Sadly, some doctors still believe that so long as their systems have firewalls and password protection, they’re safe. Practices can create undue risk by maintaining poor standards around their day-to-day use.
HIMSS and the ONC have risk-assessment checklists that every practice should run through (in addition to investing in end-to-end security audits annually). But common-sense security checks are important too! By asking yourself and your team the following five questions, you can quickly get a sense of whether your technology – or the way you use it – is leaving you more vulnerable than you need to be.
Do your systems require complex passwords & regular password changes?
A 2016 report from Keeper Security found that more than 50% of people use the top 25 most common passwords, which include gems such as “111111” and “123456” and, of course, “password.”
Enterprise software solutions typically have stronger requirements than that – demanding upper-case letters, special characters, and so on – but you should review them to make sure (and require your employees to use different, complex passwords for every login). Especially if you use legacy non-cloud software or free tech tools like Google Docs or Dropbox, check how often password changes are required, or create bi-annual, mandatory “password change periods” of your own.
Are you monitoring who accesses what systems (and how)?
If you license any of your software solutions with per-user subscriptions, you may be tempted to let multiple folks sign in with a single email and password. Don’t do it!
Shared log-ins are a massive security risk. The more people know a given password, the easier it is for them to ignore password-change best practices (or give the login details to a nefarious party). In the event that data or PHI are misused under shared credentials, you’ll also have limited or no ability to know who is responsible.
How much are you downloading from your tech platforms?
Whether it’s billing details or EHR information, your data should be impossible to access outside a protected environment. In 2018, there’s no excuse for ever using thumb drives, CDs, or printed spreadsheets to handle PHI (or any other sensitive financial or practice data, for that matter).
Make sure your bring-your-own-device policies allow for access through password-protected apps only, and ensure your IT systems prevent administrative employees or doctors from circumventing policies to access or download sensitive information.
How are you backing up data (and how often)?
Unless you want to lose your data in the event of a natural disaster, power outage, or data breach, you should be backing it up regularly under well-defined protocols. The more frequently, the better.
One of those protocols, obviously, is encryption. Back-ups are meant to protect you from unforeseen events, but sending unencrypted (“straight”) data to an external hard drive puts you at a huge risk for a breach. Make sure your encrypted data is backed up offsite, in the cloud, by a provider with malware protection.
Are there audit control mechanisms in place?
To some degree, your tech should be self-regulating. If your solutions do not monitor, record, and examine information system activity and provide usage and access reports for review, it could take longer than necessary for you to spot unauthorized use or troubling security vulnerabilities.
Yet you can’t rely on in-system notifications alone. Make sure you have a security “czar” on your IT team who is capable of policing your control mechanisms, training staff on best practices, and consistently monitoring for suspicious activity. But make sure your czar doesn’t work in a vacuum: no single individual should ever have end-to-end control over your security; it only takes a single bad actor to disrupt your data, and your practice’s “secure” reputation, permanently.
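The shared-login problem above and the access-report review described in this section come together in a small check a practice’s IT team can run over its login records: an account that is used from several different devices or addresses within a few minutes is almost certainly being shared. The script below is an added illustration, not code from any vendor or from this article; the log format (timestamp, user, source IP, device, one login per line) and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from any real system):
# "timestamp user source_ip device", one login per line.
SAMPLE_LOG = """\
2018-05-01T08:02:11 frontdesk 10.0.0.12 Windows-PC
2018-05-01T08:03:40 frontdesk 10.0.0.57 iPad
2018-05-01T08:05:02 frontdesk 192.0.2.44 Android-phone
2018-05-01T08:10:00 dr.lee 10.0.0.21 Windows-PC
2018-05-01T12:30:15 dr.lee 10.0.0.21 Windows-PC
2018-05-01T09:15:00 billing 10.0.0.33 Windows-PC
2018-05-01T17:45:00 billing 10.0.0.34 Windows-PC
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Turn log text into (timestamp, user, ip, device) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts, user, ip, device = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, device))
    return events

def find_shared_logins(events, window=timedelta(minutes=15), min_sources=2):
    """Return {user: set of (ip, device)} for accounts that logged in from
    several distinct sources within `window`. One person moving between a
    workstation and a phone over the day (the 'billing' user) is not flagged;
    three sources inside a quarter hour (the 'frontdesk' user) is."""
    by_user = defaultdict(list)
    for ts, user, ip, device in events:
        by_user[user].append((ts, (ip, device)))
    flagged = {}
    for user, items in by_user.items():
        items.sort()  # the log itself need not be in time order
        for i, (ts, src) in enumerate(items):
            sources = {src}
            for later_ts, later_src in items[i + 1:]:
                if later_ts - ts > window:
                    break
                sources.add(later_src)
            if len(sources) >= min_sources:
                flagged[user] = flagged.get(user, set()) | sources
    return flagged
```

Run it on an export of real login records and review every flagged account with the staff involved; the goal is to replace the shared credential with individual accounts so that access reports name a person, not a desk.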
...and if you need help from a medical billing company...