Your practice has implemented an EMR, and the software vendor has made it compatible with your practice management system. Maybe you even submit claims and receive lab results and EOBs electronically. And why shouldn’t you? It’s fast, easy, and automated.

It can also be dangerous.

In the rush to move practices into the 21st century, security is sometimes the first casualty. Every practice wants the electronic tools that will make it the most efficient, but — let’s be honest — most practice administrators and physicians don’t know much more about computers than how to plug them in.

“As more and more of us convert to the electronic environment, we’re really entering some unknown territory,” says Susan Miller, administrator for Family Practice Associates of Lexington, Ky. Miller, whose practice has been using electronic management tools since 1999, knows just how daunting a task Internet and computer security can be, but she also knows how important it is.

Under HIPAA regulations, every practice must take steps to protect the confidentiality of electronic patient information. Failure to take those steps not only exposes your patients to risk and potential fraud, but it can also result in some pretty steep penalties: Civil penalties for noncompliance can cost you $100 per violation (that’s per patient record!), or up to $25,000 per year; criminal penalties could cost you as much as $250,000 and ten years in prison!

The good news is that electronic security doesn’t have to be complicated. Follow these five easy steps, and you’ll be on your way to an efficient electronic environment that is safe for you and your patients.

1. Use a firewall
Most of us have probably heard this term, but how many really know what a “firewall” is? Yet in a busy medical practice running multiple workstations, “the basic foundation of a network is [having] a good firewall,” says Kyle Chang, manager of IT services with The Coker Group, a healthcare management consulting firm in Alpharetta, Ga.

Basically, a firewall is a software application that monitors information passing into and out of your network. Based on a set of rules that you define, your firewall determines whether certain network traffic is allowed to pass. If someone tries to access your network without a password or network key, the firewall stops them. If another program or application attempts to establish an unauthorized connection to your network, the firewall blocks that connection.

It can work in reverse, too. Say an employee tries to access a personal Web site during work hours. Or maybe he or she wants to download an instant messaging program to talk to friends. Depending on how your firewall is set up, you can restrict access to certain Web sites and prevent employees from downloading and installing specific programs on your office computers. Not only does that help keep employees focused on their work, it can also protect your computers from falling victim to incoming viruses that might disable your network completely.

Chang recommends that practices use some of the better-known firewall software packages from reputable manufacturers such as Cisco, 3Com, or SonicWALL. The important thing is to have a firewall that you know will work — and to use it.

And since we’re on the subject of viruses, make sure you run antivirus software on your system. “I don’t care if you have just one laptop, and you are a solo doc,” says Cynthia Dunn, senior consultant for the Medical Group Management Association Health Care Consulting Group. “That’s fine, but it better have antivirus software on it.”

The best antivirus software runs continuously and can automatically detect and download updates so your network is always protected against the latest viruses. Check out some of the more popular programs like McAfee VirusScan or Norton Internet Security to keep yourself safe.

2. Encrypt it
If you use e-mail, chances are that your practice is sending sensitive patient information electronically. The problem is that e-mail gets routed to a lot of different places before it travels from your practice to a patient’s inbox. Along the way, anyone could intercept that e-mail and read what you have written.

“You’re going to have to talk to a vendor about encryption if you’re going to send patient information,” says Dunn. “You are required to protect that e-mail if somebody else has the ability to get it.”

There are a number of programs you can use to encrypt e-mails. All of them involve the same basic principle: sharing a code with patients so that they can decipher the e-mail messages you send to them. If they send e-mails in return, then you also want to make sure they’re encrypting their own information. So not only will you need an encryption program for your e-mails, but you should also advise your patients to install one of their own so they can send and decipher e-mails from you. Once you set up the encryption program, it’s a good idea to give your patients written instructions or let them call with questions about how to download and install an encryption program on their personal computers …