Do you share logins and passwords in your rheumatology office? Do you have strict—and enforceable—policies for protecting the information of patients with rheumatic diseases? Do you require staffers to refrain from using personal devices during work? Do you perform background checks on new employees?
If the answers to those questions make you cringe, your rheumatology practice might be in need of a security checkup. Auditing your health IT policies, safeguarding your hardware and educating your staff on the importance of data security should be routine, according to industry experts.
“You have to be very diligent,” says Salahuddin Kazi, MD, professor of medicine in the Division of Rheumatic Diseases at the University of Texas Southwest Medical Center in Dallas, and chair of the ACR’s Registry and Health IT Committee. “It is very costly when violations occur. Also, physicians need to realize that the vulnerability is not [just] you; it is your staff. … You must embrace data security.”
As witnessed by recent server outages and hacked emails, cyber security is a challenge at all levels of business. Medical practices are especially vulnerable, according to Lee Kim, director of privacy and security at HIMSS, the Healthcare Information Management Systems Society.
“No one, not even a physician practice with 1–10 doctors, is safe. You can’t just set it and forget it and assume that all your data [are] safe because your [electronic health records] vendor is taking care of that. Unfortunately, it is not true,” says Ms. Kim, who worked as a healthcare attorney for 10 years before joining HIMSS. “You need to be proactive about cyber security. Everyone, frankly, is a target.”
Here are six things experts say you should do—some right away and some as long-term policy—to safeguard your practice.
1. Protect Your Data
Every physician knows violations of the Health Insurance Portability and Accountability Act (HIPAA) come with potentially severe financial penalties. But Dr. Kazi says it is still routine for rheumatology practices to ask new patients to fill out intake forms with sensitive information (e.g., date of birth or Social Security number) and mail or email the forms to the office.
“It is very risky, and I think that it has to go away,” he says. “[Intake forms] must be done within a secure portal, or patients should bring the forms into the office.”
Ms. Kim says that although some people can detect a “phishing” email, no person is 100% immune to all the gimmickry and sneaky scams. She reminds rheumatologists it takes only one wrong click to introduce malware into your network.