Docs Must Evaluate New Technology’s Security Risks

When physicians are forced to weigh the necessity of technology against the financial cost associated with it, there is an understandable temptation to cut corners in order to save money. This mindset is laced with risk, says Greg Scott, owner and operator at Infrasupport Corporation, an IT consulting firm in Eagan, Minn. "There's no such thing as being sure that anything is secure," says Scott. "Security is always, always, always about playing probabilities, whether using proprietary or open tools. Lots of people want to take shortcuts - that's why we see all the headlines around data breaches."

While practices need to make smart financial decisions when selecting technology, they need to evaluate their information security risk in order to select the most affordable solutions that address the biggest of those risks, says Phil Hagen, a certified instructor for the SANS Institute, an information security training institute based out of Bethesda, Md., and an employee at Red Canary, a managed threat detection company in Denver.

Medical practices need to determine what the most important data sources may be, such as patient records and payment processing information, Hagen says, and then they need to determine the appropriate mix of "prevention" and "detection" technology that is necessary. "Many small offices may fall into the 'prevention-only' way of thinking, but this is no more viable for information security than for disease or sickness," he says. As such, the best information security technology and procedures are a mix between prevention, such as through the use of anti-virus programs and employee training, and rapid detection using continuous monitoring and visibility, Hagen says.

Physicians should have a concrete compliance plan in place that incorporates regular planned audits to identify significant operating and legal risks. They should also have a detailed plan for how to promptly respond with corrective actions should a violation be detected. Moreover, it is essential that physicians work with IT support that specializes in the medical industry.

Kyle Wailes, senior vice president of physician services at Ft. Lauderdale, Fla.-based technology solutions provider, Intermedix, notes that many physicians pay big bucks for in-office technology and then try to save money on support and maintenance by hiring local IT vendors who do not specialize in HIPAA and HITECH compliance. "I also recommend to the doctors I work with to look for tech vendors that ensure HIPAA/HITECH compliant IT support is included with all services so there is no need to pay for additional compliance maintenance," Wailes says.

The costs associated with purchasing a system that balances reasonable prevention and rapid detection along with a compliance plan varies, but practices with a healthy vendor relationship are often able to save money on legal and security experts by working with their technology vendors, who have experts on staff, Wailes says. "Time and effort is a small price to pay when compared with the cost of a federal fine."

JoAnna Haugenis a Las Vegas-based freelance writer and editor with work published in dozens of print and online publications both in the U.S. and internationally. She can be contacted at editor@physicianspractice.com.