Most primary care doctors advise patients to have an annual physical, even if they are feeling fine. This way they can be screened and problems can be caught before they become a major concern. Many medical issues are much easier to treat if caught early. IT issues are very similar. It is far better to find a problem and fix it before it causes a major headache. That’s why physicians should give their practice a periodic IT health check. An ounce of prevention, as they say. Here are a few areas to examine.
I love the way that HealthIT.gov puts it,
“Good patient care means safe record-keeping practices. Never forget that the electronic health record (EHR) represents a unique and valuable human being: it is not just a collection of data that you are guarding. It is a life.”
Passwords are the first line of defense when it comes to data protection, yet many people use weak passwords, don’t protect them properly, or don’t change them often enough. Here are some password best practices:
- Use strong passwords. Password strength is determined by three factors: length (longer passwords are simply more difficult to crack); width (the variety of character types used, since adding characters outside the alphabet, such as numbers and special characters like #, $ and %, makes life more difficult for hackers); and depth (a password with depth has a meaning that is not easily guessed).
- Passphrases help make passwords memorable. You pick a memorable phrase, such as, “I love video visits with Chrion Health,” and then set a password that is the first letter of each word, in this case, “ilvvwch.” Because that collection of characters is not a word, brute force and guessing attacks are far more difficult. Change one of the v’s to an ^ and you’ve created an extremely strong password that you can remember. (Please don’t actually use this one.)
- Don’t use the same password for every application. This can vastly increase the pain if your password is cracked.
- Don’t use any personal information, such as family names, birthdates, addresses or ID numbers.
- Avoid words that appear in the dictionary; they are far more prone to cracking by brute force.
- Avoid sending passwords via email.
- Try not to write passwords down. If you must, be sure they are in a secure location.
- Change your passwords frequently. How often should depend on the sensitivity of the application. You may not care too much if someone hacks your Twitter feed, but securing your EHR and telehealth systems is worth additional effort.
- Require that each new password be different from previously used passwords.
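As an added example (not from the original post), here is a small Python policy checker that turns the rules above into code: minimum length, character width, dictionary words, personal information, and a history check performed against salted hashes rather than stored plaintext. The length threshold, history depth, and the tiny word list are assumptions standing in for a practice's real policy and dictionary.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-ins: a real deployment loads a full word list and the
# user's HR profile (names, birth year, address, ID numbers) for these checks.
DICTIONARY = {"password", "welcome", "clinic", "doctor", "summer", "health"}
MIN_LENGTH = 12        # assumed policy threshold, not a value from the post
HISTORY_DEPTH = 5      # assumed: the last five passwords may not be reused


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so the stored history never holds plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def reused(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any stored (salt, digest) pair in scope."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def check_policy(password: str, personal: list[str],
                 history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the rules the candidate violates; an empty list means accepted."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:                              # length
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")            # width
    if sum(1 for p in classes if re.search(p, password)) < 3:
        problems.append("uses fewer than three character classes")
    # Strip digits and symbols so "Password1!" is still caught as a word.
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:                # dictionary
        problems.append("is a dictionary word")
    for item in personal:                                       # personal info
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information '{item}'")
    if reused(password, history):                               # history
        problems.append("was used previously")
    return problems
```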
Unless your practice uses an EHR and other systems that are totally disconnected from the internet, you should have a firewall to protect your systems from intrusion. Anti-virus software is not a firewall; it is designed to find and remove malicious software that has already made its way into your systems. A firewall, on the other hand, is designed to prevent this from happening in the first place.
There are both software and hardware firewalls on the market. Both inspect all data coming into the system from the internet or from a local network and determine whether the information should be let in. While hardware firewalls usually require the assistance of technical experts to set up, there are software ones that have been pre-configured and are easily deployed.
In the same way that your patients can become ill if they don’t attend to basic hygiene, your IT systems need maintenance as well. Over time, software tends to collect old information and settings. Make sure that:
- User accounts for former employees are immediately disabled. If an employee is to be involuntarily separated, the account should be disabled before the employee is notified.
- Any device that holds data, whether a computer, mobile device, router, or even a copy machine (pretty much anything with an on/off switch), should be “sanitized” before disposal. Even if you believe all the data has been deleted, it can still be recovered with commonly available tools.
- Old data files should be archived for storage if needed, or cleaned off the system if not needed.
- Software that is no longer used should be completely uninstalled, including trial software and outdated versions.
- Data entry rules should be consistent and staff should be trained on how information should be entered into each system.
- Steps should be put into place to avoid duplicate data and a check for duplicate data should be completed on a regular basis.
Mobile devices, including laptops, tablets, and smartphones, are extremely convenient and allow providers and staff to untether from the desktop. But mobile devices represent a unique threat to privacy and security. They are inherently more likely than desktop devices to be lost or stolen, and they are prone to electromagnetic interference that can be emitted by medical devices. Make sure you have policies and procedures in place to minimize the chance of a mobile-device-related data breach, including:
- When mobile devices are used in public spaces, great care should be exercised to ensure that unauthorized people don’t see patient health information.
- Extra steps should be taken to ensure strong authentication and access controls. Laptops should have extremely strong passwords, and handheld devices should be configured with password or biometric protection.
- Unless it is absolutely necessary, patient health information should not be stored on a mobile device. When it is necessary, such data should be encrypted.
Practices should have a disaster recovery plan that addresses both short-term inconveniences, like weather events or power outages, and bigger disasters such as floods or fires. Keep in mind that having a plan is not enough. Every employee should be trained and occasional practice drills or at least refresher discussions should be held. Make sure you have the following items covered:
- Data protection – All data should be backed up and stored off-site, whether that be in the cloud, or a physical data storage facility.
- Data access – Every HIPAA-covered entity must have a contingency plan in place to ensure continued access to electronic protected health information in the event of a system failure. Cloud-based EHR and telehealth systems are one way to achieve this.
- Communication – There should be a solution in place to communicate with employees and patients even if you and your staff can’t make it into the office. Hosted phone systems, web portals, and instant messaging tools can help.
Not every physician needs to become an IT guru. But responsible practice managers take technology very seriously and work to keep it in tip-top shape. Think of these IT maintenance best practices as the “eat right and exercise” of your technical infrastructure and you’ll enjoy the benefits of lasting health.