Let the high-techies do their thing
You — and many physicians along with you — might focus on the safety of new-fangled, Web-based software and encrypted e-mail rather than actual physical protection, such as shredding sensitive papers or locking the chart room door. But be honest. Are you truly the best person for such high-tech concerns? Probably not. So let the experts handle it. You’ll find that an application service provider that lets you run, say, an EMR or practice management software over the Internet “can be more secure than the average paper-based office,” Duncan suggests.
Cothren agrees. Thankfully, this layman-level worry is slowly abating. “More and more people are becoming comfortable with the security level you can put on encrypted information you send over the Internet,” he says. “Most ASP vendors will have more secure systems than most physician offices.”
Just perform your due diligence and create a chain of trust or business associates agreement, Hertzberg suggests.
Running a more secure office takes awareness and endless scrutiny, and it’s not a once-and-done job. Take time to regularly look for holes.
Top Five Recommendations for Securing Patient Data

1. Take Windows seriously: No one seems to remember that in order to get to sensitive patient information, the system that will be hacked first (if necessary) is the Windows platform it runs on. Without the desire for security on the part of the practice owner, there will be no implementation of security.

2. “Password” is not an acceptable password: While an outpatient office can be small, it needs to deal with passwords like a major hospital would, requiring separate user accounts with complex passwords (using a combination of mixed-case letters, numbers and special characters) and requiring that passwords change periodically.

3. Protect against malicious software: Microsoft’s Windows Update can be set to look for patches daily, although Microsoft has a designated “Patch Tuesday” for critical patches and updates to ensure each Windows computer is up to date and able to fend off any known vulnerabilities. Additionally, anti-spyware and anti-virus solutions should be employed to fend off anything that patches don’t cover. While a hacker may not be looking to access your protected health information (PHI), they certainly will take advantage of the situation should they be able to gain administrative control over one of your Windows desktops. Social Security numbers are very appetizing these days.

4. Automatically lock your PC: When an employee of the office steps away from their PC, after a period of inactivity, Windows can kick in a screensaver that requires a password. This is critical; how many times a day does a physician or nurse step out of a room and leave a PC unattended?

5. Where in the network is your PHI? Most practice owners think that their sensitive data only resides in the practice software application. But how about that letter to the insurance company that was written about Mr. Smith’s condition? Or the spreadsheet that contains patient addresses, Social Security numbers, and other information? These files are a necessary evil to keep an office running, but those documents also need to be secured. This means the location in which they are stored (whether local on a single PC or on a common server in the office) needs to be established, potentially sensitive documents need to be placed in that location, and that location needs to be secured to ensure only appropriate access.

Source: Nick Cavalancia, vice president of marketing, ScriptLogic Corporation, Boca Raton, Fla.
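The four recommendations that can be checked on a workstation (patching, password policy, automatic lock, and where PHI documents live) can be audited with a short read-only script. The PowerShell below is an added example written for this page; it is not from the article or from ScriptLogic. It assumes a document folder path ($PhiFolder, default C:\OfficeDocs), assumes thresholds of at least 8 characters, a 90-day maximum password age and a 15-minute lock timeout, and only scans plain-text file types for Social Security number patterns (Office documents are zipped and would need to be unpacked first). The complexity check uses secedit, which needs an elevated prompt; it is skipped silently if the export fails.

```powershell
# Added example, not the article's own material: read-only audit of a Windows office PC
# against the recommendations above. Run from a PowerShell prompt on the machine being reviewed.
param(
    [string]$PhiFolder = "C:\OfficeDocs"   # ASSUMPTION: the office's agreed document location
)

$findings = New-Object System.Collections.Generic.List[string]

# Recommendation 3: is the Windows Update service present and running?
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.Status -ne 'Running') {
    $findings.Add("Windows Update service (wuauserv) is not running")
}

# Recommendation 2: local password policy from 'net accounts' (length and maximum age).
# ASSUMPTION: 8+ characters and a change at least every 90 days are the practice's chosen minimums.
$net    = net accounts
$minLen = ($net | Select-String 'Minimum password length').Line -replace '\D', ''
$maxAge = ($net | Select-String 'Maximum password age').Line  -replace '\D', ''
if ($minLen -eq '' -or [int]$minLen -lt 8) {
    $findings.Add("Minimum password length is '$minLen' (want 8 or more)")
}
if ($maxAge -eq '' -or [int]$maxAge -gt 90) {   # blank means 'Unlimited'
    $findings.Add("Passwords are not required to change at least every 90 days")
}

# Complexity (mixed case, digits, symbols) is not shown by 'net accounts';
# export the local security policy instead. Requires an elevated prompt.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
if (Test-Path $cfg) {
    if (-not (Select-String -Path $cfg -Pattern 'PasswordComplexity\s*=\s*1' -Quiet)) {
        $findings.Add("Password complexity requirement is not enforced")
    }
    Remove-Item $cfg -Force
}

# Recommendation 4: screensaver must be on, require a password, and fire within 15 minutes.
# Note: a domain policy can also set these under HKCU\Software\Policies\...; this reads the user setting.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $findings.Add("Screensaver is not active or does not require a password on resume")
} elseif ([int]$desk.ScreenSaveTimeOut -gt 900) {
    $findings.Add("Screensaver timeout is $($desk.ScreenSaveTimeOut)s (want 15 minutes or less)")
}

# Recommendation 5: does the document location exist, who can reach it, and do plain-text
# files in it contain SSN-shaped values (the kind of spreadsheet or letter the text describes)?
if (-not (Test-Path $PhiFolder)) {
    $findings.Add("Document location $PhiFolder does not exist; establish and secure one")
} else {
    $acl = Get-Acl -Path $PhiFolder
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -match 'Everyone|Authenticated Users|^BUILTIN\\Users$') {
            $findings.Add("$PhiFolder grants '$($ace.IdentityReference)' $($ace.FileSystemRights)")
        }
    }
    $ssnPattern = '\b\d{3}-\d{2}-\d{4}\b'
    Get-ChildItem -Path $PhiFolder -Recurse -File -Include *.txt, *.csv, *.rtf -ErrorAction SilentlyContinue |
        Select-String -Pattern $ssnPattern -List |
        ForEach-Object { $findings.Add("SSN-shaped value found in $($_.Path)") }
}

if ($findings.Count -eq 0) {
    "No findings for this workstation."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Each finding maps back to one numbered recommendation, so the output doubles as the checklist the text asks you to revisit regularly; files found outside the agreed location still have to be moved there by hand, which is the part of recommendation 5 no script can do for you.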
Pamela L. Moore, PhD, is senior editor, practice management, for Physicians Practice. She can be reached at pmoore@physicianspractice.com.
This article originally appeared in the November 2007 issue of Physicians Practice.
