Remote access to your practice's electronic systems has gone from being a "nice to have" to a "must have" over the past few years. We love our mobile devices and the freedom to access information whether in the office, at home, or on the road. Part of the credit for this is the rise of cloud-based practice management (PM) and EHR systems. With cloud services, all of your practice's users, in the office or not, have "remote access" through the internet.
These cloud systems relieve you of the responsibility to set up and administer encryption and security for remote access on the server side. In almost all cases, leaving this to an experienced cloud vendor will improve operational security, as they have specialized staff and tools for managing it.
However, even if you have moved your PM/EHR to the cloud, you are still responsible for your practice's devices and for confidential data transmitted over the public internet. Even when you outsource the risks of hosting your data to professionals, remote access remains one of the riskiest aspects of protecting that data and avoiding a data breach or a HIPAA violation. Of course, if you're hosting your own servers, you own the entire responsibility for protecting your data.
If you have IT staff, they can provide guidance on how to keep things as secure as possible. Listen to and follow that advice! You will need a HIPAA Security Risk Assessment for your practice, and how you secure remote access is a vital piece of that puzzle. Even if your systems are in the cloud, you need to attend to four important elements.
1. Secure your devices
2. Secure your network connection
3. Secure your data
4. Follow safe computing practices
Secure Your Devices:
Even if all else is perfectly secure, it may not matter if your device isn't. Ensure that you apply all software updates, and keep your anti-virus and anti-malware software regularly updated as well. Use good passwords; don't make it too easy for a bad guy to get into your device. Enable encryption of the device itself and its storage; this can easily be done on iOS, Android, macOS, and Windows. In the real world (and in the eyes of HIPAA enforcers) an encrypted device that is locked with a strong passcode is at very low risk of data loss, because the encryption only protects the data while the device is locked or powered off. Set your device to lock (go to a password-protected screensaver) after a short period of non-use. And, finally, don't neglect physical security, especially when travelling with a mobile device.
Secure Your Connection:
Data travelling across the internet is not encrypted by default and is susceptible to being copied and read by others. If you access your data through a web browser, ensure that the connection is encrypted: look for https:// (and the lock icon) in the browser address bar. But realize that this doesn't protect non-browser data (e.g., email or other stand-alone apps for messaging and social networking). The best security is provided by a VPN service, which encrypts all data coming into and out of your device between the device and the VPN provider's server. This is especially important if you use public WiFi, since other devices in that coffee shop or hotel lobby may be able to connect directly to your device and attack it. Better still, avoid public WiFi altogether: purchase and use a cellular WiFi hotspot, or tether to your cellphone.
Secure Your Data:
It's always best to work with data stored in a secure cloud service. Don't download or copy data to your device's local storage. An Excel spreadsheet with confidential data stored on your laptop is a data breach waiting to happen. Realize that "regular" email is NOT secure, and if you access secure email, do so only through a secure web browser connection (i.e., the connection is encrypted and the email data stays in the cloud). NEVER put confidential data on an unencrypted flash drive or portable hard drive. Even if you're accessing data via an https:// encrypted connection, it's a good idea to change your browser settings so the browser's data cache (data stored locally from your session) is wiped each time the browser is closed.
Follow Safe Computing Practices:
Most of us are aware of safe computing practices, but a lot of us trade off short-term convenience for security. Just like eating more fruits and vegetables, we all know what we should do and sometimes even follow it. Don't use trivially easy-to-guess passwords, and don't use the same password on multiple websites or systems. Don't click on links in phishing emails. Don't share your password with others — or if you have to, change it immediately afterwards. Never leave your laptop or phone visible in a locked car; put it in the trunk or glove box, or better yet take it with you. Yes, you really DO need to eat that broccoli!
Securing remote access (whether at home or on the road) is an important component of your HIPAA compliance and ensuring the confidentiality of sensitive patient and business information for your practice. And, of course, securing this confidential data is just the right thing to do.