Computer, HIPAA Security Issues for Medical Practices

Medical practices need to be concerned about computer and all related electronic security issues at year's end; including replacing old equipment, securing new equipment, and controlling peripheral devices.

A recent report from Canada illustrates how easily technology can allow huge amounts of patient data to be exposed. According to the CBC news report:

"Two weeks ago, a doctor was working on consult letters that contained medical advice for 52 patients. The physician copied the information onto a USB drive and planned to deliver it to someone who would put it into the health records system.

According to the hospital's top administrator, the physician did not know the drive also contained a database with the names, health-card numbers, and date of birth of 4,043 patients at the Stanton Medical Centre. The physician then lost the unencrypted drive and reported it missing on Nov. 13."

A statement from the hospital's CEO, who likely would have had some director's and officer's level liability in the United States, went on to say that the hospital was in the process of informing the patients, many who hadn't been seen in as much as five years, and that the physician had not followed the hospital's security policies that would have prevented or at least limited such a serious security breach. The thumb-drive was apparently not even password protected or encrypted - both easily done.

This situation is not unique and a bit of research quickly provided over a dozen high profile cases where similar issues had occurred around the United States, with similar reports in the news every year. This issue becomes even more onerous at year's end, as many practices routinely upgrade their computers, related hardware, software and peripheral equipment in an effort to take advantage of year-end deals and spend down cash that would otherwise be taxed. Here are the key points to remember before you acquire new technology:

• Old equipment must be disposed of in a secure way

Remember that even if you think you've "deleted" the contents of a computer hard drive, CPU, or removable thumb-type drive, the average 12-year-old with access to YouTube can probably recover it. These items should not be donatedor simply thrown away where they can be stolen from the trash. Your IT consultant should be able to provide resources for secure destruction or recycling, ideally not at home in their garage. I've provided detail on this issue previously, so please review the details and the list of other  high-risk electronic devices in your office that store sensitive information as well.

• New equipment must be properly installed and protected

After you've cataloged all outgoing devices (Easy list: what are we getting rid of and how are we getting rid of it?), and how they were securely disposed of, you and your staff are gong to be opening shiny new boxes like little kids on Christmas morning. Make sure all those devices are similarly cataloged and that some basic security procedures have been followed for each one:

1. Update all the installed software. Those boxes have likely been sitting for a while and updating all software is a really key, basic part of keeping your computers and devices safe. This includes the little things like Adobe and java too.

2. Activate, install and update antivirus software. This should be done before anyone uses the computer for anything else.

3. Password-protect any devices that allow you to do so. This means smart phones, tablets, laptops, hard dives, thumb drives, and many others.

4. Consider installing or turning on tracking software. Apple devices seem to largely come with "find my device" software and most other manufacturers now have some version of it too, in addition to "lo-jack" type software programs you can purchase.

Obviously the items listed above are a process, and you practice should have its own enforced process to manage the risk that our heavy, if not complete, reliance on technology now presents, as well as the specialty insurance for when it fails. This process should be followed through the year for all new disposals and purchases and polices should be regularly reviewed with employees and checked by a manager.