Data Security 101 for Physician Practices

May 24, 2012

From basics to backups, here's how to protect your patient data, and your practice's reputation.

When it comes to securing data, high-tech encryption software, password-protected EHRs, and swapping e-mail for patient portal messaging are a few of the things that come to mind at most practices.

But for John Lin, the sole physician and owner of Sunrise Urology, his six-employee, Gilbert, Ariz., practice, securing data starts with employees.

"The weakest link in security is employees, or personnel," says Lin. "You have to make sure everyone knows the basics."

After doing thorough pre-employment background checks, Lin makes sure all of his employees are well-versed in data-security policies from Day One. For example, staff members are not allowed to take flash drives out of the office unless the data on them is encrypted.

"If you want access to patient data, you have to remotely log [into the system]" says Lin.

Additionally, employees are required to change their passwords every three months, and his EHR is configured to enforce that rule. Passwords must also meet complexity criteria so that they cannot be easily guessed, and after three failed login attempts the account is automatically locked.

And those are just the first of many steps Lin takes on a regular basis to ensure the data that resides in his EHR and accompanying technology systems is safe.

Taking protective measures will only become more important to practices, as technology evolves and threats to data security increase. A practice that fails to secure its data, or at least fails to make an effort to secure it, could face some serious consequences: A growing number of medical practices and hospitals are being fined hundreds of thousands of dollars and seeing their organizations' reputations ruined as a result of not taking adequate measures to secure their data. If that's not enough, practices face less-serious consequences, such as being stalled in the process of attesting for Stage 2 of CMS' meaningful use EHR incentive program.

But protecting data isn't just about avoiding consequences. It can also help your practice build a better relationship with patients.

Ready to go into data-protection mode now? We bet!

How data is vulnerable

All patient information, whether on paper or in a digital file, is exposed to a range of catastrophes, from fire and flood to e-mail hacking and medical-identity theft. On top of that, the spread of portable devices, not just media tablets and smartphones but laptops as well, has increased the likelihood of data ending up in the wrong hands.

According to Verizon Business' annual Data Breach Investigations Report, released in March and based on analysis of more than 650 data breaches, attacks from outside the organization continue to rise: Ninety-two percent of breaches were external in origin, and hacking and malware pose a huge threat.

Data that isn't secured by a practice is more likely to be breached by an outside party, and if that happens the practice can be subject to penalties. HHS's HIPAA Security Rule spells out required and "addressable" safeguards for electronic protected health information. Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, strengthens HIPAA enforcement by imposing stiff civil penalties on covered entities that violate the rules. Among the penalties: fines of up to $1.5 million per year for violations of a single provision, and the burden of notifying affected patients and HHS, plus the media if the breach affects more than 500 individuals.

The Ponemon Institute conducted a study (commissioned by Symantec) of 51 company breaches, which found that the cost per compromised record in breaches caused by a malicious or criminal act averaged $318 in 2010, up $103 from 2009.

Fortunately, there is a lot your practice can do to make data less vulnerable, says Lisa Gallagher, senior director of privacy and security at the Health Information and Management Systems Society.

"I think the vulnerabilities are broken into two categories," she says. "One is vulnerabilities with the actual technology they have deployed. And another is the policies and procedures and actual performance against those by practice employees. And I find that with the latter category, there's a lot a physicians' practice can do to train their employees, and monitor [if] they are complying with [those policies]."

Protection basics

Like Lin's, your practice should cover the basics, with data-protection policies that are followed by employees, before turning to technology.

For starters, lay down ground rules. For example, don't leave CDs or unencrypted flash drives lying around the office.

Next, make sure passwords are hard to crack and are required everywhere protected data can be reached. In addition, follow Lin's example of setting passwords to expire every three months, and discourage employees from using weak passwords that can be easily guessed.
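Lin's login controls (rotation every three months, a complexity rule, lockout after three failed attempts) and the guidance above reduce to a small amount of logic. The Python below is an added example written for this page, not code from Sunrise Urology's EHR or from any product. The minimum length of 12 characters, the three-of-four character-class rule, the short common-password list, the salted PBKDF2 storage and the sample accounts are assumptions chosen to fit the text. One caveat: forced periodic rotation was standard advice in 2012, but NIST SP 800-63B (2017) now recommends changing passwords only on evidence of compromise, so treat the 90-day clock as the policy the article describes rather than current best practice.

```python
"""Password policy, salted hash storage, three-strike lockout and 90-day age.

Added example for this page; thresholds other than "three failures" and
"three months" are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

MIN_LENGTH = 12                         # assumption: the text only says "not easily guessed"
MAX_FAILED_ATTEMPTS = 3                 # from the text: locked out after three failures
MAX_PASSWORD_AGE = timedelta(days=90)   # from the text: change every three months
PBKDF2_ROUNDS = 100_000

# Constructed sample of "too easily guessed" passwords; a real deployment
# checks against a large breached-password list instead.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def password_problems(pw: str, username: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append("needs three of: lowercase, uppercase, digit, punctuation")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


class LoginGuard:
    """Keeps salted PBKDF2 hashes and enforces the lockout and password-age rules."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, username: str, pw: str, now: datetime) -> List[str]:
        """Apply the policy; if it passes, store a fresh salted hash and restart the age clock."""
        problems = password_problems(pw, username)
        if not problems:
            salt = os.urandom(16)
            self.accounts[username] = Account(salt, self._hash(pw, salt), now)
        return problems

    def attempt(self, username: str, pw: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'locked' or 'denied' for one login attempt."""
        acct = self.accounts.get(username)
        if acct is None:
            self._hash(pw, b"\x00" * 16)   # burn the same time as a real check
            return "denied"                # same answer as a bad password: no username enumeration
        if acct.locked:
            return "locked"                # stays locked until an administrator resets it
        if not hmac.compare_digest(self._hash(pw, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        if now - acct.password_set_at > MAX_PASSWORD_AGE:
            return "expired"               # right password, but a new one is required before access
        return "ok"


def demo() -> Dict[str, object]:
    """Walk through the scenario in the text: weak password rejected, three strikes, expiry."""
    t0 = datetime(2012, 5, 1)
    good = "Cystoscope!4Tuesday"          # constructed sample password
    guard = LoginGuard()
    result = {
        "weak_rejected": guard.set_password("jlin", "password1", t0),
        "strong_accepted": guard.set_password("jlin", good, t0),
        "first_login": guard.attempt("jlin", good, t0),
        "strikes": [guard.attempt("jlin", "wrong-guess", t0) for _ in range(3)],
        "after_lock": guard.attempt("jlin", good, t0),
        "unknown_user": guard.attempt("nobody", good, t0),
    }
    other = LoginGuard()
    other.set_password("mlee", good, t0)
    result["expired"] = other.attempt("mlee", good, t0 + timedelta(days=91))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter more than the thresholds. The unknown-user path returns the same answer as a wrong password and still performs a hash, so an attacker cannot tell valid usernames from invalid ones by the response or by timing. And the lockout is checked before the password, so a locked account cannot be probed further.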

"The whole idea of encryption and security can be [thwarted] by someone putting a password taped to a monitor beside the laptop," says Jim Leonard, vice president of IT consulting for Quorum Health Resources. "I never recommend anyone write down a password. Make it something someone can remember, with punctuation, letters, and numbers."

Also keep tabs on who has access to protected health information, and when and where they have access to it.

"In addition to deploying an office space system, like an EHR, we also see rapid deployment of mobile devices, whether it be a laptop or a smartphone," says Gallagher. "For convenience reasons, folks are looking to connect those to the network. They're being deployed before the organization considers a policy for how they will be deployed …"

Specifically, says Gallagher, practices need to decide whether employees are allowed to download practice data onto their smartphones, and whether the workflow actually requires them to do so.

Next tech steps

After conducting a basic audit of your policies and making necessary adjustments, it's time to make some heftier, tech-related changes. First, take inventory of every place data resides (not just laptops, but smartphones and portable media, too), and note where it is vulnerable.

Many practices overlook the risk in text messaging, a popular way to communicate, says Sheldon Hebert, Motorola Mobility's senior director of enterprise solutions, who oversees the company's work with the healthcare industry.

"SMS (short message service) in general is not necessarily the most secure method of transmitting data," says Hebert. Many product lines encrypt data that resides on the device and in third-party clients (such as an e-mail client), but that doesn't necessarily protect text messages: SMS crosses the carrier network without end-to-end encryption and is typically stored in plain text on both handsets.
In lieu of texting, Hebert recommends applications that "mimic" text messaging, such as pager-replacement applications and encrypted e-mail. Just make sure e-mail messages are encrypted or sent through a secure channel, such as a patient portal.

Hebert also notes that mobile devices, which are being used more and more to access and store protected health information, are especially vulnerable to security breaches due to the possibility of being lost or stolen.

"Larger practices might want to have an IT person issue a policy on a password, or a smaller practice can make sure the device has dual authentication for the password," he says. "That means if you access health information via Citrix or the Web portal, there's a password requirement."

Hebert strongly suggests purchasing a remote-wiping application or having your IT consultant establish remote-wiping capabilities for portable technology so "if you lose your device, you can send a wipe command that will wipe all the data." A wipe command only takes effect if the lost device is powered on and still reachable over the network, so remote wipe complements, rather than replaces, full-device encryption behind a screen lock. Additionally, accessing information via Citrix or a Web portal that requires additional authentication can help protect data as well, he says.

It's important to remember, however, that security precautions don't just apply to data in transit. Data at rest, meaning anything stored rather than being transmitted, such as e-mail or text messages saved on a desktop computer or a mobile phone, must be protected as well. Not doing so could put a practice in violation of the aforementioned laws and hinder its chances of successfully attesting for Stage 2 of CMS' meaningful use EHR incentive program, says Gallagher. Should the proposed Stage 2 core objectives remain intact, providers will be required to address encryption of data "at rest."

But although certified EHRs ship with a minimum level of encryption and security capability, those features provide no protection if you don't turn them on at installation.

"The rub is, the EHR systems are certified, and ONC requires EHRs to have certain features, but when the EHRs are turned on, they need to be configured," says Gallagher. "But you can turn those off, and then you're not complying with the requirements."

Back it up

Even if you protect your practice against breaches, if your data isn't backed up adequately, say, to encrypted tapes or cloud-based storage systems, it could be as good as gone in a catastrophe.

Kim Burch, former practice manager and current owner of Ideal Billing, an Estes Springs, Tenn.-based billing and consulting company that serves physician practices and ultrasound providers, is lucky she didn't rely on fire-proof boxes for paper files when her company burnt to the ground. Instead, because most of her data was stored in a secure, cloud-based system, it was accessible within one day of the fire.

"I was a practice manager for 13 years," says Burch. "I never dreamed of any of this."

Unfortunately for Burch, a significant number of charred-but-intact old files, including patient insurance data, had to be shredded to avoid HIPAA security violations.

Had all of the data been secured electronically via the cloud or put onto secured, portable backup tapes, she might have been able to retain it.

Many practices don't spend enough time looking at their backup strategies, says Leonard, adding that even those who do back up their data aren't using the best tape-rotation system.

"Most practices tend to do backups on the same tape every day, which is definitely problematic," says Leonard. "We recommend a practice have at least a full week's worth of backups, and many auditors require you to have a year's worth of monthly backups."

Keeping 12 monthly tapes, one per month for a full year (each overwritten only after a year has passed), protects you from overwriting every good copy with the same corrupted file.

Leonard offers an example of what can go wrong: "Let's say you update a spreadsheet every month, and a power outage happens and it corrupted that file. Next month you go into that file, you might find it's corrupted."

In addition to monthly backups, Leonard recommends picking a random file each month and attempting to restore it from a backup tape to make sure the process works.
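The rotation Leonard describes (a week of daily sets plus twelve monthly sets kept for a year) and the monthly restore test can both be scripted. The Python below is an added example written for this page, not code from Quorum Health Resources or from any backup product. The retention rule (keep the seven most recent daily sets and the first set taken in each of the last twelve calendar months), the gzip-tar archive with a separately stored SHA-256 manifest, and the sample files are all constructed assumptions. The demo also reproduces the failure mode in the spreadsheet anecdote: a file that changed after the catalogue was written fails the restore check, which is exactly what the monthly test is meant to catch before the last good copy is overwritten.

```python
"""Backup-set retention plus a checksum-verified restore test.

Added example for this page; the retention rule, archive layout and sample
files are assumptions.
"""
import hashlib
import io
import os
import random
import tarfile
import tempfile
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Set

DAILY_KEEP = 7       # from the text: at least a full week's worth of backups
MONTHLY_KEEP = 12    # from the text: a year's worth of monthly backups


def sets_to_keep(backup_dates: Iterable[date], today: date) -> Set[date]:
    """Return the backup dates to retain: the last DAILY_KEEP daily sets plus the
    first set taken in each of the last MONTHLY_KEEP calendar months. Any other
    tape or object may be reused."""
    dates = sorted(set(backup_dates))
    keep = set(dates[-DAILY_KEEP:])
    first_in_month: Dict[int, date] = {}
    for d in dates:
        first_in_month.setdefault(d.year * 12 + d.month - 1, d)   # first set of that month
    cutoff = today.year * 12 + today.month - 1 - (MONTHLY_KEEP - 1)
    keep.update(d for month, d in first_in_month.items() if month >= cutoff)
    return keep


def make_backup(archive_path: str, files: Dict[str, bytes]) -> Dict[str, str]:
    """Write the files into a gzip tar archive and return a manifest of SHA-256
    digests (assumed layout: the manifest is kept apart from the archive)."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest


def restore_test(archive_path: str, manifest: Dict[str, str],
                 name: Optional[str] = None, rng: Optional[random.Random] = None) -> Dict[str, object]:
    """Restore one file (random unless named) to a scratch directory and compare
    its digest with the manifest. This is the monthly check from the text."""
    name = name or (rng or random.Random()).choice(sorted(manifest))
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path, "r:gz") as tar:
        try:
            member = tar.extractfile(name)
        except KeyError:
            return {"file": name, "ok": False, "reason": "missing from archive"}
        target = os.path.join(scratch, os.path.basename(name))
        with open(target, "wb") as out:
            out.write(member.read())
        with open(target, "rb") as restored:
            digest = hashlib.sha256(restored.read()).hexdigest()
    return {"file": name, "ok": digest == manifest[name]}


def demo() -> Dict[str, object]:
    """Run the rotation over 400 daily sets and the restore test on a good and a
    silently corrupted archive (constructed sample data throughout)."""
    today = date(2012, 5, 24)
    keep = sets_to_keep([today - timedelta(days=i) for i in range(400)], today)
    files = {
        "billing/2012-04.csv": b"claim_id,cpt,amount\n1001,99213,85.00\n",
        "notes/office-policy.txt": b"Flash drives leave the office encrypted or not at all.\n",
    }
    with tempfile.TemporaryDirectory() as workdir:
        good_path = os.path.join(workdir, "monday.tar.gz")
        manifest = make_backup(good_path, files)
        # Simulate the spreadsheet anecdote: a file corrupted after the catalogue
        # was written, then backed up again under the same manifest entry.
        damaged = dict(files)
        damaged["notes/office-policy.txt"] = files["notes/office-policy.txt"][:-1] + b"\x00"
        bad_path = os.path.join(workdir, "tuesday.tar.gz")
        make_backup(bad_path, damaged)
        good = restore_test(good_path, manifest, rng=random.Random(2012))
        bad = restore_test(bad_path, manifest, name="notes/office-policy.txt")
    return {
        "kept_count": len(keep),
        "oldest_kept": min(keep).isoformat(),
        "newest_kept": max(keep).isoformat(),
        "good_restore": good["ok"],
        "corrupt_restore": bad["ok"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 400 daily sets ending on 24 May 2012, the rule retains 19 sets: the seven dailies from 18 to 24 May and the first set of each month from June 2011 to May 2012. The restore test deliberately writes the file out to disk and hashes what was written, rather than hashing the archive member in memory, because the point of the exercise is to prove that the restore path itself works.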

If you use cloud providers or are considering one, Leonard suggests asking vendors whether they have passed an SAS 70 audit, which means an independent auditor has examined the controls at the provider's data center. Note that SAS 70 was replaced in 2011 by SSAE 16 (the SOC 1 report), and both cover controls relevant to financial reporting; when the question is data protection, ask for a SOC 2 report, which addresses security, availability and confidentiality controls.

He also suggests seeking cloud service providers that use multiple data centers that replicate data. This will ensure you can access data in the event of a data center's downtime.

Finally, Burch says it also helps to have a relationship with a healthcare organization or other nearby business that will let you use its physical space and Internet connection in the event of an emergency.

"We were able to access data at one of our clients' office," says Burch. "We were able to get on the Internet on laptops and continue with our business."

Marisa Torrieri is an associate editor at Physicians Practice. She can be reached at marisa.torrieri@ubm.com.

This article originally appeared in the June 2012 issue of Physicians Practice.