Take precautions to keep your practice’s computer system safe
With a simple click of a mouse, computers and the Internet have allowed us to access almost anything we want. However, we must be careful when it comes to relying on the use of computers, because there is always the risk that the wrong click may result in a computer crash.
Cyber risks—certain Web sites; an improperly maintained operating system; or virus, spam, and hacker infiltration—may endanger the computer, its user’s finances and personal security, or the contact information stored in the computer. They may place the user’s identity at risk, expose the private information located in the computer, slow the computer’s speed, and ultimately crash it. Specifically, these risks may affect you, your patients, and your practice.
Fortunately, there are defense systems to help keep attacks at bay, keep patient information private, protect patient identities, and prevent computer crashes. No defense system is foolproof, but practicing due diligence by incorporating a defense-system strategy demonstrates your intent to protect your practice’s operating system and the privacy of your patients and staff. By using the right defense strategy in your practice, you may save your practice thousands of dollars.
Actual Case Scenarios
Case 1. Practice A hires a person who is given access to its network. Within minutes of connecting, the new hire copies every patient file. Then, without the practice’s knowledge, the person walks out with all of that information on a small storage device hidden inside his coat pocket.
Within a couple of weeks, the practice’s owner learns that the patient records were sold to a marketing firm and that the firm has begun to market to all of the patients. To make matters worse, 1 month later a hacker infiltrates the same office’s network and obtains access to the practice’s and the surgeon’s financial records.
Soon afterward, the identity theft is complete—causing the practice’s staff to spend endless hours repairing the damage at great expense. The results are a decreased profit margin and an open liability door.
Case 2. Practice B stores all of its patient and financial information on its internal network, believing that the network is protected against data loss. But the owner’s computer crashes and all of the information on the computer is lost.
The practice then spends $2,000 on a computer-repair person, but he cannot guarantee that the information can be restored. Instead, the repair person offers to take the computer apart and reassemble it, hoping that the data can be retrieved temporarily so that it can be transferred to a new hard drive.
In the end, some of the files—including the Microsoft Outlook® calendar and e-mails, and 4 years’ worth of Microsoft Word® documents—are not retrievable.
The Perpetrators
Technology has afforded us the luxury of having information available at our fingertips. Yet medical practices are at risk of being victims of identity theft and security issues as a result of viruses, spam, spyware, or hackers waiting to infect computers at every opportunity. In fact, spam, viruses, and spyware may slow a computer down and play a role in a computer crash.
The infiltration of deleterious influences has the potential to destroy a computer’s operating system. In fact, any tampering of a computer’s operating system can put the computer at risk for crashing.
Viruses, spam, and spyware. Viruses usually arrive disguised as e-mail attachments. Staff members unknowingly activate the virus, which can then infect the operating system, by opening the attachment. To help prevent this, send e-mail alerts about any identified virus to all of your staff members. The alert should include the steps to take should a staff member receive an e-mail that likely contains a virus.
Antivirus software is designed to constantly scan a computer’s operating system for incoming viruses and eliminate them upon detection. Be certain that the antivirus software program you select has the capability to manage your needs.
As David W. Evans, PhD, MBA, founder of Ceatus Media Group (La Jolla, Calif), adds, “Computer viruses and e-mail spamming can be among the biggest contributors to low productivity in the office. The largest downfall of many antispam and antivirus programs is their incompatibility with the many e-mail programs that exist in the marketplace. It is important that the antispam or antivirus protection technology used in the practice is compatible with your e-mail program.”
Hacking and identity theft. Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements are in place to make sure medical practices protect patient privacy and security. However, they do not prevent a hacker from entering a practice’s computer system and obtaining access to virtually any patient record. In addition, hacking may result in a computer crash.
Many practices have designated a specific HIPAA staff member to be responsible for overseeing practice precautions and ensuring the highest possible level of patient privacy and security. However, this staff member may not be equipped with the knowledge of an information technology (IT) security team member.
Ryan Miller, founder and president of Etna Interactive (San Luis Obispo, Calif), warns, “As more people have become skilled with the know-how of accessing private patient and practice information, practices need to pay more attention to patient privacy and security. It is very simple for past employees, network users, or seemingly laypersons to walk away with all data surrounding the practice. For this reason, it is worthwhile to hire a local computer consultant to check and verify that all data surrounding the practice are secure.”
Practice Precautions
Precautions should be taken to ensure that your practice’s computer system does not fall victim to an e-mail virus or a computer hacker. Only a network whose operators take all of these precautions can be considered reasonably secure for communication between patient and physician, and even then none of them is a guarantee. Because these measures can still fall short, it becomes even more important for your practice to make use of software-tool precautions and employ “best HIPAA practices” to help limit exposure to liability.
Use the same network server. Be certain that all of your practice’s internal computers and software systems rely on the same network server and use the same e-mail program. Messages that stay on one internal server never leave the practice’s network; messages relayed between separate servers travel over connections the practice does not control, where a hacker could intercept them, viruses and spam could enter, or identity theft could take place.
When a patient sends an e-mail to the practice, he or she is obviously not using the same server, so the risk that a hacker intercepts the message, or that it carries a virus that ultimately crashes the practice’s computer, cannot be fully avoided. This makes additional IT precautions necessary.
Use authentication systems, firewalls, and intrusion-detection systems. Medical practices and hospitals are responsible for ensuring that their e-mails, forms, and patient-information storage areas are secure. Authentication systems, firewalls, and intrusion-detection systems are part of the patient-privacy and security precautions that work with network servers. They also help prevent computers from crashing as a result of hackers’ activities.
An authentication system acts like a security guard: it checks identification, such as a username and password, before letting a user in. A firewall controls which network connections are allowed into and out of the practice, so that outsiders on the Internet cannot reach the systems that hold confidential patient information.
Practices often use multiple firewall layers, equivalent to the firewall protection of a bank. After all, a practice’s financial records and patient information are just as valuable to you as client and financial information is to a bank. Yet a firewall filters traffic at the network boundary and cannot protect against a person who already has access to the network, as demonstrated in Case 1 above.
Intrusion-detection systems watch network traffic and system activity for the signs of a break-in, such as a burst of failed log-in attempts, and alert an IT security point person when they see one. They detect rather than block: the alert describes the suspicious activity, and once the point person confirms it is a real compromise, access to the affected systems is locked down to keep unauthorized users away from sensitive data.
Intrusion-detection systems are not foolproof, however. The system may not recognize a breach (an attacker who works slowly enough can stay below the thresholds that trigger an alert), or the point person may not see the message in time. And if no point person is assigned 24 hours per day, an alert raised overnight may go unanswered, giving a hacker an opportunity to break into the network.
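To make the detection-and-alert idea above concrete, here is a small added example (written for this article, not a product from any vendor it names) of the kind of rule an intrusion-detection system applies: it reads authentication log lines, counts failed log-ins per source address inside a sliding time window, and raises an alert once a source reaches the threshold, noting whether a successful log-in followed the failures. The log format and the addresses are constructed for illustration. The second source in the sample fails only once every 15 minutes, which shows the caveat from the preceding paragraph: with a one-minute window the slow attacker is never flagged, and only widening the window to an hour catches it.

```python
"""Minimal intrusion-detection rule: flag a source address that fails
authentication repeatedly inside a short window.

Added example for this article, not software from any vendor named in it.
The log format, user names and addresses below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one fast burst from 203.0.113.7 followed by a
# success, and one slow, spread-out series of failures from 192.0.2.15.
SAMPLE_LOG = """\
2024-03-04 08:00:01 auth FAIL user=jdoe src=203.0.113.7
2024-03-04 08:00:03 auth FAIL user=jdoe src=203.0.113.7
2024-03-04 08:00:04 auth FAIL user=admin src=203.0.113.7
2024-03-04 08:00:05 auth FAIL user=root src=203.0.113.7
2024-03-04 08:00:06 auth FAIL user=front src=203.0.113.7
2024-03-04 08:00:09 auth OK user=jdoe src=203.0.113.7
2024-03-04 08:10:00 auth FAIL user=mary src=192.0.2.15
2024-03-04 08:25:00 auth FAIL user=mary src=192.0.2.15
2024-03-04 08:40:00 auth FAIL user=mary src=192.0.2.15
2024-03-04 08:55:00 auth FAIL user=mary src=192.0.2.15
2024-03-04 09:10:00 auth FAIL user=mary src=192.0.2.15
2024-03-04 09:10:02 auth OK user=mary src=192.0.2.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source address that accumulates `threshold`
    failed log-ins within `window`. Each alert records when the burst began,
    how many failures were counted, and whether a successful log-in from the
    same source followed: a success right after a burst of failures is the
    case a point person should treat as a likely compromise rather than a
    forgotten password."""
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = {}                    # src -> alert, so each source is reported once
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production system would log it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        if m["result"] == "FAIL":
            recent = failures[src]
            recent.append(ts)
            # Drop failures older than the window so slow attempts age out.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {
                    "src": src,
                    "first_seen": recent[0],
                    "failures": len(recent),
                    "success_after": False,
                }
        elif src in alerts:
            alerts[src]["success_after"] = True
    return list(alerts.values())


def format_alert(alert):
    """Render the message that would go to the IT security point person."""
    outcome = "then LOGGED IN" if alert["success_after"] else "no success yet"
    return (f"ALERT {alert['src']}: {alert['failures']} failed log-ins since "
            f"{alert['first_seen']:%Y-%m-%d %H:%M:%S}, {outcome}")


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(format_alert(a))
    print("with a 1-hour window:",
          [a["src"] for a in detect_bruteforce(SAMPLE_LOG, window=timedelta(hours=1))])
```

Run as a script it prints a single alert for 203.0.113.7 and then shows that the one-hour window also catches 192.0.2.15. The tradeoff is the point: a tighter window produces fewer false alarms for staff who mistype a password, a wider one catches patient attackers, and neither replaces a person who actually reads the alert.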
Reduce liability through software and documentation. Because authentication systems, firewalls, and intrusion-detection systems are not the be-all and end-all, e-mail communication requires special protective consideration. Therefore, you should publish your patient and practice privacy notices regarding e-mail communication, forms, and storage of patient information on your practice’s Web site.
Define the level of privacy protection for your patients before they begin communicating with you via e-mail. This can be accomplished through a “pop-up” window that appears whenever a visitor attempts to send information to your practice via your Web site.
The pop-up window contains the full text of the privacy notice and requires that the visitor select either “accept” or “decline” before being allowed to transmit information to you. The software then records the response, giving you documentation that every visitor who provided information to you was first made aware of their privacy rights.
To help mask patient identity, some practices use a computer-generated ID number that is assigned at the time of the initial patient-information data entry.
Maintain a HIPAA journal to document IT HIPAA-compliance action plans and interaction with vendors who provide service to your computers or otherwise have access to the network. Be certain that your IT vendors are familiar with HIPAA-compliance issues.
Such vendors typically assume a shared risk with the practice and must therefore meet specific additional requirements. For example, these vendors are obligated to carry an insurance policy. You should also have a business-associate agreement in place between your practice and any vendor that works in the IT arena.
Limit computer-information access, and do not allow computers to be shared. Many practices set up different access levels for staff members to help reduce the risk of infiltration. Remote access is often given only to the physician and, perhaps, to the practice administrator. A quarterly review of your staff members’ computer-access levels may be appropriate.
Password-expiration software prompts computer users to change their password regularly. When the password-change deadline approaches, a reminder is automatically sent to users daily until the password is changed. If the password is not changed by the deadline, the software denies access to the computer user. Bear in mind that forced frequent changes tend to produce predictable variations of the old password; long, unique passwords that are changed promptly whenever a compromise is suspected do more good than a short rotation schedule.
Many user-friendly software tools and applications may provide easier solutions to protect your practice from the liability of a harmful infiltration that may result in a computer crash, or the loss and misuse of information. Investigate all options that can simplify security management at low cost.
Properly maintain and back up your computers. Just like a car, a computer needs regular maintenance to run smoothly. All information on a computer is stored on a fragile hard drive inside the computer or on a network server typically located in the practice’s office.
A computer or network server can go haywire if dust gets inside it or if the hard drive is damaged. Data can be lost because of hard-drive failure. Despite the tools that your practice may employ to avoid a computer crash, the fact of the matter is that a crash can occur and valuable data can be lost should the hard drive in the computer or server fail.
In addition, the possibility that a fire, flood, or other disaster may occur in your practice makes it imperative that you back up your practice and patient information and store it in a safe location. Add this to possible virus, spam, and hacking infiltration, or the failure of a firewall or an intrusion-detection system, and it follows that additional IT measures are needed to protect your information.
Many practices use back-up tapes or purchase computers that have duplicate hard drives so that the information, often stored on the network server, can be mirrored from one hard drive to another. However, not all information is necessarily backed up by tapes or the practice’s network. In fact, it’s usually raw data, including patient information, that is stored on the network. And whereas software applications can always be reinstalled, Word documents, e-mails, and items located on the individual desktops are not necessarily backed up.
For these reasons, you may want to use a variety of tools to better protect your patients’ and practice’s information in case of a computer crash or infiltration by a hacker or a virus. Specific data may be written to CDs that are kept in a separate, secure location where they are protected from being scratched or broken.
Another option is to purchase a separate flash drive and plug it into a USB port on the computer. An external hard drive can back up as much data as necessary, provided that it has enough capacity to store all the pertinent data.
If your practice operates on a network, you can use automatic back-up applications that connect to every desktop computer, pull all information, and save it on a large disk. These systems cost $2,500 to $20,000—a small price to pay when compared to losing your calendar, e-mails, Word documents, and patient information. No matter what option you use, back up your information daily, and periodically restore a backup onto a spare computer to confirm that the copies can actually be read; a backup that has never been restored is only a hope.
As Jack Pellman, founder of MedNet Technologies (Elmont, NY), explains, “If we were to imagine the result of losing information that is stored on every desktop in the office, including info that is not located on the desktops, the price to pay could be devastating. An evaluation of the importance and sensitivity of the information on each computer station must be done to determine the need for stronger solutions that will back up all information from every computer in the office. In the end, the cost of recovery and liability may be far greater than an investment in a comprehensive unit that backs up all data.”
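The following is an added example (written for this article, not the product of any vendor it names) of the back-up routine the preceding paragraphs describe, carried one step further than most practices take it: it archives a folder, records a SHA-256 fingerprint of every file in a manifest stored beside the archive, and then proves the backup by restoring it into a scratch directory and checking each restored file against the manifest. The sample folder and file names are constructed inside the script so it runs offline; the same functions work on a real document folder and an external drive path.

```python
"""Back up a folder to a dated archive with a SHA-256 manifest, then prove
the backup by restoring it and comparing every file against the manifest.

Added example for this article, not software from any vendor named in it.
The sample files created in demo() are constructed for illustration."""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime


def sha256_file(path):
    """Digest a file in chunks so large scans or images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to `root` to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(src_dir, dest_dir):
    """Write dest_dir/backup-<timestamp>.tar.gz plus a .manifest.json beside it.
    Returns (archive_path, manifest). Files are added one by one with relative
    names so the archive never contains absolute paths."""
    manifest = build_manifest(src_dir)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, f"backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return archive, manifest


def verify_restore(archive, manifest):
    """Restore the archive into a scratch directory and compare every file with
    the manifest. Returns (ok, problems); problems lists files that are missing
    from the restore or whose contents differ from what was backed up."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Refuse members whose paths would escape the scratch directory
                # (the 'data' filter exists on Python 3.12+ and recent 3.8-3.11).
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        restored = build_manifest(scratch)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"changed: {rel}")
    return not problems, problems


def demo():
    """Build a constructed sample folder, back it up, verify the restore, then
    show that a tampered manifest entry (standing in for a file that was
    corrupted after the backup) is caught. Returns a summary dict."""
    src = tempfile.mkdtemp(prefix="practice-docs-")
    dest = tempfile.mkdtemp(prefix="backup-drive-")
    os.makedirs(os.path.join(src, "letters"))
    with open(os.path.join(src, "letters", "referral.txt"), "w") as f:
        f.write("constructed sample letter\n")
    with open(os.path.join(src, "schedule.txt"), "w") as f:
        f.write("constructed sample calendar\n")

    archive, manifest = make_backup(src, dest)
    ok, problems = verify_restore(archive, manifest)

    tampered = dict(manifest)
    tampered["schedule.txt"] = "0" * 64  # digest that no real file will match
    tampered_ok, tampered_problems = verify_restore(archive, tampered)
    return {
        "files": len(manifest),
        "manifest_written": os.path.exists(archive + ".manifest.json"),
        "restore_ok": ok,
        "problems": problems,
        "tampered_ok": tampered_ok,
        "tampered_problems": tampered_problems,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what turns "we have a tape" into evidence: after a crash, a restored file that hashes to the same value it had on the day of the backup is known good, and one that does not is known bad before anyone relies on it. Run the verification on every backup, not only the first.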
Choose a vendor carefully. Choosing a vendor is a multipronged process that may involve a variety of key IT personnel. Demonstrations of various hardware and software applications, as well as networks and security or back-up units, can be arranged by visiting a practice that has the systems installed or by attending a trade show where on-site demonstrations may be performed.
It is important to rate the user-friendliness, compare the costs, and weigh the benefits of each system. References are crucial, and can be provided by the vendors themselves or may be obtained by posting an inquiry on organizations’ message boards.
It might be helpful to cite specifics about your practice, including its size, current level of computer integration and technology specifications, and focus (practice-reimbursed medicine or cash pay). You should also receive feedback regarding demonstrations from everyone in the practice who will be using the product.
Make a priority features list and identify the budget when investing in computer technology. Based on this analysis, you can address other concerns:
Is it necessary for the new purchase to replace all technology functions in the office, or is it better to replace certain functions now?
Will the technology be compatible with existing applications in the office?
What are the typical incompatibility issues?
What is the installation process and time commitment for all parties?
What are typical stumbling blocks that can be encountered during the installation?
Is the technology easy to operate?
How much redundant data entry or hands-on back-up, if any, is required should the technology be purchased?
Based on practice focus, how expansive does the technology need to be?
What are the computer software and hardware requirements?
Will the new system work with the current hardware?
What is the cost to add new features?
What are installation and training costs?
What kind of software support is available?
Is the product HIPAA compliant?
Is there an indemnity clause to protect the practice from possible litigation?
Are there upgrades available that may be required for possible HIPAA updates or practice growth?
What kinds of technical support—user support, software support, or hardware support—are available?
Are there ongoing costs associated with this support?
What is the response time should the system crash?
Is there a remote back-up option available should the internal network or computers fail?
Do you have a business-associate agreement available?
Certainly, many more questions will come up along the way, especially those that will be very specific to the product purchase. In the end, the more questions, the better.
Final Thoughts on Cyber Risks
Many options are available today for turning your practice into the most secure environment possible. At the end of the day, though, you need a system that works for you. Whatever systems you end up choosing, they can go a long way to helping your bottom line.
This is true from the perspective of your patients, who will appreciate the modern conveniences you can provide and your dedication to protecting their sensitive information. They may acknowledge this gesture with more referral patients to your practice.
This is also true from the perspective of your office staff, who can now go to their desktops for all of their needs and answers knowing that security can be a hassle-free process. Maybe the best gift of investing in the ins and outs of avoiding a crash is the decreased liability potential and the expense you are spared when a computer crash does occur. Because in this busy and hectic world, easy safeguards can be worth far more than they cost!
Lesley Ranft is a contributing writer for Plastic Surgery Products.