Technology: Data Security for Non-Techies

November 1, 2007

You don’t have to be a computer scientist to keep your patient data away from prying eyes. Here are some simple, non-nerd-friendly ways to keep your information secure.

About 10 percent of the privacy violations tracked by consumer advocacy organization in 2005 occurred in healthcare organizations. That figure jumped to 16 percent in 2006, and should be up another 5 percent to 6 percent this year if trends continue, says M. Peter Adler, of Alexandria, Va.-based InfoCounsel, a consulting firm focused on the intersection of legal and technology issues.

Clearly, security is a significant and growing issue in healthcare. Trouble is, it’s hard to recognize possible breaches in your own office. You’re just doing business the best you can. When there is a hitch, it’s a surprise.

Preemptively shoring up your practice’s security protocols can seem daunting, especially considering the industry’s obsession with EMRs and all things electronic. It’s easy to focus on IT and forget about basic, mundane physical security, says physician Jeffrey Hertzberg, president of Medformatics, a Minneapolis-based consulting firm specializing in the design, implementation, and selection of healthcare information systems. But some of the more common - and easily addressed - security cracks in medical offices are in fact comparatively low-tech. At the very least, attend to these.

Get physical

Indeed, everyone worries about the security of EMRs, application service providers, and data on handheld devices. Meanwhile, the chart room door hangs open and unlocked, consulting reports arrive at front-desk fax machines, staffers strew charts all over workstations, and physicians routinely take charts home, leaving them in their unlocked cars when they stop to buy milk.

Take some time to review these basics:

  • Where are faxes printing out, and who can see them?

  • Who has access to paper charts? Who can get into the records room or see charts currently in use?

  • Is the record room locked when it’s not being used?

  • Do paper charts travel outside the office? What keeps them safe?

  • What happens to paper with patient information on it? Does it get thrown into the trash or is it shredded?

  • Do you replace the locks or change the alarm pass code when staff turns over?

  • Do you have written standards for staff to follow regarding patient privacy, and can you prove you’ve provided training on these standards?

It’s not just HIPAA

Certainly you do need to worry about complying with patient privacy regulations, although some practices remain unclear about just how to comply.

“I just talked to an office the other day where they were sending ordinary e-mail to patients and they didn’t realize it was a problem,” Hertzberg says. Everyone loved it, but any criminal interested enough to sort through voluminous Internet service provider records and piece together messages could see that a particular patient had a specific condition - a clear violation of HIPAA security regulations. Hertzberg advised the practice to switch to an encrypted e-mail model.

However, while HIPAA sets the standard for most security and privacy issues in physician practices, that’s not all you need to worry about. Thirty-nine states have “notice of security breach” laws that require practices (and other businesses, as well) to let individuals know if their names, Social Security numbers, credit card information, and other similar data may have been accessed improperly.

The laws are meant to give consumers a chance to protect themselves from identity theft. “So if there is a group that is taking credit card information or using Social Security numbers as identifiers on files” they need to be ready to comply, Adler stresses. “I don’t know many practices that have these policies in place. They need to look at the laws.” He encourages physicians to get away from relying on Social Security numbers, as far as possible, for this reason.

As for taking credit cards for payment, you must comply with privacy stipulations in the contract you have with your merchant as well as with the 2003 Fair and Accurate Credit Transactions Act, or FACTA. This law is the same one that lets you get a free credit report. But it also says credit and debit card receipts should not include more than the last five digits of the card number or the card’s expiration date.

While you are busy protecting your patients’ data, think about destroying some of your own. Businesses are increasingly setting rules regarding the destruction of electronic information and e-mails to avoid undue liability, Alder explains. This idea has merit. Look at how long you need to retain information for legal or business reasons; get rid of what you don’t need, he advises. If you have cleanup rules and follow them as a normal course of business - rather than in response to concerns about a specific case - you’ll be much better protected in the long run. There are now services that erase hard drives for you - which is harder than it sounds - and shred the hard drive itself into little metal nuggets.

Safe travel tips

You might have a firm policy prohibiting physicians from taking home paper charts. But how are staff and physicians using memory sticks - those handy little drives you stick into a USB port? Ross Duncan, vice president of channels for digital security firm Gemalto North America, worries about “the growing popularity of the use of memory sticks. Once [physicians put charts on one] they have probably violated half a dozen regulations.”

Most memory sticks have no protection whatsoever. If someone found the gadget, they could immediately access patients’ medical records. It’s better not to transfer data like that or to use a memory stick that requires a password or some other security.

Same thing goes for laptops and PDAs, which can be vulnerable to hacking. “Every time I put [my laptop] down in an airport, it leaves my sight. Anyone could steal it and break into it. So the information on my computer is encrypted,” says Robert M. Cothren, director for clinical information systems of Northrop Grumman’s health solutions division. What’s on the laptops and PDAs in use at your office? Make sure you regularly clean them and scrupulously protect the data.

What’s the password?

Of course the classic tools in digital security are user identifications and passwords. Effective? Yes, but only if used well.

“Physician practice groups often don’t have unique user IDs and passwords,” warns Adler. “They either share them or have one that everyone uses. If everyone is using the same password, it’s easier for someone to get into the system.”

Another mistake he sees: Practices continuing to use vendor-supplied user IDs and passwords long after they’ve implemented new software into their practice. Since it’s the same user ID and password every other practice initially gets, hackers will test to see if they’ve been reset or not.

If you are going to create new passwords, create good ones. “It can’t be a word,” says Cothren. “It has to have numbers and capital letters. The downside is that most people aren’t very good at remembering those so they tend to write them down.” And if the password expires every 90 days - another best practice - it’s even harder to remember and more tempting to write it down. Passwords on sticky notes pressed onto monitors defeat the purpose. Strive to balance password protection with the realities of adult memory capabilities.

Make sure, too, to have written policies you actually follow for “deprovisioning” passwords - that’s industry-speak for changing passwords when a staff person leaves your office.

In the near future, Cothren says, practices will be able to use two-factor authentication instead of passwords. That’s the technology you use for ATMs; you have a password (one factor) and a bankcard (the second factor). That’s the security gold standard. However, few computers in medical practices are set up with card scanners, and the biometric checks, which might provide an alternative, have so far proven too slow or awkward for medical use. “Finger-print readers can be hard to use if you have a glove on,” Duncan says. “People will crank down the sensitivity of the reader to speed up access, then break security rules.”

However, hospitals are experimenting with substitutes, such as sending physicians who log into a hospital system a second secret key via text message, for example, Cothren says.

Let the high-techies do their thing

You - and many physicians along with you - might focus on the safety of new-fangled, Web-based software and encrypted e-mail rather than actual physical protection, such as shredding sensitive papers or locking the chart room door. But be honest. Are you truly the best person for such high-tech concerns? Probably not. So let the experts handle it. You’ll find that an application service provider that lets you run, say, an EMR or practice management software over the Internet “can be more secure than the average paper-based office,” Duncan suggests.

Cothren agrees. Thankfully, this layman-level worry is slowly abating. “More and more people are becoming comfortable with the security level you can put on encrypted information you send over the Internet,” he says. “Most ASP vendors will have more secure systems than most physician offices.”

Just perform your due diligence and create a chain of trust or business associates agreement, Hertzberg suggests.

Running a more secure office takes awareness and endless scrutiny, and it’s not a once-and-done job. Take time to regularly look for holes.

Pamela L. Moore, PhD, is senior editor, practice management, for Physicians Practice. She can be reached at

This article originally appeared in the November 2007 issue of Physicians Practice.