Why Your Patients' Data May Not Be Safe: 5 Steps to Protect It: Five Steps to Prevent Privacy Breaches

1. Develop a strict-but-realistic security policy

Your practice should take basic security measures, if it hasn't already done so. Antivirus, antispam, intrusion detection, and firewall software should be installed, Patel says. Because a hacker online or a thief in your office is more apt to seek patients' financial information than health data, do not use Social Security numbers as unique patient identifiers, she cautions.

Once you have an EHR, you'll need to anticipate common but potentially insecure scenarios and devise a policy for how to respond to them. Todd Chambers, Chief Marketing Officer at Courion Corp., a Westborough, Massachusetts-based identity and access management provider, cites a few issues to address:

  • Which staffers can access the EHR?
  • Will passwords be used? How strong will they be? How often will they be changed?
  • How will confidential data be shared with others?
  • Should encryption be used?
  • Is it permissible for mobile devices such as laptops, PDAs, or smartphones to be used to transport patient data? Under what circumstances? With what protections in place?

The policy needs to balance security concerns with the need for doctors and staff to do their work. Johnson believes the many security breaches experienced by health insurers, hospitals, and physician practices occur less because security controls aren't in place and more because doctors and staff find the ones in place overly onerous to follow, so they don't.

"When security interferes with productivity, everyone starts using workarounds," Johnson says. "Why remember a complicated password to log into the EHR when you can simply dump data into an insecure Excel spreadsheet?"

An EHR vendor, practice management consultant, privacy expert, or healthcare attorney can help a physician practice design a policy that balances security and staff needs and meets HIPAA and HITECH standards, as well as train doctors and staff to adhere to the new rules. In addition, federally funded regional extension centers will help EHR users achieve meaningful-use targets, including security targets, at no charge. These centers can be found by going to: http://healthit.hhs.gov/portal/server.pt?open=512&objID=1495&mode=2

2. Control access to patient data

Staffers do not all need equal access to your entire EHR. Chambers recommends adopting a policy of "access assurance," that is, "assuring that only the right people have access to the right data and that the data are used appropriately." This is based on the principle of "least-privileged access" or "giving a staffer the least amount of access needed to do his or her job. A receptionist, for example, should not have access to confidential patient information."

To this end, EHRs typically offer an option to control who can access what information, based on title, job description, name, or some other identifier. This is called "role-based access." "A front-office staffer has no need to view a doctor's progress notes, because that role only requires the use of such practice management tools as scheduling," says Patel. "An EHR lets you block access to certain types of patient data based on an individual's ID. You can designate that without the proper ID, diagnoses, test results, and other confidential data cannot be accessed."

The risk for unauthorized access can be further reduced by requiring doctors and staff with EHR privileges to log out each time they leave their computers, says Patel. EHR access can also be automated: after a certain period of inactivity that you designate -- say, 10 minutes -- access is terminated. An individual then needs to reenter his or her credentials and password to regain access.
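The two controls in this step, role-based access and automatic logout after inactivity, can be sketched as follows. This is an added example, not code from the article or from any EHR product; the role names, data-type names, and the `Session` class are hypothetical, and the 10-minute limit is the article's own example value.

```python
from datetime import datetime, timedelta

# Hypothetical role map: deny by default, each role lists only what it needs.
ROLE_PERMISSIONS = {
    "front_office": {"scheduling"},
    "physician": {"scheduling", "progress_notes", "diagnoses", "test_results"},
}
IDLE_LIMIT = timedelta(minutes=10)  # the article's example inactivity period


class Session:
    """One logged-in user; every access is checked for role and idle time."""

    def __init__(self, user_id, role, now):
        self.user_id = user_id
        self.role = role
        self.last_activity = now
        self.active = True

    def access(self, data_type, now):
        """Return 'allowed', 'denied' or 'reauth_required' for one request."""
        if not self.active or now - self.last_activity > IDLE_LIMIT:
            self.active = False  # terminated until credentials are re-entered
            return "reauth_required"
        self.last_activity = now
        # Unknown roles get an empty permission set, so they are denied.
        if data_type in ROLE_PERMISSIONS.get(self.role, set()):
            return "allowed"
        return "denied"

    def reauthenticate(self, credentials_ok, now):
        """Restore access only after a successful credential check."""
        if credentials_ok:
            self.active = True
            self.last_activity = now
        return self.active


def demo():
    t0 = datetime(2024, 1, 8, 9, 0)  # constructed timestamps
    s = Session("recept01", "front_office", t0)
    results = [
        s.access("scheduling", t0 + timedelta(minutes=1)),
        s.access("progress_notes", t0 + timedelta(minutes=2)),
        s.access("scheduling", t0 + timedelta(minutes=13)),  # 11 minutes idle
    ]
    s.reauthenticate(True, t0 + timedelta(minutes=14))
    results.append(s.access("scheduling", t0 + timedelta(minutes=15)))
    return results
```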

3. Monitor EHR activity

Choose an EHR that records all system activity on a user-by-user basis. This "audit trail" feature is equipped with "detective controls" and "forensic capabilities." Detective controls can be set to alert you when the EHR is accessed under certain circumstances that you designate, says Chambers. For example, if someone logs in at an unusual hour, say 2 AM, you receive an alert. An audit trail's forensic capabilities help you determine who did the accessing and why.

"Audit trails let you see everything," says Patel, "which user ID was used to access patient information, which records were accessed, whether a file was changed in any way, the date and time it was done, the IP [Internet Protocol] address from which it was done, all the information connected with accessing that patient record is recorded. It can be a little unnerving."

Unnerving, perhaps, but periodically monitoring EHR use for suspicious activity goes with the territory. "We recommend that audit trails be checked at least twice a year," says Patel. "But the more often they are checked, the better."
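A periodic audit-trail review of the kind described in this step can be partly automated. The following is an added example, not part of the original article or of any EHR product: the CSV layout, user IDs, office hours, and office network prefix are all assumptions, and the log lines are constructed sample data.

```python
import csv
import io
from datetime import datetime

# Constructed sample audit trail: user ID, role, timestamp, IP, record, action.
SAMPLE_AUDIT = """user_id,role,timestamp,ip,record_type,action
drlee,physician,2024-01-08T10:15:00,10.0.0.21,progress_notes,view
recept01,front_office,2024-01-08T11:02:00,10.0.0.30,scheduling,modify
recept01,front_office,2024-01-08T11:05:00,10.0.0.30,test_results,view
nurse02,nurse,2024-01-09T02:04:00,203.0.113.7,diagnoses,view
drlee,physician,2024-01-09T14:30:00,10.0.0.21,diagnoses,modify
"""

BUSINESS_HOURS = range(7, 19)   # assumed office hours, 07:00 to 18:59
OFFICE_IP_PREFIX = "10.0.0."    # assumed office network
CLINICAL = {"progress_notes", "diagnoses", "test_results"}


def review(audit_csv):
    """Return (user_id, timestamp, reason) for each entry worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        when = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off-hours access")
        if not row["ip"].startswith(OFFICE_IP_PREFIX):
            reasons.append("unfamiliar IP address")
        if row["role"] == "front_office" and row["record_type"] in CLINICAL:
            reasons.append("front-office access to clinical data")
        if row["action"] == "modify" and row["record_type"] in CLINICAL:
            reasons.append("clinical record changed")
        for reason in reasons:
            findings.append((row["user_id"], row["timestamp"], reason))
    return findings


if __name__ == "__main__":
    for user, ts, reason in review(SAMPLE_AUDIT):
        print(f"{ts}  {user:<10} {reason}")
```

Each finding is a prompt for a person to look at the entry, not proof of wrongdoing; a physician changing a diagnosis is usually legitimate.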

4. Require more complex passwords

In an EHR world, password protection is a key line of defense. "You need a password policy," says Chambers. "You don't want people who have unlimited access to your EHR using, for example, their children's names as passwords. That would be very easy for others to guess."

Each doctor and staff member should have a unique password for EHR log-in. The number of characters, whether passwords should include numbers as well as letters, and whether recognizable words are acceptable, as opposed to randomly generated strings of characters, are up to you to decide. Chambers thinks an 8-character password containing letters and numbers that isn't a recognizable word is probably secure enough and shouldn't interfere with staff productivity.

Doctors and staff should be instructed not to share passwords. As a further precaution, passwords should be changed on a regular basis. Chambers recommends every 3 months. "This way, if a password is breached, it will only be for a minimal amount of time before it gets reset," he says. Passwords should be kept in a secure place, not jotted on a sticky note and stuck on a monitor, under a keyboard, or in an unlocked desk drawer.

Former employees should be a concern, too. In a 2009 survey of 945 adults who were laid off, fired, or changed jobs in the previous 12 months, 61% of the respondents said they took paper documents or hard files immediately after leaving their firms, 53% downloaded information onto a CD or DVD, and 42% downloaded information onto a USB memory stick.

EHR access for former employees should be terminated immediately by cancelling passwords and other log-in credentials, says Patel. Audit trails of their EHR activity should be reviewed for improprieties. Moreover, she says, when someone leaves the practice, the passwords of all remaining doctors and staff should be changed as standard procedure to ensure that shared passwords or those that may have been stolen from former colleagues can no longer be used.

5. Encrypt all outgoing files

Laptops, tablet personal computers, PDAs, flash drives, smartphones, iPads™, Kindles™, and DVDs make it easy to transport thousands of digitized patient records off-site. These devices, however, are easily lost or stolen. A 2008 survey by Dallas-based Credant Technologies, which specializes in mobile data protection, found that almost 31,544 mobile phones were left in New York Yellow Cabs in the previous 6 months alone. According to Credant calculations, a mobile phone could potentially hold 10,000 text documents, 11,000 pictures, 500,000 contact details, or 1.1 million emails.

To keep patient data from falling into the wrong hands, all mobile devices permitted in your practice should, at minimum, be password protected, says Patel. In addition, all confidential files copied onto a mobile device should be encrypted. EHRs often have encryption capability. Third-party software that is readily available online can do the job as well. The process renders readable data unreadable until a password you designate is entered and readability is restored.

Emails containing confidential information should be encrypted, too. Last August, a study by Lexington, Massachusetts-based Ipswitch File Transfer, a managed file transfer solutions firm, found that 69% of the respondents (Internet technology professionals, who you'd think would know better) admitted that they sent classified information -- payroll, customer, and financial data -- via unsecure email at least once a month; 34% admitted to doing it on a daily basis. "Regardless of the motive," says Hugh Garber, Senior Product Manager at Ipswitch, "sending confidential files through unsecure email is putting your organization at risk for a breach."

Encrypting confidential information before it leaves your practice not only protects patient data, it also protects you. "If you have an unauthorized disclosure of a confidential document that has been encrypted," says Yaffe, "that is not considered a breach under HIPAA rules."

All this is admittedly more complicated than security for paper charts. Once you go electronic, however, you're expected to know the risks and take steps to address them. When the confidential health records of Maria Shriver, Britney Spears, and George Clooney are breached -- by a surgeon, no less -- as happened in 2008, it would be hubris to think that once your patient data are digitized and vulnerable, the same thing couldn't occur in your practice.
