Risk management

Ounce of prevention: 5 steps to boosting your practice’s data security

Prep for natural disasters, teach staff to spot threats, and review activity in your electronic medical record system, DOs and security experts say.

The Health Insurance Portability and Accountability Act (HIPAA) requires health care entities to put safeguards in place to protect patients’ health information. Many such precautions are fairly self-evident: Each staffer should have a unique, complex password; onsite servers should be kept in a locked area; and email systems and computers should be encrypted. Other protections are less obvious. Here are five frequently overlooked steps for improving information privacy and security in your practice.

1. Create a disaster recovery plan. Losing access to medical data could be even more damaging than a security breach, says David Holtzman, JD, a vice president at data security firm CynergisTek. To minimize the impact a power outage or natural disaster would have on your practice, document and test your recovery plan and emergency operations procedures. Keeping an offsite backup of your practice data, and verifying that it can actually be restored, is also vital.

2. Train employees to spot potential threats. Hackers are increasingly targeting health care professionals with phishing emails, which typically ask the recipient for login credentials or try to gain a foothold in a system through a bogus link, says Holtzman. His counterstrategy is simple: “Just use common sense.” Remind team members not to interact with emails from unknown senders, and reiterate that login credentials should never be shared.

Vigilant staffers at the practice of family physician Linda F. Delo, DO, recently nabbed a would-be health insurance fraudster. The patient presented an insurance card but was unable to produce any identification, which suggested that the insurance card likely belonged to someone else. “Had staff not been paying attention, that could have been bad,” says Dr. Delo, who practices in Port St. Lucie, Florida, and notes that the patient was offered the option of paying cash for care.

3. Take a centralized approach to IT security. Gary Novotny, the systems manager at Dr. Delo’s practice, recommends using centrally managed antivirus and anti-malware software, disabling nonessential USB ports and installing software that allows review of employees’ Internet activity. Running the current versions of applications and operating systems is also important, as older versions may no longer receive security updates and patches.

4. If patients’ loved ones are present, get permission before speaking frankly. Physicians may assume that if a patient has brought someone along to an appointment or to the emergency room, speaking openly in front of them is not a problem. That’s not always the case, says Mark A. Mitchell, DO, president of the American College of Osteopathic Emergency Physicians. “If it’s a sensitive topic,” Dr. Mitchell notes, “I’ll say, ‘May I talk about what’s going on in front of your family and friends here?'”

5. Conduct an electronic medical record system activity review. “You may realize that one employee is downloading 500 patient records a day while everyone else is accessing 20,” explains Art Gross, CEO of health IT consulting firm HIPAA Secure Now! Such a discrepancy could be a sign of an employee who’s engaging in medical record theft or inappropriately viewing patients’ data.
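The kind of activity review described above can be automated. The script below is an added example, not code from the article or from any of the firms quoted in it: it parses EMR audit-log lines in a constructed format (real EMR systems export audit trails in their own formats, so the line layout, the user names and the patient IDs here are assumptions), counts how many distinct patient records each user touched per day, and flags any user whose count is far above the median of their peers. The median is used as the baseline so that one heavy user cannot drag the average up and hide.

```python
"""Per-user EMR access-volume review over audit-log lines (illustrative example)."""
import re
import statistics
from collections import defaultdict

# Assumed audit-log line format for this example (not a real vendor's format):
#   <ISO timestamp> user=<login> action=<VIEW|EXPORT> patient=<record id>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) action=(\S+) patient=(\S+)$"
)


def parse_line(line):
    """Return (day, user, action, patient) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def daily_access_counts(lines):
    """Return {day: {user: number of distinct patient records touched}}."""
    touched = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole review
        day, user, _action, patient = parsed
        touched[day][user].add(patient)
    return {day: {u: len(p) for u, p in users.items()} for day, users in touched.items()}


def flag_outliers(counts_by_user, factor=5.0, min_users=3):
    """Flag users whose count exceeds factor x the median of the other users.

    Using the median of the peers (not the mean of everyone) keeps a single
    500-record-a-day account from inflating its own baseline.
    """
    if len(counts_by_user) < min_users:
        return {}  # too few users for a peer comparison to mean anything
    flagged = {}
    for user, n in counts_by_user.items():
        peers = [c for u, c in counts_by_user.items() if u != user]
        baseline = statistics.median(peers)
        if baseline > 0 and n > factor * baseline:
            flagged[user] = (n, baseline)
    return flagged


def review(lines, factor=5.0):
    """Return {day: {user: (count, peer_median)}} for every flagged user-day."""
    findings = {}
    for day, counts in daily_access_counts(lines).items():
        flagged = flag_outliers(counts, factor)
        if flagged:
            findings[day] = flagged
    return findings


def build_sample_log():
    """Constructed sample: three clinicians at about 20 records/day, one account at 500."""
    volumes = {
        "2024-03-04": {"jsmith": 18, "mlee": 22, "rpatel": 20, "tgarcia": 500},
        "2024-03-05": {"jsmith": 21, "mlee": 19, "rpatel": 23, "tgarcia": 24},
    }
    lines = []
    for day, users in volumes.items():
        for user, n in users.items():
            for i in range(n):
                action = "EXPORT" if (user == "tgarcia" and day == "2024-03-04") else "VIEW"
                lines.append(
                    f"{day}T09:{i % 60:02d}:00 user={user} action={action} patient=P{user}{i:04d}"
                )
    lines.append("garbage line that should be skipped")  # exercises the malformed-line path
    return lines


SAMPLE_AUDIT_LOG = build_sample_log()

if __name__ == "__main__":
    for day, users in review(SAMPLE_AUDIT_LOG).items():
        for user, (count, baseline) in users.items():
            print(f"{day}: {user} touched {count} records; peer median was {baseline}")
```

On the constructed log this flags only tgarcia on 2024-03-04 (500 records against a peer median of 20); the same account's 24 records the next day stay under the threshold. The factor of 5 is a starting point, not a standard: tune it against your own practice's normal volumes, and treat a hit as a prompt to look at which records were opened and why, not as proof of wrongdoing.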