Electronic Patient Information – Keep It Protected
The first thing many practices think about when protecting electronic patient information is their firewall appliance. When it comes to “perimeter” security, the firewall is only the first line of defense. Many times practices forget about other vulnerabilities. For example:
- Wireless networks
- Employees remotely accessing computers
- Mobile devices: laptops, tablets, iPads, smartphones
- Backup media storage from daily backup jobs
Take this seriously. A short vulnerability assessment can prevent a major exposure that could affect a business for years.
- Default ADMIN passwords must be changed, and firewall and wireless network appliances should be secured with strong passwords.
- The wireless access point should be invisible to the public (hide the SSID).
- If public internet access is provided in the waiting area, the wireless access point should not be shared unless a knowledgeable IT professional configures specific secured networks.
- It’s important to buy the appliance manufacturer’s warranty for support and maintenance.
- To reduce your exposure, limit who has access to the passwords of your firewall, router, wireless devices, etc. This could include internal IT resources or outside vendors.
- If there’s uncertainty about the current password protection, reset network appliances to the factory default and start over.
- It’s critical to maintain current documentation of all configurations and passwords. Keep this information locked away.
Secured remote access with confidentiality can be configured in several ways; some of these can be potential breach points if not properly protected. An experienced IT firm focusing on “professional services” clients can set up appropriate solutions. Consider these solutions and their risks:
- Opening up Remote Desktop (RDP) to the internet – while this is an encrypted protocol, it is a common port for various attacks. There are several methods to limit port exposure.
- “GoToMyPC”, “PCAnywhere” or other VNC access – easy to use and convenient, but open to significant vulnerabilities; especially following an IT vendor transition.
- Client VPN installations – secured solutions, but they can be cumbersome to manage when hardware is turned over, employees change, and newer versions of firewalls are installed.
- RSA (Remote Secured Access) – works well, but it can be costly to manage a dedicated server and key fobs/cards/phones as employees change.
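One of the “several methods to limit port exposure” mentioned for RDP is to scope the host firewall so that TCP 3389 only accepts connections from the practice’s VPN or internal address range rather than from the whole internet. The following PowerShell is an added example written for this article, not configuration from any vendor named here; it assumes a Windows host with the built-in NetSecurity module, and the address range 10.8.0.0/24 is a placeholder for your own VPN pool.

```powershell
# Added example (not from the article): restrict inbound RDP (TCP 3389) to a
# VPN/LAN address range instead of leaving it open to the internet.
# Assumption: 10.8.0.0/24 is a placeholder for the practice's VPN client subnet.
$AllowedRange = "10.8.0.0/24"

# Narrow every existing enabled inbound rule that allows TCP 3389 to the range.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Set-NetFirewallRule -RemoteAddress $AllowedRange

# Add an explicit, clearly named rule in case no RDP rule existed yet.
New-NetFirewallRule -DisplayName "RDP from VPN only (practice policy)" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedRange -Action Allow -Profile Domain,Private

# Verify: every inbound 3389 rule should now list only the allowed range.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        "{0}: RemoteAddress = {1}" -f $_.DisplayName, ($addr -join ', ')
    }
```

Run this in an elevated PowerShell session on each machine that exposes RDP. The verification step at the end is the check to keep in the practice’s configuration documentation: any rule whose RemoteAddress still reads “Any” is the exposure the article warns about.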
Guided by professional IT counsel, practices often implement combinations of these solutions for the best workflow and security.
Even though most EHR vendors provide patient portals, specific security measures are needed to ensure privacy. An experienced IT vendor can configure secured access through the firewall, establish SSL security (encryption), and isolate the web server away from the production database server.
Sending protected health information by regular email is not HIPAA compliant, but desktop email encryption solutions are becoming increasingly popular. These solutions allow practices to send patients emails that give them instructions to go to a secured site and retrieve the emailed information. IT companies that specialize in healthcare can offer assistance.
While cyber-security is critical to safeguarding sensitive information, medical practices can have many other vulnerabilities. Mobile devices must be secured and password protected, and backup media must be locked away. Prevention measures can offer peace of mind.