
Physicians Practice. Vol. 17 No. 16

Technology: Data Security for Non-Techies

You don’t have to hold a degree in computer engineering to keep your data safe. Here are some simple security gaps anyone can plug.

By Pamela Moore | November 1, 2007


The laws are meant to give consumers a chance to protect themselves from identity theft. “So if there is a group that is taking credit card information or using Social Security numbers as identifiers on files,” they need to be ready to comply, Adler stresses. “I don’t know many practices that have these policies in place. They need to look at the laws.” He encourages physicians to get away from relying on Social Security numbers, as far as possible, for this reason.

As for taking credit cards for payment, you must comply with privacy stipulations in the contract you have with your merchant as well as with the 2003 Fair and Accurate Credit Transactions Act, or FACTA. This law is the same one that lets you get a free credit report. But it also says credit and debit card receipts should not include more than the last five digits of the card number or the card’s expiration date.

While you are busy protecting your patients’ data, think about destroying some of your own. Businesses are increasingly setting rules regarding the destruction of electronic information and e-mails to avoid undue liability, Adler explains. This idea has merit. Look at how long you need to retain information for legal or business reasons; get rid of what you don’t need, he advises. If you have cleanup rules and follow them as a normal course of business — rather than in response to concerns about a specific case — you’ll be much better protected in the long run. There are now services that erase hard drives for you — which is harder than it sounds — and shred the hard drive itself into little metal nuggets.

Safe travel tips

You might have a firm policy prohibiting physicians from taking home paper charts. But how are staff and physicians using memory sticks — those handy little drives you stick into a USB port? Ross Duncan, vice president of channels for digital security firm Gemalto North America, worries about “the growing popularity of the use of memory sticks. Once [physicians put charts on one] they have probably violated half a dozen regulations.”

Most memory sticks have no protection whatsoever. If someone found the gadget, they could immediately access patients’ medical records. It’s better not to transfer data that way at all or, if you must, to use a memory stick that requires a password or some other security.

Same thing goes for laptops and PDAs, which can be vulnerable to hacking. “Every time I put [my laptop] down in an airport, it leaves my sight. Anyone could steal it and break into it. So the information on my computer is encrypted,” says Robert M. Cothren, director for clinical information systems of Northrop Grumman’s health solutions division. What’s on the laptops and PDAs in use at your office? Make sure you regularly clean them and scrupulously protect the data.

What’s the password?

Of course the classic tools in digital security are user identifications and passwords. Effective? Yes, but only if used well.

“Physician practice groups often don’t have unique user IDs and passwords,” warns Adler. “They either share them or have one that everyone uses. If everyone is using the same password, it’s easier for someone to get into the system.”

Another mistake he sees: practices continuing to use vendor-supplied user IDs and passwords long after they’ve implemented new software in their practice. Because every other practice initially gets the same user ID and password, hackers will test to see whether they’ve been reset.

If you are going to create new passwords, create good ones. “It can’t be a word,” says Cothren. “It has to have numbers and capital letters. The downside is that most people aren’t very good at remembering those so they tend to write them down.” And if the password expires every 90 days — another best practice — it’s even harder to remember and more tempting to write it down. Passwords on sticky notes pressed onto monitors defeat the purpose. Strive to balance password protection with the realities of adult memory capabilities.

Make sure, too, to have written policies you actually follow for “deprovisioning” passwords — that’s industry-speak for changing passwords when a staff person leaves your office.

In the near future, Cothren says, practices will be able to use two-factor authentication instead of passwords. That’s the technology you use for ATMs; you have a password (one factor) and a bankcard (the second factor). That’s the security gold standard. However, few computers in medical practices are set up with card scanners, and the biometric checks, which might provide an alternative, have so far proven too slow or awkward for medical use. “Fingerprint readers can be hard to use if you have a glove on,” Duncan says. “People will crank down the sensitivity of the reader to speed up access, then break security rules.”

However, hospitals are experimenting with substitutes, such as sending physicians who log into a hospital system a second secret key via text message, Cothren says.
