“Unfortunately, there will always be people who will click on those links, or respond, or open up the poisoned attachment, unless they’re educated,” she says. “I’d like to think that 99.9% of the folks out there, they want to do the right thing. They want to protect their data. They want to protect their patients.”
Data security goes beyond patient health information, too. Most offices run applications for scheduling, email marketing, finance and more, and often many different people have access to each of them.
“Email is a huge risk, as is texting our patients,” Dr. Kazi says. “We have to be very careful. Use the patient portal as much as possible, and use the right technology to ensure that [data are] protected and encrypted.”
2. Protect Your Systems
Risk analysis and risk management must be reviewed and updated periodically in response to changes in the environment. Ms. Kim says that changes in personnel, the acquisition or retirement of technology, or alterations of the processes around your data are “great times to call the consultant.”
“Do you have an up-to-date firewall? Are you encrypting information you’re sending through the network, to and from? Are you encrypting information when it’s stored on your hard drive or stored on tape, so that if it’s ever stolen, no one unauthorized can get to it?” she asks.
If your practice experiences a data breach, or there is concern that the technology or systems in place are vulnerable, don’t hesitate to schedule an appointment with a security consultant.
“Ask [the consultant] how to close gaps, so you aren’t interrupted by cyber-events,” Ms. Kim says.
3. Don’t Share Passwords
“It should not occur,” Dr. Kazi says, noting that he knows from his own experience, and has heard from colleagues, that such sharing happens in physician offices. “Nobody should ever sign on as you, the physician. I think that is one area rheumatologists make mistakes. It is just so problematic.”
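One way to find out whether shared sign-ons are happening is to look for a single account that is active on two workstations at the same time. The script below is an added example, not code from the article or from any EHR vendor: it parses a constructed, hypothetical audit-log format (one line per login or logout, with a user and a workstation name) and flags every login that happens while that user still has an open session on a different machine. Real EHR audit logs each have their own layout, so only the parsing would need to change; the sample lines are made up.

```python
"""Flag one EHR account active from two workstations at once.

Added example (not from the article). The log format and the sample lines
below are constructed for illustration; adapt LINE_RE to your system's
actual audit-log format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: ISO timestamp, user, workstation, event.
# dr.kazi logs in at WS-FRONT-2 at 08:09 while still signed in at WS-EXAM-1:
# that is the pattern a shared physician password produces.
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=dr.kazi host=WS-EXAM-1 event=login
2024-03-04T08:05:40 user=nurse.lee host=WS-FRONT-2 event=login
2024-03-04T08:09:03 user=dr.kazi host=WS-FRONT-2 event=login
2024-03-04T08:31:17 user=dr.kazi host=WS-EXAM-1 event=logout
2024-03-04T08:45:00 user=nurse.lee host=WS-FRONT-2 event=logout
2024-03-04T09:00:12 user=dr.kazi host=WS-FRONT-2 event=logout
2024-03-04T09:10:00 user=dr.kazi host=WS-EXAM-3 event=login
2024-03-04T09:50:00 user=dr.kazi host=WS-EXAM-3 event=logout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>login|logout)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse log text into time-sorted event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not let one bad line abort the whole audit
        events.append(
            {
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "host": m["host"],
                "event": m["event"],
            }
        )
    events.sort(key=lambda e: e["ts"])
    return events


def find_concurrent_sessions(
    text: str, max_session: timedelta = timedelta(hours=12)
) -> list[tuple[str, str, str, datetime]]:
    """Return (user, host_already_active, new_host, login_time) for every login
    that occurs while the same user still has an open session on another host.

    Sessions older than max_session with no logout are treated as expired, so a
    forgotten logout last week does not flag every login this week.
    """
    active: dict[str, dict[str, datetime]] = defaultdict(dict)  # user -> {host: login ts}
    findings = []
    for e in parse_log(text):
        user, host, ts = e["user"], e["host"], e["ts"]
        if e["event"] == "login":
            # Drop stale sessions that never saw a logout.
            for h in [h for h, t in active[user].items() if ts - t > max_session]:
                del active[user][h]
            for other_host in active[user]:
                if other_host != host:
                    findings.append((user, other_host, host, ts))
            active[user][host] = ts
        else:
            active[user].pop(host, None)
    return findings


if __name__ == "__main__":
    for user, old_host, new_host, ts in find_concurrent_sessions(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} logged in at {new_host} while active at {old_host}")
```

On the sample log this reports exactly one event, the 08:09 login of dr.kazi at WS-FRONT-2 while the WS-EXAM-1 session was still open; the 09:10 login at WS-EXAM-3 is not flagged because both earlier sessions had been logged out by then. A single hit is a conversation starter with the physician, not proof of sharing, but a pattern of hits across many days is strong evidence that staff are signing on with the physician's credentials.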
4. Employ a Strong-But-Fair Policy for Personal Devices in the Workplace
It is fair to say the ship has sailed on this topic, because employees, even physicians, have a hard time putting down their phones nowadays.
“Everyone who works in the RISE server room has to leave their mobile phone outside and agree to have no access to personal email,” Dr. Kazi says. “I think that it is unlikely that practitioners and staff can do that on a daily basis. Everyone wants to stay in touch with their kids or spouse. This is more of a practice culture thing; an accountability thing.”