Technology: Do You Know Where Your Data Is?

Your practice has implemented an EMR, and the software vendor has made it compatible with your practice management system. Maybe you even submit claims and receive lab results and EOBs electronically. And why shouldn’t you? It’s fast, easy, and automated.

It can also be dangerous.

In the rush to move practices into the 21st century, security is sometimes the first casualty. Every practice wants the electronic tools that will make it the most efficient, but - let’s be honest - most practice administrators and physicians don’t know much more about computers than how to plug them in.

“As more and more of us convert to the electronic environment, we’re really entering some unknown territory,” says Susan Miller, administrator for Family Practice Associates of Lexington, Ky. Miller, whose practice has been using electronic management tools since 1999, knows just how daunting a task Internet and computer security can be, but she also knows how important it is.

Under HIPAA regulations, every practice must take steps to protect the confidentiality of electronic patient information. Failure to take those steps not only exposes your patients to risk and potential fraud, but it can also result in some pretty steep penalties: Civil penalties for noncompliance can cost you $100 per violation (that’s per patient record!), or up to $25,000 per year; criminal penalties could cost you as much as $250,000 and ten years in prison!

The good news is that electronic security doesn’t have to be complicated. Follow these five easy steps, and you’ll be on your way to an efficient electronic environment that is safe for you and your patients.

1. Use a firewall
Most of us have probably heard this term, but how many really know what a “firewall” is? Yet in a busy medical practice running multiple workstations, “the basic foundation of a network is [having] a good firewall,” says Kyle Chang, manager of IT services with The Coker Group, a healthcare management consulting firm in Alpharetta, Ga.

Basically, a firewall is a software application that monitors information passing into and out of your network. Based on a set of rules that you define, your firewall determines whether certain network traffic is allowed to pass. If someone tries to access your network without a password or network key, the firewall stops them. If another program or application attempts to establish an unauthorized connection to your network, the firewall blocks that connection.

It can work in reverse, too. Say an employee tries to access a personal Web site during work hours. Or maybe he or she wants to download an instant messaging program to talk to friends. Depending on how your firewall is set up, you can restrict access to certain Web sites and prevent employees from downloading and installing specific programs on your office computers. Not only does that help keep employees focused on their work, it can also protect your computers from falling victim to incoming viruses that might disable your network completely.

Chang recommends that practices use some of the better-known firewall software packages from reputable manufacturers such as Cisco, 3Com, or SonicWALL. The important thing is to have a firewall that you know will work - and to use it.

And since we’re on the subject of viruses, make sure you run antivirus software on your system. “I don’t care if you have just one laptop, and you are a solo doc,” says Cynthia Dunn, senior consultant for the Medical Group Management Association Health Care Consulting Group. “That’s fine, but it better have antivirus software on it.”

The best antivirus software runs continuously and can automatically detect and download updates so your network is always protected against the latest viruses. Check out some of the more popular programs like McAfee VirusScan or Norton Internet Security to keep yourself safe.

2. Encrypt it
If you use e-mail, chances are that your practice is sending sensitive patient information electronically. The problem is that e-mail gets routed to a lot of different places before it travels from your practice to a patient’s inbox. Along the way, anyone could intercept that e-mail and read what you have written.

“You’re going to have to talk to a vendor about encryption if you’re going to send patient information,” says Dunn. “You are required to protect that e-mail if somebody else has the ability to get it.”

There are a number of programs you can use to encrypt e-mails. All of them involve the same basic principle: sharing a code with patients so that they can decipher the e-mail messages you send to them. If they send e-mails in return, then you also want to make sure they’re encrypting their own information. So not only will you need an encryption program for your e-mails, but you should also advise your patients to install one of their own so they can send and decipher e-mails from you. Once you set up the encryption program, it’s a good idea to give your patients written instructions or let them call with questions about how to download and install an encryption program on their personal computers …

WAIT! STOP!

Getting a headache? No wonder. A medical practice shouldn’t have to double as an IT support company.

There’s an easier way. It’s called a patient portal, and it lets your practice keep physician-patient communications secure without being too complex or asking patients to download a single thing.

A patient portal is nothing more than a protected Web site that resides on your network server. To access the site, patients have to enter a username and password. Only then can they communicate with the practice or read messages from their physicians. By keeping the Web site on your server, you can make sure your communications remain private.

Family Practice Associates of Lexington uses a portal to communicate with their patients. “We accept requests for appointments, prescription refills, and some basic questions via the Web site in a secure environment,” says Miller.

Luckily, setting up a patient portal isn’t very difficult. In fact, says Dunn, many practice management programs already have some sort of portal component. She recommends using a patient portal over e-mail encryption. Talk to your practice management software vendor to evaluate what option is best for your needs.

3. Grill your vendors
In fact, you should talk to all of your software vendors about their security measures. Most people assume their EMR vendor has adequate security, but that may not be true.

“Don’t be satisfied with hearing, ‘Yes, we adhere to all HIPAA security rules and regulations,’” says Dunn. “Tell me what you mean by that. What ones are you referring to? And how do you adhere to them? Some people don’t even ask, so they don’t really know.”

Also, don’t be surprised if you get an answer you weren’t expecting. Security isn’t the highest priority for many EMR vendors, says Chang. Consequently, only the newest EMR vendors are very tight with security and encrypting user-to-network connections. In fact, Chang estimates that only one or two out of the approximately 300 EMR products on the market today incorporate the very highest level of encryption services.

For many practices, the best solution is to outsource security to people who understand networks and computers better than they do. That’s what Family Practice Associates of Lexington does. With 10 family physicians, two midlevel providers, and a family therapist on staff, the practice can’t afford to hire a full-time IT department for their needs - even if they do have more than 100 workstations!

“There are some of the larger practices with multiple locations that have in-house IT staff, but most of us in the small- to medium-sized group setting . . . tend to contract out the more demanding parts,” says Miller.

If you decide to use an outside company for your networking and security needs, Miller recommends locating a vendor specifically experienced with medical practices. “Not only from the standpoint of the extra security measures that need to go along with patient confidentiality, but also so that they understand the medical environment,” Miller says. “The bottom line is that I can’t be down in the middle of the day for three hours while we’re trying to see patients. It’s just absolutely impossible.”

4. Have a backup plan
Most people don’t think about backing up their data as a security measure, but an important part of HIPAA’s security requirements is data protection and recovery. HIPAA regulations require that your practice have a plan for backing up patient information, storing backups, and retrieving data in the case of an emergency. It’s also a good idea for your practice to have such a plan in place so it can continue operating if something happens to the network.

Family Practice Associates of Lexington has multiple redundancy measures in place when it comes to data protection. “We do have tape backups here on site. We back up on a nightly basis. We keep the tapes here in a fireproof safe, plus we take a copy off-site on a daily basis so that we don’t ever have all of our data in one place,” explains Miller. “More important, our practice management and our EMR are backed up remotely to our software vendor. Our network is backed up to our networking vendor. So we are backed up three or four different ways.”

And make sure that any data that leaves your practice is also protected. “One of the mistakes practices make is they make a backup tape, and they leave it off-site,” says Chang. “What if the tape was lost or stolen? I can grab that tape and stick it in any tape drive and be able to read your information.” Be sure to encrypt or password protect any of your backup tapes or network drives to avoid this scenario.

Of course, backup systems aren’t much good if you don’t know how to use them. Dunn recommends working with your vendor when installing the software. It’s best to schedule this task for a weekend, when you don’t have to worry about patients. Someone at the practice needs to familiarize herself with the installation procedure in case the software ever needs to be reinstalled.

5. Security starts with your staff
In this case, last is definitely not least. Everyone we talked to agreed this fifth step was the single-most important one for securing patient information.

“We have a saying here that it is 90 percent sociological and 10 percent technological,” says Chang. “You can have a practice built like Fort Knox in terms of technology and security, but if you’ve got someone who is giving out the keys to everybody, there is no point.”

Of course, no matter which technology your office implements, nothing can replace your employees’ good security practices. Dunn suggests identifying such employees during the interview process by performing background checks. Although most credit card information is encrypted on your practice management system, many employees still have access to vital information such as social security numbers and birth dates. Unscrupulous individuals don’t need much else to open credit accounts in your patients’ names.

Also be sure to limit access to specific parts of patient records. Everyone in your practice needn’t have access to test results, diagnoses, and other sensitive patient information. Most EMR systems have a rights management component that allows you to designate access by individual user account. Talk to your software vendor to find out how you can do this.

But sometimes the worst offenders are employees who never had any intention of doing your practice any harm. Someone who goes on the Internet and inadvertently downloads a virus while checking their private e-mail could incapacitate your network and put your practice out of business for the rest of the day. Both Chang and Dunn recommend establishing a policy for security and Internet usage for all employees. Family Practice Associates of Lexington has a strict policy - and they stick to it.

“There are hardly any exceptions to be made when an employee doesn’t follow our requirements with regards to security, and they expose us to that sort of a potential threat,” says Miller. “It’s a very difficult situation, and we have dismissed employees both for inappropriate use of the Internet as well as for inappropriately accessing medical records.”

Robert Anthony, a former associate editor for Physicians Practice, has written for the healthcare and practice management industries for six years. His work has appeared in Physicians Practice, edge, Humana’s Your Practice, and Publisher’s Weekly. He is based in Baltimore, Md., and can be reached via editor@physicianspractice.com.

This article originally appeared in the April 2008 issue of Physicians Practice.