Patient Privacy & Security Tips for Gynecology Practices

The medical industry's transition from paper records to digital systems creates new challenges related to patient data security for gynecology practices.

In the old days, your patients' medical records were as safe as the physical security of your office. Today, practices have phased out paper records in favor of electronic record-keeping systems, which have quickly become prime targets for hackers and other criminals who broker data illegally. This presents myriad new challenges for the medical community in the area of patient data security.

The Dangers of Data Breaches

Data breaches are costly for both private practitioners and their patients. Patient records are often stolen and sold to facilitate identity theft, since medical records contain almost every piece of information necessary to open credit card accounts, access bank accounts and otherwise wreak havoc on one's financial reputation.

While electronic medical records (EMRs) are convenient and easily shareable between specialists and primary care providers, some physicians are having second thoughts about their data security — and with good reason. A 2016 study by the Ponemon Institute revealed that approximately half of healthcare organizations had experienced a data breach due to a cyberattack. Meanwhile, 13 percent had been breached by malicious insiders — trusted employees who intentionally compromised sensitive data for personal gain. The report also noted that ransomware, malware and distributed denial-of-service (DDoS) attacks represent the greatest security threats to the healthcare industry.

Improving Your Patient Data Security Posture

The requirements for medical record documentation are easy to find. Agencies such as the Centers for Medicare & Medicaid Services (CMS) and the U.S. Department of Health and Human Services (HHS) make their documentation requirements available to the public. These guides inform medical practices about what must be done, but they do not explain how. That part is left to individual medical practices, since many variables, such as practice size and budget, factor into this equation.

Below are four steps to help you ensure that your patient data security posture is strong and tailored to the unique needs of your practice.

1. Have a Policy

Your patient data security policy should be clearly documented, and every employee at your practice should be familiar with it. In fact, you will need multiple policies to cover the many aspects of data security — everything from what training is required for new employees to which employees will have access to what systems. Your documentation should also address your expectations for privacy on social media, which is a real risk. If you will allow employees to access your network with their own devices, you need a policy to govern how these devices are protected.

2. Tailor Your Security Access to Your Practice

Individuals' access must be limited according to their jobs. Computers should use strong passwords, and mobile devices, including laptops, cellphones and thumb drives, should be encrypted and protected with two-factor authentication. Computer screens should also lock after a period of inactivity to prevent unauthorized persons from accessing them.

You can start tailoring your access controls by assessing your security risk. HealthIT offers a security risk assessment tool that can help small and midsized practices understand where their risks lie and what questions they need to answer to be more secure.

3. Invest in Systems That Integrate With Existing Infrastructure

Any new medical technology should seamlessly integrate with your existing computer systems and EMRs. Cloud-based image management systems should also communicate effortlessly with other systems and deliver the security required to transfer images and access them remotely. These systems should be set up to automatically save data to a specific place and to log all access to patient records.

4. Monitor Your Email, Data Security and Network Traffic

Your email system should filter incoming messages to stop phishing attempts before they reach employees. If the filter fails to capture these messages, employees should know how to recognize them. Also, your internet firewall should block access to websites that are known to be malicious or have expired certificates.

All the security protocols in the world will be worthless if a data breach goes undetected. Hackers or individuals with unauthorized access could continue to infiltrate the network as long as their activity goes unchecked. If your practice experiences a breach, your staff should know the protocol for what to do next, who to notify and how to separate compromised machines from the network.
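Steps 2 through 4 fit together: role-limited access, an access log for every record, and someone actually reviewing that log for activity that should not be there. The script below is an added illustration, not code from the article or from any EMR vendor; the role-to-record mapping, the log format and the log lines are all constructed for the example. It flags two of the patterns the article warns about: a user opening record types outside their job role, and one account touching an unusually large number of patients, which is how a malicious insider or a compromised login tends to show up.

```python
# Added example (not from the article): role-scoped access checks over a
# constructed EMR audit log, flagging out-of-scope reads and bulk lookups.
from collections import defaultdict

# Which record types each role may open (assumed mapping, illustrative only).
ROLE_SCOPE = {
    "physician":  {"demographics", "clinical_notes", "imaging", "billing"},
    "nurse":      {"demographics", "clinical_notes", "imaging"},
    "billing":    {"demographics", "billing"},
    "front_desk": {"demographics"},
}

# Constructed audit lines in a "timestamp key=value ..." format (not real data).
AUDIT_LOG = """\
2016-03-01T09:14:02 user=amartin role=physician patient=P1001 resource=clinical_notes action=view
2016-03-01T09:15:40 user=jdoe role=front_desk patient=P1002 resource=demographics action=view
2016-03-01T09:16:05 user=jdoe role=front_desk patient=P1003 resource=clinical_notes action=view
2016-03-01T09:20:11 user=bkim role=billing patient=P1004 resource=billing action=view
2016-03-01T09:21:00 user=bkim role=billing patient=P1005 resource=demographics action=export
2016-03-01T09:21:02 user=bkim role=billing patient=P1006 resource=demographics action=export
2016-03-01T09:21:04 user=bkim role=billing patient=P1007 resource=demographics action=export
2016-03-01T09:21:06 user=bkim role=billing patient=P1008 resource=demographics action=export
"""

def parse_line(line):
    """Split one audit line into a dict; the leading timestamp is stored as 'ts'."""
    ts, *fields = line.split()
    entry = dict(f.split("=", 1) for f in fields)
    entry["ts"] = ts
    return entry

def allowed(role, resource):
    """Least-privilege check: a role not in the table gets no access at all."""
    return resource in ROLE_SCOPE.get(role, set())

def audit(log_text, max_patients=3):
    """Return findings: out-of-scope reads, then users touching too many patients."""
    findings = []
    patients_by_user = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if not allowed(e["role"], e["resource"]):
            findings.append(f"{e['ts']} OUT_OF_SCOPE user={e['user']} role={e['role']} resource={e['resource']}")
        patients_by_user[e["user"]].add(e["patient"])
    for user, patients in patients_by_user.items():
        if len(patients) > max_patients:
            findings.append(f"BULK_ACCESS user={user} distinct_patients={len(patients)}")
    return findings
```

Running `audit(AUDIT_LOG)` on the constructed log reports the front-desk user who opened clinical notes and the billing account that exported five patients' demographics in a few seconds; the `max_patients` threshold would be tuned to a practice's normal workload.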

Completing these four steps is no small task, but the process will help you ensure that your gynecology practice is compliant with federal standards. Patient data security is covered under the law, but your patients will also feel more secure visiting your office if they know that you are safeguarding their private information.