Medical practices are not only tasked with protecting their patients' health but are now responsible for protecting their patients' electronic information as well. Protecting data is probably something that most practice employees have not been trained to do, nor are they familiar with security best practices. Data security is usually left to the IT consultants who maintain and support the network. Here are 5 things that you and your IT consultants can do to ensure you are properly protecting patient data.
Apply Security Patches
The reality of software is that most of it has security vulnerabilities that hackers, viruses and spyware exploit to compromise the security of a network. Vulnerabilities exist in Windows operating systems, both desktops (Windows XP, Vista and 7) and servers (all versions), and in applications such as Adobe Acrobat, Microsoft Office and Internet browsers. To minimize the risk from software vulnerabilities, vendor security patches should be diligently applied. Microsoft issues patches at least once a month, and these patches should be applied by your IT vendor. Desktops can be set to update automatically with no need for IT or user intervention. Employees should be trained to diligently update programs such as Adobe Acrobat and Flash, Java and Internet browsers. An even better strategy is to invest in software that lets IT administrators control the deployment of vendor security patches and software updates. Microsoft offers free tools to deploy Microsoft-specific security patches centrally. Unfortunately, the Microsoft tools do not take care of 3rd party applications, so additional tools will need to be purchased to address those apps.
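A quick way for your IT vendor to verify that a desktop is actually receiving patches, as an added example that is not part of the original post: it asks the Windows Update Agent which updates are still missing and reads back the Automatic Updates and WSUS settings that Group Policy writes to the registry. It assumes an elevated PowerShell session on a machine that can reach Windows Update or its WSUS server.

```powershell
# Added example (not from the original post): audit a Windows desktop for
# missing updates and confirm how Automatic Updates is configured.
# Assumes an elevated PowerShell session.

# 1. Ask the Windows Update Agent for updates that apply but are not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

Write-Host ("Missing updates: {0}" -f $pending.Count)
foreach ($u in $pending) {
    # MsrcSeverity is empty for non-security updates; security fixes are
    # rated Critical, Important, Moderate or Low.
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
    "{0,-10} {1}" -f $sev, $u.Title
}

# 2. Check the Automatic Updates policy (Group Policy registry location).
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Write-Warning 'Automatic Updates is disabled by policy.'
} elseif ($au -and $au.AUOptions -eq 4) {
    Write-Host 'Automatic Updates: download and install on a schedule (AUOptions=4).'
} else {
    Write-Host 'Automatic Updates policy not set; local Windows Update settings apply.'
}

# 3. Show whether a central WSUS server (the free Microsoft tool mentioned
# above) is assigned; empty means updates come straight from Microsoft.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
if ($wu -and $wu.WUServer) { "WSUS server: $($wu.WUServer)" } else { 'No WSUS server configured.' }
```

The search only covers Microsoft products, which is exactly the gap the paragraph describes: Acrobat, Flash and Java still need their own update mechanism or a 3rd party patching tool.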
Ban USB drives
A majority of patient data security breaches are due to lost or stolen portable devices such as USB drives, smart phones and laptops. In order to reduce the risk of a data breach, I recommend that you set a policy to ban USB drives. If an employee absolutely needs to use a USB drive to perform their job function, then invest in encrypted USB drives. I am a fan of the Kanguru encrypted drives. You can also get other encrypted drives here. Many people I talk to about data encryption admit to me that they really don't understand the technology and are reluctant to use it because of this. Simply stated, an encrypted USB drive secures the data on the drive and requires a password to read or write information on the drive. The technology is super easy to use. These drives cost more than unencrypted drives, but the cost is not significant. For example, an unencrypted 4GB drive might cost $10 and an encrypted drive might cost $35. The cost difference is nothing compared to the cost of a data breach.
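A written ban is only as good as its enforcement, so here is an added example (not from the original post) of making Windows itself refuse removable disks, using the same Removable Storage Access policy values that Group Policy writes. It assumes Windows Vista/7 or later and an elevated session; in a practice you would deploy the same values through a GPO rather than run this on each machine.

```powershell
# Added example (not from the original post): deny read and write access to
# removable disks, the technical counterpart of a "no USB drives" policy.
# Assumes an elevated PowerShell session on Windows Vista/7 or later.

# Device setup class GUID that the Removable Storage Access policy uses for
# "Removable Disks" (USB flash drives and similar).
$diskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$diskClass"

function Set-RemovableDiskDeny {
    param([bool]$DenyRead = $true, [bool]$DenyWrite = $true)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # 1 = deny, 0 = allow; both values are plain DWORDs.
    New-ItemProperty -Path $key -Name Deny_Read  -PropertyType DWord -Value ([int]$DenyRead)  -Force | Out-Null
    New-ItemProperty -Path $key -Name Deny_Write -PropertyType DWord -Value ([int]$DenyWrite) -Force | Out-Null
}

function Get-RemovableDiskDeny {
    # Read the policy back so an auditor can confirm it on any machine.
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyRead  = [bool]($v -and $v.Deny_Read)
        DenyWrite = [bool]($v -and $v.Deny_Write)
    }
}

Set-RemovableDiskDeny -DenyRead $true -DenyWrite $true
Get-RemovableDiskDeny   # expect DenyRead and DenyWrite both True
```

This blocks every removable disk, including the approved encrypted ones, so a practice that wants to allow only specific encrypted drives needs a device whitelisting product on top of it.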
Encrypt Laptops
As mentioned above, stolen or lost laptops are a leading cause of data breaches. All laptops should be encrypted. There are many types of encryption on the market, and some of them require IT support and installation. An encryption service that we started to work with, called AlertBoot, sells a very easy to use product that encrypts a laptop's disk drive. The service can be used with no IT support required. After AlertBoot encrypts the laptop's disk drive, an employee simply enters the encryption password once each time they start the laptop. AlertBoot can help reset the encryption password if an employee forgets it, so there are no worries about losing a password and being locked out of the laptop. At $12.95/mo., it is not the cheapest on the market, but its ease of installation, minimal impact on a laptop's performance and 24 x 7 support make it a great choice to protect each of your laptops.
Implement Password Controls
One of the cheapest and most effective security steps you can take is to implement password controls. Password controls include:
- Disabling a user account after a number of failed password attempts (think 5 failed passwords and your account is locked and can only be unlocked by your IT administrator)
- Requiring complex passwords. Simply stated, complex passwords require a user to set a password that is 6-8 characters and must have letters, numbers, and special characters (! @ # $ % ^ & * + ). These prevent easy to guess passwords.
- Forcing users to change passwords every 60-90 days. Unfortunately, I can guarantee you that your employees will complain about this. It always amazes me how people hate to change their passwords. I guess with so many different passwords, changing one makes it even harder to remember them. As a note, security is a fine balance between protecting your network and making it easy for employees to perform their job function.
Each of these password controls can easily be set by your IT administrator using the tools that Microsoft provides to manage a Windows network. At most this setup will take 1 or 2 hours.
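The three controls above applied to an Active Directory domain's default password policy, as an added example that is not from the original post. It assumes the ActiveDirectory PowerShell module (part of RSAT) and Domain Admin rights; the domain name is a placeholder.

```powershell
# Added example (not from the original post): set lockout, complexity and
# password-age controls on the domain default policy, then verify them.
# Assumes the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$domain = 'practice.example'   # placeholder: replace with your AD domain name

$policy = @{
    Identity                 = $domain
    LockoutThreshold         = 5                          # lock after 5 failed attempts
    LockoutObservationWindow = (New-TimeSpan -Minutes 30)
    LockoutDuration          = (New-TimeSpan -Minutes 30)
    ComplexityEnabled        = $true                      # letters, numbers and symbols
    MinPasswordLength        = 8
    MaxPasswordAge           = (New-TimeSpan -Days 90)    # force a change every 90 days
    MinPasswordAge           = (New-TimeSpan -Days 1)     # stops cycling straight back
    PasswordHistoryCount     = 24
}
# To require an administrator to unlock the account instead of a timed
# unlock, set "Account lockout duration" to 0 in the Default Domain Policy GPO.
Set-ADDefaultDomainPasswordPolicy @policy

# Read the policy back and flag anything that still misses the target.
$p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
$checks = [ordered]@{
    'Lockout threshold 1-5' = ($p.LockoutThreshold -ge 1 -and $p.LockoutThreshold -le 5)
    'Complexity enabled'    = $p.ComplexityEnabled
    'Min length >= 8'       = ($p.MinPasswordLength -ge 8)
    'Max age 1-90 days'     = ($p.MaxPasswordAge -gt [TimeSpan]::Zero -and
                               $p.MaxPasswordAge -le (New-TimeSpan -Days 90))
}
foreach ($c in $checks.GetEnumerator()) {
    "{0,-24} {1}" -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
```

On a standalone PC without a domain, the equivalent local settings are under Local Security Policy (secpol.msc) > Account Policies.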
Encrypt Backup Tapes
Backing up your data is very important and is a best practice for ensuring that you protect your patients' information. If you back up your EMR on a nightly basis, you will have all of your patients' records on the backup tape. That can be 100, 1,000 or 100,000 patients depending on how much data is in your EMR. Now think about what would happen if that backup tape were lost or stolen. Having the tape lost or stolen is not that hard to imagine: it could happen if someone breaks into your office, or if an employee responsible for taking the tape out of the office has it stolen from their car. The good news is that most backup software has data encryption built in. All that has to be done is to configure the software to encrypt the data and set an encryption password. Unfortunately, what I have seen is that the encryption setting is usually not set and the data is backed up to tape without encryption. Make sure your IT vendor has encryption enabled and that your tapes are encrypted.
If you follow these 5 steps to securing your patients' data, you will significantly increase your level of security. As I mentioned, none of these are very expensive, and the expense is insignificant compared to the expense of a data breach. And as an added benefit, these will help you with your HIPAA security compliance as well.
Let me know if you already have implemented some of these security measures or if you have other examples of easy and cheap security protections.
Image: jscreationzs / FreeDigitalPhotos.net
Cross-posted at Entegration Blog
These are some great tips. In your section titled “Ban USB drives” you talk about using encrypted USB drives and not allowing standard USB drives. Historically this has been implemented in HIPAA compliant environments by creating written policies stating that you can’t use standard USB drives, but nothing was done to actually prevent people from using them.
Sofa King Software has a solution called SecureBus that is basically a USB firewall. When installed on a system you create a whitelist of supported USB devices and if a user ever plugs in a USB device that is not approved it simply won’t work. SecureBus will block the operating system from loading the driver for that unauthorized device.