Most of us don’t consider the ramifications of a sensitive data breach until we’re forced to actively deal with one. In the healthcare industry, an out-of-sight / out-of-mind approach is simply unacceptable. The good news is that taking a proactive approach to securing your patients’ private health information can be done without consuming many resources or incurring much cost. The following often undervalued directives will help protect your patients and your practice while allowing your office to stay primarily focused on providing an excellent, engaging patient experience.
Vigilantly train yourself and your staff.
While difficult to admit, the human element is often the weakest link in the data security chain. Your office should already have a personnel training program under HIPAA guidelines, but I’ll wager it is due for a review and update. Physicians and clinic staff who are not trained on the latest security protocols can inadvertently cause gaping cyber security flaws. Spending a little time and / or resources now to update your training process could easily save your organization an exponential amount of both in the future. You can get started with a multitude of free, up-to-date resources at HHS.gov.
Overcome your fear of updates.
Regardless of how they may affect other programs or your office workflow, ‘critical’ and ‘security’ updates absolutely must be applied to your software, operating systems, and networking hardware. Consider the last challenge you overcame – maybe it was a skill you perfected, a recipe you refined, or even a video game you completed. It likely took several attempts of modified methods or tactics to achieve success. That is precisely what hackers and cyber attackers do when they attempt to access secure data. By making sure your office has the latest updates installed and current networking hardware, the target that malicious attackers attempt to reach is constantly moving further away.
Back up, then back up your backup.
When we ask healthcare practice managers and medical IT professionals if they back up critical systems and PHI data, the answer is a proud “YES”. Unfortunately, the responses get fuzzy when we start talking about backup encryption, testing backup data, off-site backups, cloud utilization, and data recovery plans. It is no longer enough to have a data backup, or even redundant backups. Make certain you have encrypted on-site and remote backups. Schedule regular dates for your IT staff or contractors to test your backups by actually restoring them. Finally, have an easy-to-follow plan in place for data recovery, and for dealing with potential fallout if an actual data breach ever occurs.
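As an added illustration of the “test your backups” step (example code written for this article, not a tool the author recommends), the script below builds a backup archive of constructed sample records, records a checksum manifest at backup time, then performs a restore into a scratch directory and reports any file that is missing or comes back altered; encrypting the archive at rest is assumed to be handled by the backup software or storage layer and is not shown here.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample files standing in for a practice's records.
# Contents are made up for this example and contain no real PHI.
SAMPLE_FILES = {
    "records/patient_0001.txt": b"MRN 0001 | visit 2023-01-10 | note: follow-up\n",
    "records/patient_0002.txt": b"MRN 0002 | visit 2023-01-11 | note: labs ordered\n",
    "config/emr.ini": b"[emr]\nbackup_window=02:00\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Write the files into a gzip'd tar archive held in memory and return
    the archive bytes plus a manifest {path: sha256} taken at backup time."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256(data)
    return buf.getvalue(), manifest


def restore_test(archive: bytes, manifest: dict) -> list:
    """Restore the archive into a scratch directory and compare every file
    against the manifest. Returns a list of problems (missing files or hash
    mismatches); an empty list means the backup restored byte-for-byte."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            tar.extractall(scratch)  # archive built by make_backup above
        for path, expected in manifest.items():
            target = os.path.join(scratch, path)
            if not os.path.isfile(target):
                problems.append(f"missing: {path}")
                continue
            with open(target, "rb") as fh:
                actual = sha256(fh.read())
            if actual != expected:
                problems.append(f"hash mismatch: {path}")
    return problems
```

Run `restore_test` on each scheduled test date and treat any non-empty result as a failed backup that needs attention before it is ever needed for real.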
Stop using the same password.
This should be a no-brainer, a given. However, since we’re all only human and since most of us have a limited ability to remember multiple complex passwords, it is easy to neglect. Anyone in any facet of healthcare with access to systems that store and access PHI must have unique passwords for individual systems. Those passwords must all be changed regularly. In your office, these last two points must be non-negotiable if they are not already. Make it easier on yourself and your staff to comply by coaching easy methods of password memorization. Use the first letter of each word in a favorite quote or song lyric and include a memorable number. For example: the quote “May the Force be with you.” makes a strong password such as “MtFbwy27!” much easier to remember than a similar strong password that is not related to a mnemonic device.
Regularly seek out vulnerabilities.
Discovering a potential vulnerability in your layers of data security can be both frightening and potentially costly to resolve. Because of this, most organizations don’t actively search for chinks in their cyber security armor nearly enough. For care-provider organizations, this approach is truly dangerous. Clinics, offices, and hospitals are so full of changes in staff, protocols, standards, and regulations that vulnerabilities can easily occur without openly presenting themselves. By making a regular plan to review your data safeguards, you are more likely to find holes and decrease liability. The truth is that resolving discovered vulnerabilities is rarely too costly or time-consuming, and certainly less so than if an attacker finds one first.
As you review and consider increasing your efforts in these five action items, your main takeaway should be that vigilance in patient data protection does not have to mean excessive cost and lopsided effort. Most of what we’ve talked about amounts to paying a little more stringent attention to your current plans and methods. For that touch of extra effort, you should be rewarded with greater confidence in your data security, and maybe even fewer restless nights.