As if the time needed to optimize your practice, hiring good help and ensuring all patients receive the optimal level of care isn’t enough to keep you up at night — today’s practice owners also have to worry about whether or not their patient data is secure. The healthcare industry is rife with information technology security concerns, and with a lack of adequate staffing in support departments the challenge can be even greater. Data security in a medical practice is a big concern for the owners and administrators since these breaches are costing millions of dollars each year, but there’s no need to feel completely powerless. Cyber criminals are smart, but they do tend to take advantage of known issues such as poor password hygiene and a lack of updates to critical systems.
Some business offices enjoy low turnover, committed long-term employees and a full IT staff. However, if you're like thousands of other small to mid-size medical practices, you're struggling with turnover and a limited technology staff. When employees are never told why security rules such as strong passwords matter, they are much less likely to follow them, and the result is weaknesses in your information systems. You can combat this with a thorough onboarding program that explains the importance of security in the workplace and then reinforces it with regular reminders. Topics could include:
- How to recognize phishing attacks and report them to the IT team (without being tempted to click!)
- Password hygiene: creating strong, unique passwords (a password manager helps), never reusing a password across systems, and changing a password immediately if a compromise is suspected
- Locking workstations whenever you step away, even for a moment, with an automatic screen lock configured as a backstop for the times someone forgets
With the large number of people coming through your practice every day, it is easy for someone to walk through and quickly grab a laptop, phone or other connected device, and an unlocked or unencrypted device is a front-door entry point to your sensitive patient data.
Practice owners may not realize it, but BYOD (Bring Your Own Device) may in fact violate the HIPAA Security Rule. Any device that will access PHI (Protected Health Information) must meet HIPAA security standards, something smaller practices without a compliance officer often overlook for the sake of convenience. Even small practices are at risk of a data breach, so it is critical to follow generally accepted security practices. A good starting point is to work with a well-respected managed technology services provider on a security risk analysis that documents details such as how often data is backed up (and how, and whether a restore has actually been tested), what the termination process is when an employee leaves (including how quickly their accounts are disabled), and whether each employee has access only to the information they need to perform their primary duties and no more. Excess access is frequently cited as a contributing cause of data breaches in healthcare organizations.
Create a Response Plan
Setting strong passwords, securing all of your endpoints and devices, and checking your backup strategy are all important tactics to reduce the risk of a data breach. However, even the best-prepared organizations can be hit with a cyber attack. What happens then? That is when a well-prepared practice quickly launches the first steps of its data breach response plan. The first step is to identify and contain the breach. For instance, if you determine that an employee's account was the source of the leak, immediately revoke that account's access to critical data systems until the situation is understood and controls are restored, and preserve the relevant logs and devices rather than wiping them, since you will need them to work out what was taken. Whether the cause was accidental or intentional, time is not on your side in a data breach. Know and document the specific actions employees will take in the event of a breach, including how affected patients will be notified. Under the HIPAA Breach Notification Rule, individuals must be notified of any breach of unsecured PHI, without unreasonable delay and no later than 60 days after discovery; a breach affecting more than 500 individuals additionally requires notifying HHS at that time and prominent media outlets serving the affected area, while smaller breaches are reported to HHS in an annual log.
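Two items above, the risk-analysis questions about termination handling and least-privilege access, and the first containment step in the response plan (cutting off an account's access), come down to an access review you can actually run. The following is an added example written for this page; it is not code from the original article or from M-Scribe. It assumes a constructed account export (user, role, granted permissions, enabled flag, termination date) and a constructed per-role baseline of the minimum permissions each role needs; the permission names, roles and sample accounts are all invented for illustration.

```python
"""Access review for a small practice: flag excess permissions and stale accounts.

Added example, not from the original article. The role baseline, permission
names and account records below are constructed for illustration only.
"""
from datetime import date

# Constructed baseline: the minimum permissions each role needs for its primary duties.
ROLE_BASELINE = {
    "front_desk": {"schedule.read", "schedule.write", "demographics.read"},
    "biller": {"demographics.read", "claims.read", "claims.write"},
    "clinician": {"demographics.read", "chart.read", "chart.write", "orders.write"},
}

# Constructed sample export from a user directory / EHR admin console.
ACCOUNTS = [
    {"user": "alice", "role": "front_desk", "enabled": True, "terminated": None,
     "grants": {"schedule.read", "schedule.write", "demographics.read"}},
    # bob is a biller who also has chart access he does not need for billing.
    {"user": "bob", "role": "biller", "enabled": True, "terminated": None,
     "grants": {"demographics.read", "claims.read", "claims.write", "chart.read"}},
    # carol left the practice but her account was never disabled.
    {"user": "carol", "role": "clinician", "enabled": True, "terminated": date(2024, 3, 1),
     "grants": {"demographics.read", "chart.read", "chart.write", "orders.write"}},
    # dave has a role nobody defined a baseline for, so nobody knows what he should have.
    {"user": "dave", "role": "temp_scribe", "enabled": True, "terminated": None,
     "grants": {"chart.read"}},
]


def review_access(accounts, baseline, today):
    """Return (user, issue, detail) tuples for every account that breaks a rule.

    Rules checked:
      over_access   - granted permissions beyond the role's baseline
      stale_account - still enabled after the recorded termination date
      unknown_role  - role with no baseline, so least privilege cannot be verified
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        expected = baseline.get(acct["role"])
        if expected is None:
            findings.append((user, "unknown_role", acct["role"]))
        else:
            excess = sorted(acct["grants"] - expected)
            if excess:
                findings.append((user, "over_access", ",".join(excess)))
        term = acct["terminated"]
        if term is not None and acct["enabled"]:
            days = (today - term).days
            findings.append((user, "stale_account", f"enabled {days} days after termination"))
    return findings


def remediation_plan(findings):
    """Turn findings into the concrete actions the response plan should trigger.

    disable: accounts to shut off immediately (the containment step)
    revoke:  per-user permissions to remove to get back to the role baseline
    review:  accounts that need a human decision before anything changes
    """
    plan = {"disable": [], "revoke": {}, "review": []}
    for user, issue, detail in findings:
        if issue == "stale_account":
            plan["disable"].append(user)
        elif issue == "over_access":
            plan["revoke"][user] = detail.split(",")
        else:
            plan["review"].append(user)
    return plan


if __name__ == "__main__":
    found = review_access(ACCOUNTS, ROLE_BASELINE, today=date(2024, 4, 1))
    for user, issue, detail in found:
        print(f"{user:8} {issue:14} {detail}")
    print(remediation_plan(found))
```

Run it as-is to see the three findings on the constructed data; in practice you would replace `ACCOUNTS` with a real export from your directory or EHR and rerun the review on a schedule, because the stale-account check is only as good as the termination date HR actually records.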
Being the target of a data breach can be a scary situation, one that can make you feel powerless. When you work with partners who take security seriously, you can quickly identify the points where action is needed. Call M-Scribe today at 888-727-4234 or email email@example.com to learn more about our security practices and what makes us the right choice for all of your medical billing, coding and credentialing needs.