Ensure Emergency Access for Your Practice's IT Systems

May 31, 2017

If your IT person leaves your practice, you need to be prepared to take over his duties and ensure things continue to run smoothly.

Call it what you like: the "hit by a bus," "won the lottery," or even the "unfortunately I had to fire her" plan.  Personally, I take the old "In case of emergency, break glass" signs as my shorthand, dubbing it my "break the glass" access plan.  Because if you suddenly lose IT staff, you may end up in a world of hurt if you haven't set up emergency IT access. 

IT staff often control many systems essential to your practice's daily operations.  These include the servers, storage devices, internet connections, and firewalls in your offices.  Also keep in mind a variety of programs and systems such as your EHR, billing systems, HR systems, etc.  And, finally, there are issues involving access to vendors, technical support, and cloud services.  While many of these can hum along fine without immediate IT assistance, inevitably there will be a need to fix a problem or make a change.  If your IT staff isn't available, these things can present big problems for you and your practice.

You can't yet clone your IT staff or automatically download their knowledge, so it's important that you have prepared and have documentation in place if they're not available. If this sounds like an awkward conversation with IT, approach it as a core piece of your disaster recovery / business continuity plan.  The HIPAA Security Rule requires that this plan be completed and regularly reviewed and updated.  

Where to start?  The truth is that you don't have to be an IT person to understand some reasonable measures to protect your practice. Here are a few key considerations to include in your discussion with your IT staff to get you started.

Administrator Accounts: Almost all tech products come with an administrator user account, responsible for management of the system.  The admin account can install and remove programs and create, update, or delete user accounts.  In almost all cases, there can be multiple admin users, and having them is an accepted best practice. 

Separate admin accounts for each authorized IT user also means that you can audit who made changes, an important accountability consideration.  And, of course, it also means that you can disable or suspend one user's admin account and still have another working admin account if you need it.  With only one admin account, you may not be able to control your systems (e.g., if the admin password is changed or simply not documented) - including limiting access by a former employee.  Indeed, part of my "break the glass" access plan includes an entirely separate emergency access admin account, with its login name and password kept in a secure, off-site location not accessible to IT staff.  Any login with that emergency account should be treated as an event to investigate, since it should only ever be used during a declared emergency.
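The two checks this section implies, as an added example that is not part of the original post: is every system manageable by more than one admin account, and has the emergency account been used?  The script below runs those checks over a constructed inventory and a constructed authentication log; the account name `breakglass-admin`, the system names, and the log format are all assumptions made for the example.

```python
"""Audit an inventory of systems for emergency-access readiness and flag any use of
the break-glass admin account in an authentication log.

Example code added for this post (not the author's).  The inventory, the log lines
and the EMERGENCY_ADMIN account name are constructed for illustration.
"""
from datetime import datetime

# Assumed name of the separate emergency admin account kept off-site.
EMERGENCY_ADMIN = "breakglass-admin"

# Constructed inventory: system name -> list of enabled admin accounts on it.
INVENTORY = {
    "file-server": ["jdoe-admin", "breakglass-admin"],
    "firewall": ["admin"],                      # device with one shared admin login
    "ehr-app": ["jdoe-admin", "ceo-admin", "breakglass-admin"],
    "billing-app": ["jdoe-admin"],
}

# Constructed authentication log: "<ISO timestamp> <system> <user> <result>" per line.
AUTH_LOG = """\
2017-05-30T08:01:12 file-server jdoe-admin SUCCESS
2017-05-30T09:15:40 ehr-app ceo-admin SUCCESS
2017-05-31T02:44:03 file-server breakglass-admin SUCCESS
2017-05-31T02:45:10 firewall admin FAILURE
"""


def find_single_admin_systems(inventory):
    """Systems whose management would be lost if their only admin left or was locked out."""
    return sorted(name for name, admins in inventory.items() if len(admins) < 2)


def find_systems_missing_emergency_account(inventory, account=EMERGENCY_ADMIN):
    """Systems where the break-glass account has not been provisioned."""
    return sorted(name for name, admins in inventory.items() if account not in admins)


def parse_auth_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, user, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "system": system,
            "user": user,
            "result": result,
        })
    return events


def find_break_glass_use(events, account=EMERGENCY_ADMIN):
    """Every login attempt with the emergency account, successful or not, is worth a look:
    it should only ever happen during a declared emergency."""
    return [e for e in events if e["user"] == account]


def audit(inventory, log_text):
    """Run all checks and return a report dict a practice manager can act on."""
    events = parse_auth_log(log_text)
    return {
        "single_admin": find_single_admin_systems(inventory),
        "no_emergency_account": find_systems_missing_emergency_account(inventory),
        "break_glass_logins": [
            (e["system"], e["time"].isoformat(), e["result"])
            for e in find_break_glass_use(events)
        ],
    }


if __name__ == "__main__":
    report = audit(INVENTORY, AUTH_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the inventory would come from a directory export or the device list in your documentation, and the log from each system's authentication log; the point of the check is that the two lists of systems should both be empty and the break-glass login list should only contain dates you recognize.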

Hardware and Network: Hardware and network equipment such as routers, switches, and firewalls will also have admin accounts.  In some cases these may not allow for multiple admin users, so it will be important to have those accounts and passwords documented in case your IT person is unavailable.  The best practice is to have this information securely stored offsite, e.g., in a practice-owned safe deposit box.

Applications: Whether on servers in your offices or at a cloud vendor, applications such as your EHR will have admin accounts.  Again, if possible, these should be assigned to more than one staff member.  Without this, you may not be able to add or remove accounts or make changes to the application (e.g., list items within menus).  If you're using a cloud vendor, ensure the vendor understands that the practice CEO should always be authorized to change key user permissions.    

Vendors and Service Providers: More than ever, the complexity of technology means that almost all practices rely on vendors to support key aspects of operations.  When a change is needed or a problem occurs, you don't want to hit a brick wall, not knowing who to contact to get things resolved.  Both a list of vendor contacts and ensuring that multiple staff are listed by the vendor as authorized contacts (e.g., the IT person and the practice CEO) will avoid many problems in the future. 

Website and Domain Registration: If you have a website, there are at least two things you'll want to have a handle on.  First, access to the website to update or make changes to it - whether this editing is done in-house or through a vendor.  Second, every domain name has a registration record, which is important because if the registered "administrative contact" is an employee who leaves your practice, you may not receive notice to renew your domain registration.  If the registration expires without renewal, anyone can register your domain name, taking it away from you. One best practice to avoid this is to use a generic email address, such as domains@mypractice.com, which can be forwarded to another employee if needed; turning on the registrar's auto-renewal option, with a practice payment method on file, is a second safeguard.  All domain registrations are made and renewed through entities called "domain registrars," and you should ensure that login information for the account with the registrar is documented in case the IT person isn't available.  Without these things in place, you may need to go through a sometimes burdensome process to prove to the registrar that you legitimately represent the domain name ownership.
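A small check for the two domain-registration risks above, as an added example that is not part of the original post: how many days remain before the registration expires, and whether the administrative contact is a role mailbox rather than one person's address.  The WHOIS-style text, the domain, the dates and the email addresses below are constructed for the example, and real registrar output varies in its field names, so the parser is written for the common "Field: value" layout only.

```python
"""Check a domain registration record for an approaching expiry date and for an
administrative contact tied to an individual rather than a role mailbox.

Example code added for this post (not the author's).  The WHOIS-style text, domain,
dates and addresses are constructed; the field names follow the common
"Registry Expiry Date" / "Admin Email" layout and are an assumption.
"""
from datetime import date, datetime

# Constructed record for the example (not a real domain lookup).
WHOIS_TEXT = """\
Domain Name: MYPRACTICE.EXAMPLE
Registry Expiry Date: 2017-07-15T04:00:00Z
Registrar: Example Registrar, Inc.
Admin Email: jsmith@mypractice.example
"""

# Local parts that indicate a shared, forwardable mailbox rather than one employee.
ROLE_MAILBOXES = {"domains", "it", "admin", "hostmaster", "webmaster"}


def parse_whois(text):
    """Parse 'Field: value' lines into a dict of lower-cased field name -> list of values."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def days_until_expiry(fields, today):
    """Days from `today` until the registry expiry date (negative if already expired)."""
    raw = fields["registry expiry date"][0]
    expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").date()
    return (expiry - today).days


def admin_contact_is_role_address(fields):
    """True if the administrative contact is a role mailbox like domains@ rather than a person."""
    local_part = fields["admin email"][0].split("@")[0].lower()
    return local_part in ROLE_MAILBOXES


def check_domain(text, today, warn_days=60):
    """Return a list of findings; an empty list means neither risk is present."""
    fields = parse_whois(text)
    findings = []
    days = days_until_expiry(fields, today)
    if days < 0:
        findings.append(f"registration expired {-days} days ago")
    elif days <= warn_days:
        findings.append(f"expires in {days} days")
    if not admin_contact_is_role_address(fields):
        findings.append("admin contact is a personal mailbox")
    return findings


if __name__ == "__main__":
    for finding in check_domain(WHOIS_TEXT, date.today()):
        print(finding)
```

Run against a registrar's actual output you would paste the record in place of `WHOIS_TEXT` and, if the field names differ, adjust the two keys in `days_until_expiry` and `admin_contact_is_role_address`; the checks themselves stay the same.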

Software Licensing: The typical practice has a lot of software, ranging from their EHR and billing systems, to software for HR - and even Microsoft Office.  All of this software is subject to licensing terms such as how many users or copies of the software are permitted, and these days most software is licensed for a specific period, rather than a "perpetual" license.  As with the web domain registration, if you don't have account information with the vendor documented, you may miss out on renewal notices.  You also may find that only named authorized users are permitted to access technical support in the event of a problem.