By Peter J. Cass, OD
April 3, 2019
In today’s environment of privacy concerns, data breaches, and ransomware and burdensome HIPAA regulation, ODs need to be extra vigilant in protecting data.
As a consultant with Practice Compliance Solutions (PCS), I use these approaches myself to safeguard my practice, and recommend other practices do the same.
There are several keys to protecting your practice’s data:
- Analysis of the practice
- Proper network setup
- Data protection
- Staff training
So let’s look at each of these topics
Analysis of the Practice
Securing data in your practice involves a full Security Risk Analysis. Providers must objectively examine all aspects of their practice from locks, to employees, to computers, to data encryption, and look for potential areas of vulnerability to data breaches. There are guides that can help with this like the PCS app. Providers must also familiarize themselves with the HIPAA rules and regulations and set up policies and manuals for their office.
Other Pieces to Explore
Proper Network Setup
Proper network setup includes:
a. As much hard-wiring as possible. WiFi is nice, but not as reliable, fast or secure. We use a mix of both in my office, but I try to plug in as many devices as possible.
b. A good commercial grade router (SonicWall makes some good ones). The cheaper small office/home ones are riskier and less reliable.
c. A separate and segregated WiFi for patients
d. VPN certificates for secure remote access for doctors and key staff.
Data protection includes:
Hard Drive Encryption – Windows 10 Pro has a full hard-drive encryption option integrated with the OS called BitLocker. It is a “must have” for patient data to be encrypted. In the event of a breach, doctors who do not have the data encrypted will be held responsible.
Strong Passwords – The server operating system should also be protected, and only allow users with a password to log in.
Antivirus Software – another “must have.”
Firewalls – Windows (and most antivirus programs) provide decent firewall protection, but having a good IT company configure the firewall on the router adds an extra layer of security.
Workstations – I recommend installing as few programs on workstations as possible. As a rule, only install the EHR client and antivirus software on the workstation PCs. When one breaks, or begins to function poorly, you can order an inexpensive replacement online. If the workstations have no patient data and few programs, they can be changed out rapidly and don’t require high-end specifications.
Servers – should be kept up to date. It is the core of our EHR system, and any issues with it can shut the entire office down quickly. I recommend a high-end machine from a manufacturer with a good reputation. It needs to run smoothly at all times. At the first sign of trouble it should be replaced. I do not recommend trying to repair a server. Instead, replace it with a better machine.
Software – should be kept up to date, especially operating system, antivirus, firewall protection and EHR. Not keeping those things current increases the risk of a breach.
Employees should be trained to:
Use secure passwords
Never share their passwords
Never install any software without doctor or IT company approval (including screen savers)
Never check personal e-mail, or social media, on company devices
Never download any attachments to e-mails, unless they were expecting the attachment.
Training should be updated annually.
Many doctors will need help with at least some of the recommendations I have made, such as conducting a security risk analysis, so it is a good idea to have a relationship with an IT company. Most doctors do not have the expertise to set up commercial routers and firewalls properly. Doctors can ask around or check out the ratings of local IT companies.
Peter J. Cass, OD, is the owner of Beaumont Family Eye Care in Beaumont, Texas, and past president of the Texas Optometric Association. You can learn more about securing data at https://practicecompliancesolutions.com/ or by e-mailing me at email@example.com.