Ms. Kim agrees that rheumatologists should expect employees to use personal devices. Knowing that, she encourages safeguards around their security and usage.
“Securing mobile and other devices can be a problem,” she says. “Some devices are more secure than others. Make sure mobile phones have anti-virus software, and that you have an automatic lock out [a HIPAA rule].”
Ms. Kim says physician practices should also explore mobile device management software, so that “all the mobile devices in your practice are centrally managed.”
She also warns that applications downloaded from app stores can contain malware. “Even though some mobile app stores have a screening process for applications, we still hear reports of malware-laden apps getting through,” Ms. Kim adds.
5. Use Background Checks to Weed Out Potentially Rogue Staff
Heard this story before? A new staffer used a handheld credit-card device to steal nearly $50,000 in co-pays from patients. The staffer simply walked into exam rooms and asked for the co-pay. No fuss, no muss.
“Turns out, she had been indicted for the same thing in another state,” Dr. Kazi says. “A decent background check would have caught that.”
Although not a solution for all of your staffing needs, background checks and personality tests can be effective.
“I think that is important,” he says. “There are companies that can do personality checks for you. They are easy and very reliable. … It is not a perfect method, but it can reduce your risk.”
6. Educate Employees About Cyber Security & Hold Them Accountable
Dr. Kazi says training a medical staff about cyber security can be difficult, and is often boring and repetitive. However, it is vital, considering the risk to the physician and the practice.
“You really have to have honest discussions with your staff,” he says. “Talk about the negative impact [of security breaches]. Get peoples’ buy-in.”
One area of difficulty new to medicine is social media. Office staff, especially, must abide by strict guidelines on what may be posted or shared. It seems like common sense, but inappropriate sharing happens every day.
“The temptation is too much,” Dr. Kazi says. “You have to make sure [staff] understand that once posted, it is no longer private, even if you only shared with one person. [Safeguarding patient privacy] has to become second nature.”
No matter where your practice is on the cyber security spectrum, Dr. Kazi says your goal should be to strike the right balance in approach, education and systems.