Do you share logins and passwords in your rheumatology office? Do you have strict—and enforceable—policies for protecting the information of patients with rheumatic diseases? Do you require staffers to refrain from using personal devices during work? Do you perform background checks on new employees?
If the answers to those questions make you cringe, your rheumatology practice might be in need of a security checkup. Auditing your health IT policies, safeguarding your hardware and educating your staff on the importance of data security should be routine, according to industry experts.
“You have to be very diligent,” says Salahuddin Kazi, MD, professor of medicine in the Division of Rheumatic Diseases at the University of Texas Southwestern Medical Center in Dallas, and chair of the ACR’s Registry and Health IT Committee. “It is very costly when violations occur. Also, physicians need to realize that the vulnerability is not [just] you; it is your staff. … You must embrace data security.”
As witnessed by recent server outages and hacked emails, cyber security is a challenge at all levels of business. Medical practices are especially vulnerable, according to Lee Kim, director of privacy and security at HIMSS, the Healthcare Information and Management Systems Society.
“No one, not even a physician practice with 1–10 doctors, is safe. You can’t just set it and forget it and assume that all your data [are] safe because your [electronic health records] vendor is taking care of that. Unfortunately, it is not true,” says Ms. Kim, who worked as a healthcare attorney for 10 years before joining HIMSS. “You need to be proactive about cyber security. Everyone, frankly, is a target.”
Here are six things experts say you should do—some right away and some as long-term policy—to safeguard your practice.
1. Protect Your Data
Every physician knows violations of the Health Insurance Portability and Accountability Act (HIPAA) come with potentially severe financial penalties. But Dr. Kazi says it still is routine for rheumatology practices to ask new patients to fill out intake forms with sensitive information (e.g., date of birth or Social Security number) and mail or email the forms to the office.
“It is very risky, and I think that it has to go away,” he says. “[Intake forms] must be done within a secure portal, or patients should bring the forms into the office.”
Ms. Kim says that although some people can detect a “phishing” email, no person is 100% immune to all the gimmickry and sneaky scams. She reminds rheumatologists it takes only one wrong click to introduce malware into your network.
“Unfortunately, there will always be people who will click on those links, or respond, or open up the poisoned attachment, unless they’re educated,” she says. “I’d like to think that 99.9% of the folks out there, they want to do the right thing. They want to protect their data. They want to protect their patients.”
Data security goes beyond patient health information, too. Most offices have applications for scheduling, email marketing, finance, etc., and many times several staffers share access to each of them.
“Email is a huge risk, as is texting our patients,” Dr. Kazi says. “We have to be very careful. Use the patient portal as much as possible, and use the right technology to ensure that [data are] protected and encrypted.”
2. Protect Your Systems
Risk analysis and risk management must be periodically reviewed and updated in response to changes in the environment. Ms. Kim says changes in personnel, the acquisition or retirement of technology, and alterations of the processes around your data are “great times to call the consultant.
“Do you have an up-to-date firewall? Are you encrypting information you’re sending through the network, to and from? Are you encrypting information when it’s stored on your hard drive or stored on tape, so that if it’s ever stolen, no one unauthorized can get to it?” she asks.
If your practice experiences a data breach, or there is concern that the technology or systems in place are vulnerable, don’t hesitate to schedule an appointment with a cyber security consultant.
“Ask [the consultant] how to close gaps, so you aren’t interrupted by cyber-events,” Ms. Kim says.
3. Don’t Share Passwords
“It should not occur,” Dr. Kazi says, noting he has from his own experience, and heard from colleagues, that such sharing happens in physician offices. “Nobody should ever sign on as you, the physician. I think that is one area rheumatologists make mistakes. It is just so problematic.”
4. Employ a Strong-But-Fair Policy for Personal Devices in the Workplace
It is fair to say the ship has sailed on this topic, because employees, even physicians, have a hard time putting down their phones nowadays.
“Everyone who works in the RISE server room has to leave their mobile phone outside and agree to have no access to personal email,” Dr. Kazi says. “I think that it is unlikely that practitioners and staff can do that on a daily basis. Everyone wants to stay in touch with their kids or spouse. This is more of a practice culture thing; an accountability thing.”
Ms. Kim agrees that rheumatologists should expect employees to use personal devices. Knowing that, she encourages safeguards around their security and usage.
“Securing mobile and other devices can be a problem,” she says. “Some devices are more secure than others. Make sure mobile phones have anti-virus software, and that you have an automatic lock out [a HIPAA rule].”
Ms. Kim says physician practices should also explore mobile device management software, so that “all the mobile devices in your practice are centrally managed.”
She also warns against application downloads from app stores, some of which contain malware. “Even though some mobile app stores have a screening process for applications, we still hear reports of malware-laden apps getting through,” Ms. Kim adds.
5. Use Background Checks to Weed Out Potentially Rogue Staff
Heard this story before? A new staffer uses a handheld credit-card device to steal nearly $50,000 in co-pays from patients. The staffer walked into exam rooms and just asked for the co-pay. No fuss, no muss.
“Turns out, she had been indicted for the same thing in another state,” Dr. Kazi says. “A decent background check would have caught that.”
Although not a solution for all of your staffing needs, background checks and personality tests can be effective.
“I think that is important,” he says. “There are companies that can do personality checks for you. They are easy and very reliable. … It is not a perfect method, but it can reduce your risk.”
6. Educate Employees About Cyber Security & Hold Them Accountable
Dr. Kazi says training a medical staff about cyber security can be difficult, often boring and redundant. However, it is vital, considering the risk to the physician and the practice.
“You really have to have honest discussions with your staff,” he says. “Talk about the negative impact [of security breaches]. Get people’s buy-in.”
One area of difficulty new to medicine is social media. Office staff, especially, must abide by strict guidelines with regard to posting or sharing. Not posting about patients seems like common sense, yet inappropriate posts happen every day.
“The temptation is too much,” Dr. Kazi says. “You have to make sure [staff] understand that once posted, it is no longer private, even if you only shared with one person. [Safeguarding patient privacy] has to become second nature.”
No matter where your practice is on the cyber security spectrum, Dr. Kazi says your goal should be to strike the right balance in approach, education and systems.
“I think security and productivity are inversely related. If you completely tie things down, it can become a dis-satisfier to your people. You really have to seek effective, but seamless, solutions,” he says.
Richard Quinn is a freelance author in New Jersey.
How to Find a Cyber Security Consultant?
The ACR does not recommend cyber security vendors; however, Dr. Kazi says your ACR colleagues can be a great resource.
Ms. Kim says there is no golden rule to finding a credible cyber security vendor and suggests you employ due diligence. She says rheumatologists should consider the following questions for vendors:
- Who is the true owner, and how long have you been in business? Are you a startup, and will you be around in five years?
- How many healthcare clients do you have?
- What cyber security degrees or certificates do you have?
- What kind of experience, and how many years of experience do you have, in the cyber security field?
- Can you provide two or three references from current clients? You can also ask your peers for a reference.