Small or large, medical practices must take extraordinary measures to protect the confidentiality of patients. In a landscape defined by greater mobile access to information and increasing legal requirements for health care providers, implementing measures to help protect patient health information is a necessity. Department of Health and Human Services data shows that since 2009, medical information for more than 120 million people has been compromised in more than 1,100 individual breaches at organizations handling protected health data. Those breaches are not only dangerous for patients, but costly to practices. A recent study by the Ponemon Institute found that health care breaches are the most expensive of any type, with the average cost in the U.S. of $398 per exposed personally identifiable record. If you have 500 patients, that’s almost $200,000.
Fortunately, these seven easy-to-implement tips can significantly increase existing protections you may already have in place to secure your patient records — whether you have 50 patients or 5,000.
Use stronger passwords
A strong password can’t prevent the ill-intentioned from attempting to breach your network, but a strong one can deter many from succeeding in their efforts. Employees may be inclined to choose passwords that are easy to remember — real words, phrases with personal information like birth dates, or names — but these are the weakest type of password because they are the easiest to crack. Consider using these tips to create a safe but easy-to-remember password.
Install an anti-virus program
Viruses represent the primary way that hackers corrupt computers in the small office environment, therefore up-to-date anti-virus software — which can be purchased for an affordable price — is key to protecting your systems and networks. Don’t forget to remind staff to run updates when prompted to ensure that the most current protections are in place.
Create a firewall
Anti-virus programs remove viruses or other corrupted files on your server, but how to keep them out to begin with? By installing a firewall — in either software or hardware form — you can ensure that all incoming messages and files destined for your servers are inspected.
Pay attention to who has access to your practice’s physical files, file storage systems, and networks. Outsiders should not be able, for example, to access the wireless network that supports your office’s systems while sitting in the waiting room. If you want to offer Internet access to patients in your waiting room, consider a separate guest network for just that purpose.
Fortify internal IT systems with staff training
Many small practices rely on internal staff members for IT support — a wallet-friendly model that can work when things are running smoothly. But what about when they aren’t? Difficult moments like these can put undue pressure on staff. Small practices seeking an affordable alternative to hiring a dedicated, full-time IT person can invest a fraction of the cost by bringing in a contractor to train staff and evaluate existing systems for weaknesses.
Or, hire dedicated, outside IT support
For something as important as the protection of PHI, it can be worth considering outside IT support. A highly-recommended IT specialist can set up a secure network with tailored, anti-virus protection for new practices or audit existing systems in established ones. He or she can determine whether a breach has already occurred and/or whether any of the applications you’re currently using are at risk.
Use an excess of caution when using mobile devices to communicate patient information
One survey conducted earlier this year showed that 80 percent of responding doctors use mobile apps or mobile devices for work purposes. But just because our mobile devices canprocess large amounts of data doesn’t mean they should be used to do so. And while the financial implications of allowing staff to use their own mobile devices on the job can be a plus, there are both pros and cons to the idea. The best thing is to create a Bring Your Own Device (BYOD) policy for your office so that guidelines are clear on types of allowable devices, password best practices for mobile, and use of Wi-Fi, for example. For staff who do use a mobile device to access patient information, make sure you include appropriate training as well as a written policy.
When you implement these simple, often-invisible security measures, patient data not only stays safer, but your practice stays protected from potentially costly breaches.
For more information on how to improve your practice’s operations, visit the practice management section of our blog.