and keep it updated.
Encryption should be part of your data protection strategy. The HIPAA Security Rule states that encryption is a “safe harbor.” What does this mean for your practice? If an encrypted device is stolen or lost, you won’t need to notify patients or report the breach.
You probably use mobile devices, such as tablets, phones, USB drives and laptops. These devices should be encrypted and password-protected to protect your data if the devices get into the wrong hands. Workstations and desktop computers should also be password-protected and encrypted. While they aren’t considered mobile, sensitive information can be compromised if someone breaks into your building.
As you protect the devices in your office, you’ll need to protect communication as well. If your staff sends text messages to patients, you can install a secure texting application to encrypt data. Email messages can also be encrypted to safeguard correspondence containing private information.
Some practices provide Wi-Fi access as a convenience to patients. If you want to allow guests to access Wi-Fi in your office, set up a separate network for them and use different passwords.
Safeguarding Against Insider Threats
No doctor wants to think they have staff members who would compromise a medical practice’s integrity. However, it does happen. Most insider data breaches result from employee error. Intentional theft, while less common, is an unfortunate reality.
It’s a good idea to set up an auditing system on your network. An auditing system will allow you to view who accessed patient records, which records were accessed and what patient information was viewed. Let your employees know you have an auditing system in place, and you will be checking reports from time to time. Finally, follow through and review the auditing logs on occasion. It’s easy to postpone this step when you have a high degree of confidence in your staff. However, you don’t want to be caught unaware if a data breach occurs.
One way to avoid an unnecessary data breach is to give contractors and staff members only the level of access they need to perform their jobs — no more, no less. Conduct a review of access levels from time to time. As employees leave or change roles, it’s easy for access creep to take over. Access or privilege creep happens when an employee maintains privileges they no longer need.
Finally, a basic but critical method of data protection is to use secure passwords on all devices. A secure password contains numbers, letters and symbols and does not appear in the dictionary. Instruct staff members not to store passwords in the open — for example, on a note taped to the monitor.
As a doctor, you know the value of protecting your patients. Taking the necessary steps to secure their data is part of a solid plan for your practice.
