11 Easy to Implement Data Security Tips for Medical Practices – Part 1
Not a day goes by when there isn’t news of hackers targeting a company or a business experiencing several days of downtime due to a computer virus. For medical practices, preventing data breaches is especially important because of patient confidentiality.
There are new cyber threats every day and it is difficult to know where to begin in terms of data security. Here’s a list of 11 tips that are easy to implement and will establish good security for data at your physician practice.
- Passwords
Nobody likes to remember dozens of passwords but using the same password for multiple locations or not changing your password for a long period of time is an invitation to get hacked. At your medical practice, it is a good idea to have a policy that requires a strong password and a change of password every 90 days. This can be enforced by the IT administrator. Strong passwords include a mix of numbers, special characters, and upper and lowercase letters. Of course, it is not a good idea to write down passwords on Post-It notes and stick them to computer monitors!
- Social Media
Employees may be tempted to log in to Facebook and other social media platforms or their personal web-based e-mail accounts on office computers. This puts the practice at risk of hacking and virus attacks because the likelihood of clicking on a bad link increases if this is permitted. To reduce your vulnerability to cyberattacks, your practice should have a policy that work computers cannot be used for personal browsing. This is even more important given that work computers contain confidential patient health information. Only approved applications should be installed on practice computers, such as EHR, practice management software, and accounting software. Employees should be prohibited from downloading any applications or programs that are not authorized.
- Backups
A specialist in IT security can help your practice get set up so that daily backups are taken. One approach is to use cloud technology to maintain a backup of your practice data and applications. Regular updates to this backup ensure you have something to fall back on in case of a breakdown or breach. Physical backups to disks or USB drives should be stored off-site, for example, in a fire-safe safety deposit box. The whole purpose of the backup is lost if the device is sitting in your practice in a desk drawer!
- Malware and Anti-Virus
Every practice computer should have malware and anti-virus software installed on it, with coverage that includes scanning of the e-mail service. It is a good idea to maintain consistency and install software from the same manufacturer on all computer systems. Also, all software licenses must be kept up to date. Setting up an automatic renewal is a time-saving method that ensures you are never without virus protection. The virus detection program should be in automatic update mode so that it receives protection against newly discovered viruses. Employees should not be able to suspend the anti-virus program under any circumstances. It is also a good idea to run updates on the operating system and applications because they often include security patches.
- Filing Cabinets and PCs
Medical practices handle a great deal of confidential patient health information. This includes the patient’s name, date of birth, medical history, and financial statements. Hard copies of patient records should be stored in secure filing cabinets and should be put away as soon as they are no longer required. Files should not be left outside locked filing cabinets overnight unless there are authorized exceptional circumstances.
Employees should be directed to lock their PCs before stepping away for a cup of coffee or a bathroom break. At the end of the day, the PC must be turned off. Most computers have the option to go into sleep mode or be powered off after a period of inactivity. The IT administrator should set up the systems so that a login and password are required upon resuming work.
- Ongoing Education
Ongoing staff training is essential to stay on top of data security risks. Employees must be educated on the steps necessary to protect practice data. In addition, they must remain vigilant in keeping sensitive information out of bounds for visitors, including patients, pharmaceutical reps, laboratory staff, and cleaning staff.
A dedicated trainer should conduct regular data security education with annual updates. Training materials should be current to include the most recent threats as well as compliance with HIPAA. A data security expert can evaluate your practice team and direct you towards the training necessary to get everyone up-to-date on the most current security protocols.