Wed, 06/14/2023 - 15:43

As medical practices become increasingly dependent on digital systems, protecting the data they generate becomes an increasingly relevant issue. While data protection is important in any industry, it is particularly critical in health care because in addition to the usual financial records, trade secrets, and other valuable data, confidential patient information is also at risk.

You may think that your computer vendor is responsible for safeguarding your data, but third parties can only do so much. And if your data is compromised, the ultimate responsibility is yours – not to mention the financial loss, and the damage to your practice’s reputation.

Dr. Joseph S. Eastern, a dermatologist in Belleville, N.J.

In addition to the security vulnerabilities inherent in any system, there are external vulnerabilities, such as weak passwords, viruses, and hacking (either externally or internally). And as hardware becomes more and more portable, there is the increasing risk of theft of platforms and storage media containing confidential data.

A close and ongoing relationship with your hardware and software vendors is essential to good data protection. Your office should have a permanent contact at each company, and you should talk to them regularly. Ask them what sort of firewalls, antivirus software, and other safeguards are in place to protect your system. Whenever they identify a bug or other vulnerability, you should know about it. They should tell you about each software update, what improvements it makes, and what defects it fixes. You should also know about any changes to your data encryption.

Encryption has become an essential component of data protection. It is especially important if you use portable devices such as laptops, tablets, or smartphones to store and transport patient information. HIPAA's breach notification rule treats properly encrypted data as "secured," so if you lose one of these devices, or a thumb drive or other storage medium, the loss will generally not count as a reportable breach, provided the data on it was encrypted and the decryption key or passcode was not lost along with it.

Encryption isn't perfect, of course. Log-in credentials can be stolen, and data stored in house can still be exposed through malware or phishing, especially if the decryption key sits on the same server as the data, where anyone who compromises the server gets both. Keep keys separate from what they protect, and make sure that employees are not putting any medical data on their own private (unencrypted) devices.

Each employee should have his or her own account and password, and sharing should be strictly prohibited: a shared login makes it impossible to tell from the logs who actually looked at a record. Multifactor authentication is becoming increasingly common and adds a second check, such as a code from a phone app, so that a stolen password alone is not enough to get in.

Your vendor should let you enforce a password policy; if it doesn't, establish one yourself. All passwords should be long and strong (no birthdays, pet names, etc.), unique to each system, and neither reused nor lightly modified from old ones. Note that current NIST guidance (SP 800-63B) no longer favors changing passwords on a fixed schedule; what matters more is changing them immediately when a compromise is suspected and screening new passwords against lists of known-breached ones.

In some offices, I’ve been surprised to see that every employee has unrestricted access to all practice data. The vulnerabilities of such an arrangement are obvious. There is no reason why receptionists, for example, should have access to medical histories, and insurance people don’t need to know what medications a patient is on. Your vendor can help you design partitions that restrict each employee to only the information they need access to.
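The partitioning described above is role-based access control with deny-by-default: each role is granted only the record categories its job requires, and everything else is refused and logged. The following is an added example, not code from the article or from any EHR vendor. The roles, the data categories, the user names, and the sample record are all hypothetical; a real practice maps them onto the permission model its own EHR provides.

```python
"""Added example (not the article's or any vendor's code): a deny-by-default
role-based access check with an audit trail. Roles, data categories, user
names and the sample record are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Data categories a patient record is split into (assumed for the example).
DEMOGRAPHICS = "demographics"        # name, date of birth, contact details
SCHEDULING = "scheduling"            # appointment times
INSURANCE = "insurance"              # payer, policy number
MEDICAL_HISTORY = "medical_history"  # diagnoses, procedures
MEDICATIONS = "medications"          # current prescriptions

# Each role lists only the categories it needs for its job. Anything not
# listed is denied, so a newly added category stays invisible until
# someone deliberately grants it.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({DEMOGRAPHICS, SCHEDULING}),
    "billing": frozenset({DEMOGRAPHICS, INSURANCE}),
    "clinician": frozenset({DEMOGRAPHICS, MEDICAL_HISTORY, MEDICATIONS}),
}


@dataclass
class AccessControl:
    """Answers 'may this user, acting in this role, see this category?'
    and records every decision, allowed or denied, for later review."""
    audit_log: List[dict] = field(default_factory=list)

    def is_allowed(self, user: str, role: str, category: str) -> bool:
        allowed = category in ROLE_PERMISSIONS.get(role, frozenset())
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,  # an individual account, never a shared login
            "role": role,
            "category": category,
            "allowed": allowed,
        })
        return allowed

    def view(self, user: str, role: str, record: Dict[str, str]) -> Dict[str, str]:
        """Return only the parts of a record the caller is permitted to see."""
        return {cat: val for cat, val in record.items()
                if self.is_allowed(user, role, cat)}

    def denied_attempts(self, user: str) -> int:
        """Refused lookups by one user; a sudden spike is worth a look."""
        return sum(1 for e in self.audit_log
                   if e["user"] == user and not e["allowed"])


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    DEMOGRAPHICS: "Jane Doe, DOB 1980-01-01",
    SCHEDULING: "2023-06-20 09:30",
    INSURANCE: "ExamplePayer, policy 00000",
    MEDICAL_HISTORY: "psoriasis, dx 2019",
    MEDICATIONS: "methotrexate 15 mg weekly",
}


def demo() -> Dict[str, Dict[str, str]]:
    """Show what each role sees of the same record."""
    ac = AccessControl()
    return {
        "receptionist": ac.view("r.smith", "receptionist", SAMPLE_RECORD),
        "billing": ac.view("b.jones", "billing", SAMPLE_RECORD),
        "clinician": ac.view("dr.lee", "clinician", SAMPLE_RECORD),
        "contractor": ac.view("temp01", "contractor", SAMPLE_RECORD),  # unknown role
    }


if __name__ == "__main__":
    for role, visible in demo().items():
        print(f"{role:>12}: {sorted(visible)}")
```

The unknown "contractor" role sees nothing at all, which is the behavior you want from a system that has not been told otherwise, and every refusal lands in the audit log under the individual account that made it, which is why shared logins defeat the purpose.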

Ask if your vendor provides security training for employees. If not, look into hiring a security firm to do it. Regular security training can help employees to recognize data security attacks like phishing, and instills a heightened sense of security awareness and vigilance among staff. They will also gain a better understanding of the role they play in maintaining the overall security of your office.

It goes without saying that third parties, such as business vendors, payers, and managed care providers, should never have open access to patient records or other personal health information. Where a disclosure is legitimately needed, for a claim, for example, limit it to the minimum necessary for that purpose, and make sure any outside company that handles patient data on your behalf has signed a business associate agreement.

Backing up data

I have written many times about the importance of regularly backing up your data. Industry statistics show that fully 10% of hard drives fail in any given year, and 43% of computer users lose one or more files every year in the form of clinical data, financial records, photos, email, documents, and other important information. Recovery of lost data, when it’s possible at all, can be very expensive.

Even if your EHR vendor backs up your data, you should consider making a separate backup of your own. Backup drives have been known to fail too; and if you decide to switch computer vendors, you don’t want to be at the mercy of the old company that might be reluctant to transfer your data without a hefty payment.

The first rule of backing up is to store your backup drives in a different location from your computers. Unfortunately, that’s a pain; and external drives can be lost or stolen, creating a HIPAA nightmare. So an increasingly popular alternative is automatic remote backup. Several companies offer that service, and the cost is very reasonable for individual computers. Backing up an entire office costs more, depending on how many computers and/or servers you have, but it’s still very reasonable and includes other services, such as operating system and network share support.

The procedure is simple: You create an account and tell the service which files you want copied. Your first backup can take a long time, often days, depending on how much data you are sending and how fast your Internet connection runs. After that the program runs in the background, copying only those files that have changed since the previous backup. Files are encrypted before leaving your computer, and they remain encrypted at the service's data center. Two caveats: the data is only truly accessible to you alone if you, not the service, hold the decryption key, so ask who can decrypt; and under HIPAA a service that stores your patient data is a business associate even if it cannot read it, so encryption by itself does not make the arrangement compliant and you still need a signed business associate agreement with the provider.
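The incremental step described above, copying only what has changed since the last run, is usually done by keeping a manifest of file digests from the previous backup and comparing it against the current state. The following is an added example, not code from the article or from any backup service. It also illustrates the earlier point about keeping keys apart from the data they protect: the stored manifest is sealed with an HMAC whose key lives somewhere other than the backup set, so a manifest that has been altered to hide a change is rejected. The directory layout, file names and contents are constructed for the example, and the HMAC key is generated on the spot rather than read from a separate device as it would be in practice.

```python
"""Added example (not from the article or any backup vendor): content-hash
based change detection for an incremental backup, with the previous run's
manifest sealed by an HMAC whose key is kept apart from the backup set.
Directory layout, file names and contents are constructed for the example."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root ('/'-separated relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def changed_files(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Files to send this run: new, or with contents differing from the last manifest.
    Comparing digests rather than timestamps catches edits that keep the mtime."""
    return sorted(path for path, digest in current.items()
                  if previous.get(path) != digest)


def deleted_files(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Files present last run but gone now; the service needs to be told,
    or the remote copy keeps stale data forever."""
    return sorted(set(previous) - set(current))


def seal_manifest(manifest: Dict[str, str], key: bytes) -> bytes:
    """Serialize the manifest with an HMAC so a tampered copy is rejected."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def open_manifest(sealed: bytes, key: bytes) -> Dict[str, str]:
    """Verify the HMAC before trusting a stored manifest."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest rejected: wrong key or contents altered")
    return doc["manifest"]


def demo() -> dict:
    """A full first run, one edit, an incremental run, then a tampering attempt."""
    key = os.urandom(32)  # in practice stored away from the backup set itself
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        (root / "notes" / "visit1.txt").write_text("constructed sample: follow-up in 2 weeks\n")
        (root / "billing.csv").write_text("constructed sample,claim,123\n")

        first = build_manifest(root)
        full_upload = changed_files({}, first)  # no previous run: send everything
        sealed = seal_manifest(first, key)

        (root / "billing.csv").write_text("constructed sample,claim,124\n")  # one edit
        second = build_manifest(root)
        incremental_upload = changed_files(open_manifest(sealed, key), second)

        # Someone alters the stored manifest so the edit looks already backed up.
        forged = json.loads(sealed)
        forged["manifest"]["billing.csv"] = second["billing.csv"]
        try:
            open_manifest(json.dumps(forged).encode(), key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

    return {
        "full_upload": full_upload,
        "incremental_upload": incremental_upload,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The first run sends every file; after a single edit only that file is queued again, and the forged manifest is refused because its HMAC no longer matches. Encrypting the files themselves before upload is a separate step that this example leaves to the backup client.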

Dr. Eastern practices dermatology and dermatologic surgery in Belleville, N.J. He is the author of numerous articles and textbook chapters, and is a longtime monthly columnist for Dermatology News. Write to him at dermnews@mdedge.com.
