Here are five tactics to reduce many of the more common risks of data loss at your practice. Make sure you're up to date.
Keeping your data safe can seem like a never-ending challenge. New breaches of health data seem to be announced almost daily, and organizations of all sizes - including the government - have fallen victim to data scams.
But there is good news on the data security front, too. The migration of many systems to the cloud means that much of the responsibility for security is now handled by true experts who focus on that task, rather than by practice owners and managers who are overseeing a lot of other important priorities.
There are also a number of quick, easily implemented tactics for reducing many of the most common risks of data loss. Here are a few that I recommend your practice consider:
1. Is your hardware physically secure?
Managers and physicians often worry more about hacking, but physical loss of computers containing private health and financial information is the most common way data is lost or stolen. Make sure laptops and desktop computers in the office are secured to a fixture, such as with a cable and lock system, which will at least slow down a would-be thief. If you have an on-site server for your EHR or practice management system, consider further securing it within a locked room. Make sure anyone who takes a device containing valuable data offsite understands how important it is to keep the device itself secure (i.e., no leaving it in the car!).
Be sure to protect data against non-theft losses, too. Floods, fires, and other disasters can destroy computers and wipe out data. Simple measures like avoiding placing servers on the floor and setting up remote back-ups can help – but the physical risks to data are a good reason to consider a move to a cloud-based version of your practice EHR/practice management system.
2. Are physicians and staff trained to avoid phishing?
Have you noticed that some of the most newsworthy data breaches in the past year or two have involved phishing? For hackers, the strategy of luring users to give up their credentials willingly is straightforward and irresistible. It's up to you and your team to thwart them.
Make sure all of your employees know never to download any files or click on any links from users they don't know. None of your employees should be accessing personal email accounts or social media from their work computers. And even when a request to change a password or update other information seems legit, the only safe way to do it is to log in to the website directly from a browser to change your password - never to click on a link in an email.
These protections are easy to forget, so a quarterly refresher training session is a good idea.
3. Backups for data and personnel
Most practices know by now that a backup of your EHR and practice management data is essential. Make sure those backups are kept in a secure place, offsite, so that a physical threat to your original (like a fire or break-in) doesn't also imperil your backup.
Besides redundancy of your data, make sure you also have a backup for the personnel who take care of it. Smaller medical groups often rely on a single person (e.g., an external IT consultant) to manage their entire tech set-up. But what happens if that person leaves the industry or the area? Make sure you've got a "plan B" in case your service provider is no longer able to help you. Maintain physical documentation of your technology set-up so that a new technology manager can step in quickly. And remember your internal controls: just as with your financial processes, you can reduce the risk of internal theft by never giving a single individual complete control over your patient and billing data.
4. Keep software up to date
Conventional wisdom used to hold that it was smarter to delay upgrades to avoid the hassles of unreported bugs and the need to relearn how to use key features. But these days, updates (e.g., patches) are often necessitated by security issues, so putting them off for too long can dramatically increase your risk of a breach. Even major upgrades (such as to your operating systems) can be important for data safety, since older versions may no longer be supported or patched.
Name a tech liaison in your practice who will have responsibility for monitoring IT news from the vendors you work with, so that security-related updates to software and hardware are not missed. It's okay to wait a few weeks before major upgrades, to confirm no debilitating bugs have been found. For small updates via patches, make sure staff know they should download and install them when they become available.
5. Use encryption where appropriate and unique logins/passwords
If you're storing data on your own computers or a server in your office, encrypt those devices to minimize the possibility that a thief can access the data on them. Remember that encryption is much more secure than a basic locked screen: without the password, the data cannot be recovered at all. So store a written record of passwords in a safe place, in case retrieval is needed, such as when an employee leaves your practice and you need to regain access to their workstation.
Cloud-based systems reduce the need to encrypt devices, but you should still have an encrypted email option available for secure messaging. Keep in mind also that basic password hygiene means each person has a unique ID and login for any system they need to access. Insisting that staff use their own ID will allow you to check logs and track access to sensitive files in the event you are ever concerned that a data theft may have occurred.
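The last point, that unique logins are what make access logs useful, can be shown with a small log review. The Python below is an added example written for this page, not code from the article or from any EHR vendor; it assumes a hypothetical audit log format of "timestamp user action record" per line, a constructed set of sample lines, and an assumed list of shared account names (frontdesk, admin). It reports who touched which records, shows which events cannot be tied to a person because they were logged under a shared account, and flags a user who opened an unusually large number of distinct records in a short window, the kind of pattern a practice manager would want to review after a suspected theft.

```python
"""Review an EHR audit log for attribution gaps and bulk record access.

Added example for illustration; the log format, account names and
thresholds below are assumptions, not any product's real format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log lines (hypothetical "timestamp user action record" format).
SAMPLE_LOG = """\
2024-03-04T08:02:11 jsmith VIEW patient/10442
2024-03-04T08:05:40 frontdesk VIEW patient/10442
2024-03-04T08:06:02 frontdesk EXPORT patient/10442
2024-03-04T09:17:55 rlee VIEW patient/20981
2024-03-04T09:18:20 rlee VIEW patient/20982
2024-03-04T09:18:44 rlee VIEW patient/20983
2024-03-04T09:19:01 rlee VIEW patient/20984
2024-03-04T09:19:30 rlee EXPORT patient/20985
2024-03-04T11:45:09 admin VIEW billing/7781
2024-03-04T12:00:13 jsmith VIEW billing/7781
"""

# Assumed list of accounts used by more than one person. Actions recorded
# under these cannot be attributed to an individual, which is exactly the
# gap the article's "unique ID per person" advice closes.
SHARED_ACCOUNTS = {"frontdesk", "admin"}


def parse_log(text):
    """Return a list of (timestamp, user, action, record) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore blank or malformed lines rather than crash the review
        events.append(tuple(parts))
    return events


def access_by_user(events):
    """Map each user to the records they touched and how often (user -> record -> count)."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, user, _, record in events:
        counts[user][record] += 1
    return {user: dict(records) for user, records in counts.items()}


def unattributable_events(events):
    """Return the events logged under a shared account; these cannot be tied to a person."""
    return [event for event in events if event[1] in SHARED_ACCOUNTS]


def find_bulk_access(events, max_records=4, window_seconds=600):
    """Flag users who touched more than max_records distinct records within window_seconds.

    Returns {user: distinct_record_count} for the first window that exceeds the limit.
    """
    by_user = defaultdict(list)
    for ts, user, _, record in events:
        by_user[user].append((datetime.fromisoformat(ts), record))

    flagged = {}
    for user, items in by_user.items():
        items.sort()  # oldest first so the sliding window moves forward in time
        for i, (start, first_record) in enumerate(items):
            distinct = {first_record}
            for later_ts, later_record in items[i + 1:]:
                if (later_ts - start).total_seconds() > window_seconds:
                    break
                distinct.add(later_record)
            if len(distinct) > max_records:
                flagged[user] = len(distinct)
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, records in sorted(access_by_user(events).items()):
        print(f"{user}: {records}")
    print("unattributable:", [e[1:] for e in unattributable_events(events)])
    print("bulk access:", find_bulk_access(events))
```

With unique logins, the per-user table answers "who looked at this chart?" directly; the shared-account list shows the events for which that question has no answer, which is the practical cost of letting staff share an ID.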