You need to keep your patients’ electronic data secure to meet both HIPAA and Meaningful Use requirements, but beyond that, it is the right thing to do. Your patients entrust you with sensitive information that criminals could use to wreck their credit or to expose private medical details to employers or others they never wanted to see them.
An objective for Meaningful Use requires doctors to protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. The objective deliberately does not spell out what those “appropriate technical capabilities” are, so that you can choose the ones that fit your practice now and change them as technology changes.
The HIPAA Security Rule lists four types of safeguards you must implement: administrative safeguards, physical safeguards, organizational standards, and policies and procedures. Part of the administrative safeguards is a security risk analysis. This isn’t something you do once and you’re done; it is ongoing and must be revisited at least annually. It also isn’t something you can simply delegate to your EHR vendor. You can find details in the Guide to Privacy and Security of Electronic Health Information from healthit.gov; look especially at Chapter 4.
Cyber security, meaning the security of systems that are connected to the Internet, is an important part of mitigating risk. Internet access is required in order to send electronic claims, e-prescribe, send C-CDAs to your patients’ portals, and use the Infobutton to obtain educational material.
Good hosting facilities protect your data with secure firewalls such as Cisco Adaptive Security Appliances (ASAs) and with Virtual Private Networks (VPNs). Safe practices include using anti-virus software and limiting the websites your staff members can access to only those that are necessary for the software to function and for claims to be sent. Good hosting facilities will load the latest software and firmware updates for all digital devices.
In your office, potential threats can reach your PCs, and your server if you host your own software, through email and websites. Email can carry viruses and phishing attempts. Phishing, according to TechTarget SearchSecurity, is “a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.” Ransomware can be hiding in a link or attachment in an email. Ransomware is malware that stops you from using your computer until you pay the ransom; it can encrypt files or stop certain applications from running, and there is no guarantee that paying the ransom will correct the problems it created. Websites can also be sources of viruses and other types of malware.
How can you avoid these threats? Teach your staff members not to click on anything that looks suspicious, whether it is an attachment in an email or a link. Keep your anti-virus software up to date. Install updates to your operating system and to the firmware on your digital devices. Give users only the access they need to do their work. Limit web surfing and other non-work activities to keep your data, PCs and network safe.