The following material was digested from an article in the March 17, 2006 edition of Medical Economics.
The health industry is under attack by electronic thieves. Just recently Wilcox Memorial Hospital in Hawaii lost a thumb-sized data drive with information on 130,000 former and current patients. Thieves stole back-up tapes with information on 57,000 enrollees of Blue Cross/Blue Shield of Arizona. (The data was stolen in a burglary of a managed care company that worked for BC/BS.) A hacker grabbed 42,000 patient records from the health center at Colorado University in Boulder. Kaiser was fined $200,000 by the state of California for posting information about 150 patients, without their permission, on a public website. It is believed that hundreds, if not thousands, of other hacking incidents go unreported.
Here are 9 tips to help you safeguard your data:
1. Lock the room where you keep your network server and limit access to specific people.
2. Position desktop monitors so that patients and visitors cannot easily read them. Some innovative thieves even use picture phones to photograph a monitor screen.
3. Install a firewall and/or a router with a built-in firewall, and keep it updated regularly.
4. Password-protect all laptops, tablets, PDAs and computers.
5. Replace patient-sensitive e-mail with secure messaging that is encrypted and password-protected. Wireless transmissions inside the office also require encryption.
6. Regularly audit who sees what in your EHR. Adopt sanction policies, up to and including dismissal, for anyone who accesses records without authorization.
7. Destroy the hard drive of any computer that is being thrown away. Deleted files can be easily recovered. Special "data-wiping" software is required to truly obliterate any and all files.
8. Forbid sharing of passwords or writing them on paper. Too many offices have passwords on sticky notes on the monitor or desktop.
9. Do your due diligence on any outside vendor that may handle your practice's data, such as billing companies or transcription services.
These tips are only the "tip" of the iceberg. Every practice should appoint at least one person to become knowledgeable in IT security at least to the point where they can manage the activities of internal IT staff or outside vendors. Aside from good business practices, security is required under HIPAA regulations.