How to Secure Patient Information in a Medical Practice
Security seems to be the last thing on a doctor's mind when opening and running a practice, yet security goes hand in hand with liability and the HIPAA rules. Failure to comply with HIPAA can result in the following:
– HIPAA provides for both civil and criminal penalties, including fines and possible imprisonment.
– Civil penalties: fines of up to $100 for each violation, capped at $25,000 per year for violations of the same requirement (these are the original HIPAA amounts; the HITECH Act of 2009 raised them substantially).
– Criminal sanctions for knowingly obtaining or disclosing protected health information range from a fine of up to $50,000 and up to one year in prison, to a fine of up to $250,000 and up to ten years in prison when the information is obtained with intent to sell it or use it for commercial advantage or malicious harm.
That said, relatively few fines have actually been imposed. The liability equation changes drastically depending on the types of patients you treat: there have been many lawsuits in which staff leaked information about celebrity patients to the media.
Securing your office involves two main areas: paper records and electronic data. Paper records need to be kept in locking storage rooms and/or locking filing cabinets, and every piece of paper containing patient information needs to be shredded before it is thrown out. Unfortunately, most practices I audit do not shred their trash, which is exactly where photocopies of patient IDs, credit cards and medical information end up whenever the printer, fax or copier misfeeds. This is still the biggest threat and the easiest to fix: buy a paper shredder.
EMR (electronic medical record) systems are great for office efficiency but are more complex to secure.
The following is a basic outline to secure your medical practice and reduce your exposure to possible liabilities:
1. Determine all points of entry into your network (DSL, VPN, dial-up modems).
2. Make sure every entry-point device has a password and is not still set to the factory default.
3. Make sure a firewall is installed between your network and the Internet, and that its administrative password is not the factory default either.
4. Make sure all wireless access points have strong encryption enabled (WPA2; WEP is broken and should be treated as no encryption at all).
5. Make sure all computers have password-protected screen savers. Also make sure the password is not taped to the screen! This is still the most common breach.
Technical Guidelines (performed by a security expert)
1. Run a network scan to determine how many computers and network devices are attached to the network. Remove all non-approved devices.
2. Run a port scan on every network-attached device to determine which services it exposes, and close all non-required ports.
3. Run a port scan against the firewall from outside the office to identify any ports exposed to the Internet. Close all non-required ports.
4. Review the firewall logs for intrusion attempts and report any suspicious activity.
5. Review the workflow and how staff handle patient records. Make recommendations.
6. Require staff to change passwords monthly, and don't allow them to tape passwords to the monitor. (Be aware that forced monthly rotation is what produces taped-up passwords in the first place; a long, unique password that is changed whenever compromise is suspected holds up better, which is the position NIST SP 800-63B has since taken.)
7. Standardize the desktops. A typical audit turns up computers running Windows 95, Windows 98, NT, XP and Vista. Migrate all computers to one standard, currently supported operating system (at the time of writing, Windows XP or Vista).
8. Remove all non-work-related software. Music and file-sharing software pose risks.
9. Check for remote desktop access software that users install to bypass the firewall and reach their desktop from home (LogMeIn.com, GoToMyPC.com, VNC). Hosted services such as LogMeIn and GoToMyPC connect outbound to the vendor, so inbound firewall rules never block them; VNC needs an inbound port, so also check the firewall for port-forwards nobody remembers adding.
10. Make sure every computer has virus protection that is up to date.
11. Make sure every computer has a host firewall running.
12. Turn on the screen saver with password protection to protect against the cleaning staff.
13. Make sure all patient information that goes in the trash is shredded first.
14. Create procedures to properly secure patient records. (Don't leave a patient folder in an exam room. If you view patient records on a computer in the exam room, lock the screen when you step out. Don't leave patient files on the back seat of your car.)
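Items 1 to 3 above come down to reconciling what a scanner finds against what the practice believes is on its network. The following is an added example and is not part of the original article: it parses nmap's grepable output (produced with `nmap -sS -oG scan.gnmap 192.168.1.0/24`) and flags hosts that are not in an approved inventory, as well as approved hosts listening on ports their role does not require. The inventory, the role names and their port lists, and the scan output itself are all constructed for the example.

```python
"""Reconcile an nmap grepable-format scan (-oG) against an approved-device
inventory and a per-role list of required ports.

Added example, not from the original article.  The inventory, roles, port
lists and scan output below are constructed for illustration."""
import re

# Constructed inventory: what the practice says is on its network.
APPROVED = {
    "192.168.1.1":  "gateway",
    "192.168.1.10": "emr-server",
    "192.168.1.20": "workstation",
    "192.168.1.21": "workstation",
}

# Constructed per-role list of the only ports each role should listen on.
REQUIRED_PORTS = {
    "gateway":     {"443/tcp"},
    "emr-server":  {"443/tcp", "445/tcp"},
    "workstation": set(),   # workstations should not listen on anything
}

# Constructed nmap -oG output.  Fields are tab-separated; each port entry is
# port/state/proto/owner/service/rpc/version/.
SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 443/open/tcp//https///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 192.168.1.10 ()\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tPorts: 5900/open/tcp//vnc///\tIgnored State: closed (999)
Host: 192.168.1.21 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)
# Nmap done
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {ip: set of 'port/proto' strings in state open} for every host seen.

    A host that appears only on a 'Status: Up' line gets an empty set."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, set())
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto in PORT_RE.findall(field):
                    if state == "open":
                        hosts[ip].add(f"{port}/{proto}")
    return hosts


def audit(hosts, approved=APPROVED, required=REQUIRED_PORTS):
    """Return (unapproved_hosts, {ip: sorted list of non-required open ports})."""
    unapproved = sorted(ip for ip in hosts if ip not in approved)
    extra = {}
    for ip, ports in hosts.items():
        if ip in approved:
            over = ports - required[approved[ip]]
            if over:
                extra[ip] = sorted(over)
    return unapproved, extra


if __name__ == "__main__":
    found = parse_grepable(SCAN)
    unapproved, extra = audit(found)
    for ip in unapproved:
        print(f"REMOVE: {ip} is not in the approved inventory (open: {sorted(found[ip])})")
    for ip, ports in extra.items():
        print(f"CLOSE:  {ip} ({APPROVED[ip]}) has non-required ports {ports}")
```

Run the scan from a laptop on the office LAN for item 1 and 2, and again from outside the office against the firewall's public address for item 3; the same reconciliation applies, with the "gateway" role's required set being whatever the practice has deliberately published (often nothing but the VPN).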
Once your network is secure, your attention needs to turn to training and staff behavior. In just about every office I visit, the staff has downloaded music players, and often file-sharing applications used to find music on the Internet. What starts as a harmless attempt to have some music on a slow day turns into exposing the whole network to Trojans and viruses. The computer is compromised despite the latest anti-virus software and firewall because the user was tricked into downloading harmless-looking software and, in doing so, walked it past every safeguard. The first thing such programs typically do is disable the anti-virus product and Microsoft's software updates, leaving them free to propagate throughout the network.
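Item 4 of the technical guidelines (review the firewall logs) and the propagation scenario just described can both be checked mechanically rather than by eyeballing the log. The following is an added example, not from the original article: it triages firewall log lines for an external source sweeping many ports, for an internal host fanning out to many neighbours on the SMB ports (which is what a worm spreading through the office looks like from the firewall), and for inbound ACCEPTs on ports the practice never meant to expose. The iptables-style log format, the log lines, the thresholds and the allowed-port list are all constructed assumptions, and the example assumes the firewall logs traffic arriving on both its WAN and LAN interfaces.

```python
"""Firewall log triage.

Added example, not from the original article.  The log format is
iptables-style and the lines, thresholds and allowed-port list are
constructed assumptions to be adjusted for a real practice."""
import re
from collections import defaultdict

# One event per line: action, inbound interface, source, destination,
# protocol and destination port.  Constructed format, not a vendor's.
LINE_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d fw (?P<action>ACCEPT|DROP) IN=(?P<iface>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

ALLOWED_INBOUND = {"tcp/443"}   # assumption: only the HTTPS/VPN listener is public
SCAN_PORT_THRESHOLD = 10        # distinct ports from one external source
FANOUT_HOST_THRESHOLD = 5       # distinct SMB targets from one internal host
SMB_PORTS = {"139", "445"}


def build_sample_log():
    """Constructed log: one external port sweep, one legitimate HTTPS
    session, one forgotten RDP port-forward, one internal host sweeping six
    neighbours on 445, and one normal SMB session to the server."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 5900]):
        lines.append(f"Mar 03 02:14:{i:02d} fw DROP IN=wan SRC=203.0.113.9 "
                     f"DST=198.51.100.5 PROTO=TCP DPT={port}")
    lines.append("Mar 03 02:15:00 fw ACCEPT IN=wan SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP DPT=443")
    lines.append("Mar 03 02:15:01 fw ACCEPT IN=wan SRC=203.0.113.50 DST=198.51.100.5 PROTO=TCP DPT=3389")
    for i in range(6):
        lines.append(f"Mar 03 02:16:{i:02d} fw ACCEPT IN=lan SRC=192.168.1.20 "
                     f"DST=192.168.1.{30 + i} PROTO=TCP DPT=445")
    lines.append("Mar 03 02:17:00 fw ACCEPT IN=lan SRC=192.168.1.21 DST=192.168.1.10 PROTO=TCP DPT=445")
    return "\n".join(lines)


def parse(text):
    """Return one dict per line matching LINE_RE; non-matching lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def find_scans(events):
    """External sources that touched at least SCAN_PORT_THRESHOLD distinct ports."""
    ports = defaultdict(set)
    for e in events:
        if e["iface"] == "wan":
            ports[e["src"]].add(e["dpt"])
    return sorted(src for src, p in ports.items() if len(p) >= SCAN_PORT_THRESHOLD)


def find_smb_fanout(events):
    """Internal hosts that reached at least FANOUT_HOST_THRESHOLD distinct hosts on SMB ports."""
    targets = defaultdict(set)
    for e in events:
        if e["iface"] == "lan" and e["dpt"] in SMB_PORTS:
            targets[e["src"]].add(e["dst"])
    return sorted(src for src, t in targets.items() if len(t) >= FANOUT_HOST_THRESHOLD)


def find_unexpected_inbound(events):
    """(destination, proto/port) pairs accepted from the WAN but not in ALLOWED_INBOUND."""
    hits = set()
    for e in events:
        if e["iface"] == "wan" and e["action"] == "ACCEPT":
            key = f"{e['proto'].lower()}/{e['dpt']}"
            if key not in ALLOWED_INBOUND:
                hits.add((e["dst"], key))
    return sorted(hits)


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("port scans from:", find_scans(events))
    print("SMB fan-out from (possible worm):", find_smb_fanout(events))
    print("unexpected inbound ACCEPTs:", find_unexpected_inbound(events))
```

The SMB fan-out check is the one that matters for the scenario above: a workstation that suddenly talks to every other machine on port 445 is either an administrator running an inventory or a freshly infected box, and either way someone should walk over and look at it. Point the script at the real firewall's log export, adjust `LINE_RE` to that vendor's format, and run it on the monthly audit.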
Security is not a one-time event; it needs to be built into every process. I do a complete audit when I start a project and close all discovered vulnerabilities. Clients like a monthly or random security scan to discover whether the new policies are being followed. You can always contact us and we will be happy to give you a free consultation and/or point you in the right direction!