While data protection is important in any industry, it is particularly critical in health care because in addition to the usual financial records, trade secrets, and other valuable data, confidential patient information is also at risk.
You may think that your computer vendor is responsible for safeguarding your data, but third parties can only do so much. And if your data is compromised, the ultimate responsibility is yours – not to mention the financial loss, and the damage to your practice’s reputation.
Dr. Joseph S. Eastern
In addition to the security vulnerabilities inherent in any system, there are external vulnerabilities, such as weak passwords, viruses, and hacking (either externally or internally). And as hardware becomes more and more portable, there is the increasing risk of theft of platforms and storage media containing confidential data.
A close and ongoing relationship with your hardware and software vendors is essential to good data protection. Your office should have a permanent contact at each company, and you should talk to them regularly. Ask them what sort of firewalls, antivirus software, and other safeguards are in place to protect your system. Whenever they identify a bug or other vulnerability, you should know about it. They should tell you about each software update, what improvements it makes, and what defects it fixes. You should also know about any changes to your data encryption.
Encryption has become an essential component of data protection. It is especially important if you use portable devices such as laptops, pads, or smart phones to store and transport patient information. If you lose one of these devices, or a thumb drive or other storage media, HIPAA will probably not consider it a breach if the data it contains is encrypted.
Encryption isn’t perfect, of course. Log-in credentials can be stolen; and data that is stored in house is can be hacked with malware and phishing techniques, especially if the key to decryption is located on that server. And make sure that employees are not putting any medical data on their own private (unencrypted) devices.
Each employee should have his or her own password, and sharing should be strictly prohibited. Multifactor authentication is becoming increasingly popular for an extra level of security.
Your vendor should require you to change your passwords every few months. If it doesn’t, you need to establish a timetable to do it yourself. All passwords should be strong (no birthdays, pet names, etc.), and they shouldn’t be the same or similar to old passwords.
In some offices, I’ve been surprised to see that every employee has unrestricted access to all practice data. The vulnerabilities of such an arrangement are obvious. There is no reason why receptionists, for example, should have access to medical histories, and insurance people don’t need to know what medications a patient is on. Your vendor can help you design partitions that restrict each employee to only the information they need access to.
Ask if your vendor provides security training for employees. If not, look into hiring a security firm to do it. Regular security training can help employees to recognize data security attacks like phishing, and instills a heightened sense of security awareness and vigilance among staff. They will also gain a better understanding of the role they play in maintaining the overall security of your office.
It goes without saying that third parties, such as business vendors, payers, and managed care providers, should never have access to patient records or other personal health information.