Technology Risk Checklist for Your Practice
Archive Select Blog - Originally Published December 21, 2017
Keeping your data safe can seem like a never-ending challenge. New breaches of health data seem to be announced almost daily, and organizations of all sizes — including the government — have fallen victim to data scams.
But there is good news on the data security front, too. The migration of many systems to the cloud means that much responsibility for security is now handled by true experts who focus on that task — rather than practice owners and managers who are overseeing a lot of other important priorities.
There are also a number of quick, easily implemented tactics for reducing many of the most common risks of data loss. Here are a few for your practice to consider:
1. Is your hardware physically secure?
Managers and practitioners often worry about hacking, ransomware and other software attacks for good reason. At the same time though, the physical loss of computers and devices containing private health and financial information is still a common way data is lost or stolen. Phones and tablets are easily lost or stolen and should have a “remote wipe” capability if they are used to access your OPIE System. Make sure laptops and desktop computers in the office are secured to a fixture, such as with a cable and lock system, which will at least slow down a would-be thief. If you have an on-site server for your practice management system, consider securing it within a locked room. Make sure anyone who takes a device containing valuable data offsite understands how important it is to keep the device itself secure (i.e., no leaving it in the car!).
Be sure to protect data against non-theft losses, too. Floods, fires, and other disasters can destroy computers and wipe out data. Simple measures like avoiding placing servers on the floor and setting up remote back-ups can help – but the physical risks to data are a good reason to consider a move to a cloud-based version of your OPIE system.
2. Are practitioners and staff trained to avoid phishing?
Have you noticed that some of the most newsworthy data breaches in the past year or two have involved phishing? For hackers, the strategy of luring users to give up their credentials willingly is straightforward and irresistible. It’s up to you and your team to thwart them.
Make sure all of your employees know never to download any files or click on any links from users they don’t know. None of your employees should be accessing personal email accounts or social media from their work computers. And even when a request to change a password or update other information seems legit, the only safe way to do it is to log in to the website directly from a browser to change your password — never to click on a link in an email. Such requests are easy to forge, so a quarterly refresher training session is a good idea.
3. Backups for data and personnel
Most practices know by now that a backup of your OPIE data is essential. Make sure those backups are kept in a secure place, offsite, so that a physical threat to your original (like a fire or break-in) doesn’t also impact your backup.
Besides the redundancy of your data, make sure you also have a backup for the personnel who take care of it. Smaller practices often rely on a single person (e.g., an external IT consultant) to manage their entire tech set-up. But what happens if that person goes out of business? Make sure you’ve got a “plan b” in case your “expert” is no longer able to help you. Maintain physical documentation of your technology set-up, to allow a new technology manager to step in to quickly help you. And remember your internal controls — just as with your financial processes, you can reduce internal theft risk by avoiding giving a single individual complete control over your patient and billing data.
4. Keep software up to date
Conventional wisdom used to hold that it was smarter to delay upgrades to avoid the hassles of unreported bugs and the need to relearn how to use key features. But these days, updates (e.g., patches) are often necessitated by security issues, and putting them off for too long can dramatically increase your risk of a breach. Even major upgrades (such as to your operating systems) can be important for data safety, since older versions may no longer be supported or patched.
Name a tech liaison in your practice who will have responsibility for monitoring IT news from the vendors you work with, so that security-related updates to software and hardware are not missed. It’s okay to wait a few weeks before major upgrades, to confirm no debilitating bugs have been found. For small updates via patches, make sure staff know they should download and install them when they become available.
5. Use encryption where appropriate and unique logins/passwords
If you’re storing data on your own computers or a server in your office, encrypt those devices to minimize the possibility a thief can access the data on them. Remember, encryption is much more secure than the basic locked screen, which also means the data cannot be recovered without the password or recovery key — so store a written record of passwords in a safe place, in case retrieval is needed, such as if an employee leaves your practice and you need to regain access to their workstation.
Cloud-based systems reduce the need to encrypt devices, but you should still have an encrypted email option available for secure messaging. Keep in mind also that basic password hygiene means each person has a unique ID and login for any system they need to access. Insisting that staff use their own ID will allow you to check logs and track access to sensitive files in the event you are ever concerned that a data theft may have occurred.
Excerpted from Physician’s Practice