Cyber security, loosely defined as the protection of systems and data transmitted within networks using the Internet, is a hot topic. Neither government agencies such as the VA nor large corporations like Sony Entertainment are immune to hackers accessing thousands of files, including social security numbers and other sensitive information, resulting in financial and legal headaches for the victims and organizations alike. While the media focus seems to be on the big guys, is a smaller medical practice less likely to be compromised?
If a criminal wants to hack into someone’s data, he’s going to look for the easiest way in. That means that medical practices, regardless of size, are vulnerable if they use outdated anti-virus software, firewall protection or password protections. Medical providers are also increasingly likely to be targeted due to the growing number of practices using EHR. Many smaller practices use outdated or ineffective software and fail to take commonsense measures to reduce the incidence of hacking.
According to the U.S. Department of Health and Human Services (HHS) via the Office of the National Coordinator (ONC) for Health Information Technology, cyber security lapses by practices can have severe legal and financial consequences including loss of patient trust and business, fines, lawsuits or loss of the practice.
Common cyber-security mistakes medical practices make:
Weak, unsecured passwords – Strong passwords are at least eight characters long and use a combination of upper and lower case letters with at least one number. Avoid using common words, family or pet names, or birth dates. Change passwords on a regular basis, especially if an authorized user leaves the practice.
Discourage users from writing down passwords by either assigning password recovery to one or two senior staff authorized to reset, delete and modify passwords; alternatively, employ software with password-recovery features.
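One way to check a proposed password against the rules listed above, as an added example (not code from the article or from M-Scribe Technologies); the small denylist of common words, the `profile` dictionary of names and birth date, and the sample passwords are all constructed for illustration:

```python
"""Check a password against the article's rules: at least eight characters,
upper and lower case letters, at least one digit, no common words, no family
or pet names, no birth dates. Added example; the denylist is a constructed
stand-in for a real list, and the profile format is an assumption."""
import re
from datetime import date

# Constructed, deliberately tiny denylist; a real deployment would load a large one.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "medical", "clinic"}


def password_problems(password, profile=None, min_length=8):
    """Return a list of rule violations; an empty list means the password passes.

    profile (assumed format): optional dict with 'names' (list of family/pet
    names) and 'birth_date' (ISO string 'YYYY-MM-DD').
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")

    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word '{word}'")

    profile = profile or {}
    for name in profile.get("names", []):
        # Ignore very short names to avoid flagging every two-letter substring.
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains name '{name}'")

    birth_date = profile.get("birth_date")
    if birth_date:
        bd = date.fromisoformat(birth_date)
        # Common ways people embed a birth date: 19850423, 04231985, 0423, 1985 ...
        forms = {bd.strftime(f) for f in ("%Y%m%d", "%m%d%Y", "%d%m%Y",
                                          "%m%d%y", "%d%m%y", "%Y", "%m%d")}
        if any(form in password for form in forms):
            problems.append("contains birth date")
    return problems
```

The check reports every violated rule rather than stopping at the first, so a user can fix all of them in one pass.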
Careless access to EHR data – This includes the devices such as computers, as well as designated authorized personnel. The most common way for patient data to be compromised is through the loss of the devices themselves, either accidentally or by theft. These include:
- Mobile phones, laptops and similar devices
- Portable storage devices, such as flash drives
- CDs and DVD disks
- Hard drives removed from computers
In addition, restrict use to as few staffers as possible and discourage casual file sharing, especially with anyone outside of the practice.
Failure to upgrade security software on a regular basis – Viruses and other constantly changing forms of compromise are created every day, and outdated security systems are the prime targets of criminals.
Failure to install or maintain an effective firewall – An anti-virus program is important to effectively deal with viruses that do manage to slip into a system; an effective firewall, whether in the form of software or a hardware device if using a local area network (LAN), will be designed to prevent that access in the first place.
Failing to have a plan in place to deal with security breaches – Even the best systems and procedures may fall victim to a security breach, either accidentally or through criminal activity. Plan on who will be responsible for the following:
- Identify the source of the breach and how to close it
- Notify the practice’s legal team, law enforcement agencies, software and hardware vendors
- Notify patients, if their data was accessed or is vulnerable
Be sure to hold “breach drills” periodically, especially following any changes in personnel or systems.
Practices concerned about transmitting data to medical billing services will be reassured to know that M-Scribe Technologies, LLC’s secure servers ensure that transmitted EHR data remains secure and the practice compliant with HIPAA regulations. Contact them today for a complimentary analysis of your practice’s billing, coding and revenue management needs and learn how to increase reimbursement while keeping administrative costs down.