To keep patient information safe, experts recommend using cutting-edge hardware and software, personalizing the challenge for employees and reminding them of data-hygiene basics. An information technology partner that will manage your on-site systems and perform updates on a regular basis is as important as your insurance provider is to your practice.
Experts agree that protecting patient data should be every employee's job. When securing protected health information (PHI), says Scott Schober, "One of the most effective things that people overlook is that the weakest link is often people. People are part of the problem, and part of the solution." Schober is CEO of Berkeley Varitronics Systems.
"Your first line of defense is your employees," adds Jennifer Searfoss, Esq. She is chief solutions strategist for healthcare consulting firm SCG Health.
To shore up your people and policies, consider these operational and technical tips:
Make it personal. At a recent training session, Ms. Searfoss showed her employees compromising pictures of nursing-home patients that had been posted online by their caregivers.1 "I had all the employees bring in pictures of their grandparents and place them next to these pictures." Once the employees realized how they'd feel if their grandparents had been thusly betrayed, "They understood their role – protecting our patients."
Never give your own personal information unless absolutely necessary. Medical practices do not need patients' Social Security numbers to provide care, says Mr. Schober, and they can't deny care to people who won't provide them. "What happens when you write that down? That paper is photocopied; one copy is placed in a folder, the other goes into a file cabinet. A staffer takes that information home and enters it from a remote computer attached to the practice's server. Your Social Security number is everywhere."
Get hip to the Health Insurance Portability and Accountability Act (HIPAA). Jules Lipoff, M.D., says, "Doctors don't necessarily understand what is considered identifiable. HIPAA specifies 18 points of information, from name, date of birth and appointment dates to any unique features by which a reasonable person could identify someone."
Pick HIPAA-compliant apps and software. "Telemedicine is a great way to expand access to care," says Dr. Lipoff, "but Skype is not secure enough for patient encounters, as far as HIPAA is concerned." Secure communication systems usually store data not on portable devices, but in a cloud location that requires authentication for access, he says.
Use long, strong passwords. This means at least 12 characters, including uppercase, lowercase, numbers and symbols, says Mr. Schober. Additionally, "Don't write your password down and post a sticky note on your computer or under your desk."
Use multi-factor authentication. "At the login point," says Mr. Schober, "enter your username, your long and strong password, and then there's a third step – your authentication source sends a one-time short numeric code to your mobile device." If the user fails to enter that code within the allotted time, the authenticator erases it. This capability is available on most popular e-mail and social media platforms, he says. "However, many people don't use this because they're lazy, they don't know it's available or they don't have the time," which he says is perhaps 20 well-spent seconds. He also recommends minimizing the number of people and devices that can remotely access your network.
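The two steps Mr. Schober describes at the login point (a long, strong password, then a short numeric code that is only valid for a limited time) can be seen end to end in the following example. This is an added illustration, not code from the article or from any product its sources use: the policy check enforces the 12-character, four-class rule quoted above, and the one-time code is the standard RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second time counter), which is what most authenticator apps implement; the article does not say which algorithm Mr. Schober's authenticator uses. The secret is the RFC 6238 published test key, and the sample passwords are constructed.

```python
import base64
import hashlib
import hmac
import re
import struct

# RFC 6238 test secret ("12345678901234567890" in base32); not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds each code stays valid
DIGITS = 6       # length of the numeric code sent to the device


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Step one: at least 12 characters with upper, lower, digits and symbols."""
    if len(password) < min_length:
        return False
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return all(re.search(pattern, password) for pattern in classes)


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of time steps since the epoch."""
    return hotp(secret_b32, int(at_time // step))


def verify_totp(secret_b32: str, submitted: str, at_time: float,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Step two: accept the code only for the current step (plus a small drift window).

    A code from an older time step is rejected, which is the 'erased after the
    allotted time' behaviour the article describes. compare_digest avoids leaking
    timing information about how many digits matched.
    """
    counter = int(at_time // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + drift), submitted):
            return True
    return False


def login(password: str, code: str, at_time: float,
          secret_b32: str = DEMO_SECRET_B32) -> bool:
    """Both factors must pass; a strong password alone is not enough."""
    return password_meets_policy(password) and verify_totp(secret_b32, code, at_time)


if __name__ == "__main__":
    now = 59.0  # RFC 6238 test time; the code for this step is 287082
    print("code for this step:", totp(DEMO_SECRET_B32, now))
    print("fresh code accepted:", login("Correct-Horse-7!", totp(DEMO_SECRET_B32, now), now))
    print("stale code rejected:", login("Correct-Horse-7!", hotp(DEMO_SECRET_B32, 5), now))
    print("weak password rejected:", login("shortpass1!", totp(DEMO_SECRET_B32, now), now))
```

Running it shows the property the quote is driving at: the same six digits that log the user in at one moment are refused a minute later, so a code copied from a sticky note or intercepted message has no lasting value, and a password that fails the length or character-class rule never reaches the second factor at all.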
Keep your IT ship-shape. Any business that accepts credit cards must have a valued IT partner who regularly inspects systems on-site and performs updates as needed, says Ms. Searfoss. "Many of the practices I work with, that's one of the areas they've cut," often for financial reasons. She likens this to practicing without insurance. "If you don't have those people, you have no one else to call" when trouble strikes.
Practice proper PHI hygiene. Some employees forget the basics, says Mr. Schober. For example, never click attachments or links from unknown sources, no matter how legitimate they look. You may be downloading malware or ransomware, which quickly encrypts all your data and demands payment to decrypt it. To thwart ransomware, Mr. Schober suggests using "whitelist" software, which lets users greenlight normal data sources and patterns (versus blocking everything that may look suspicious, which can cripple the network).
Layer up. "You can also use hardware and software to minimize the amount of spam that enters through your servers," Mr. Schober says. "We use (special) hardware which stops a lot of the spam. Then we have a second layer, a high-speed field-programmable gate array (FPGA) black box (between his server and firewall) to stop any threats that get past the first layer." This hardware can cost $5,000 to $10,000, he says, or $300 to $400 monthly if leased. "Then we have our junk-filter software. It takes multiple layers to minimize the junk, spam and malware that come into your computer."
Use secure portable storage devices – or none at all. Ms. Searfoss says, "We try to minimize the use of thumb drives and external drives." These devices usually cannot be remotely wiped, she says, but current technologies including encryption can render them useless in the wrong hands. Mr. Schober adds that hackers often load malware onto a USB drive, slap on a target company's logo and/or a tempting title such as "Payroll," and drop it in a parking lot, hoping someone will use it. To transfer sensitive data between computing platforms, "I use a secure USB stick," which costs about $70, including an access code and government-level 256-bit encryption.
Back up your data regularly. Most enterprises don't do this often enough, says Mr. Schober. "Just as you might wash your car every two weeks, back up your data every two weeks. Get something on your calendar." He also recommends disconnecting this gear from your computer when you're not backing up data because any infection can easily spread from the PC into the backup files.
Go above and beyond. Dr. Lipoff says, "Most problems can be avoided by being smart and respectful of patients' privacy. Use a standard above what is necessary. Certain non-identifiable information can be shared on public or unsecured systems. But by using a higher standard, we won't make mistakes. We must always put patient privacy first. If we lose the patient's trust in doctor-patient confidentiality, that can erode trust in the medical profession as a whole."
Dr. Lipoff reports no relevant financial interests.
Mr. Schober is the author of Hacked Again.
Ms. Searfoss is chief solutions strategist for SCG Health.
1. Charles Ornstein. Nursing home workers share explicit photos of residents on Snapchat. https://www.propublica.org/article/nursing-home-workers-share-explicit-photos-of-residents-on-snapchat. December 21, 2015. Accessed November 11, 2016.