Electronic Patient Information – Keep It Protected
The first thing many practices think about when protecting electronic patient information is their firewall appliance. A firewall is only the first line of perimeter defense, and other exposures are easily overlooked. For example:
- Wireless networks
- Employees remotely accessing computers
- Mobile devices: laptops, tablets, iPads, smartphones
- Backup media storage from daily backup jobs
A short vulnerability assessment can prevent a major exposure that would otherwise affect the business for years. At a minimum, check the following:
- Default administrator passwords must be changed, and firewall and wireless appliances must be protected with strong, unique passwords.
- The wireless network used by practice systems should not be advertised to the public. Hiding the network name only keeps casual users away, so the network must also use WPA2 or WPA3 encryption with a strong passphrase.
- If public internet access is offered in the waiting area, guests must never share the practice's wireless network; a knowledgeable IT professional should configure a separate, isolated guest network.
- Buy the manufacturer's support and maintenance contract for each appliance so that firmware and security updates remain available.
- To reduce exposure, limit who knows the passwords for the firewall, router, and wireless devices, whether internal IT staff or outside vendors, and change those passwords whenever one of those people leaves.
- If there is any doubt about who knows the current passwords, reset the network appliances to factory defaults, set new passwords immediately, and rebuild the configuration from documentation.
- Keep current documentation of every configuration and password, and keep that documentation locked away.
Secure remote access can be configured in several ways, and each can become a breach point if it is not properly protected. An experienced IT firm that focuses on professional services clients can set up an appropriate solution. Consider these options and their risks:
- Opening Remote Desktop (RDP) to the internet: although the protocol is encrypted, its port (TCP 3389) is constantly scanned and brute-forced. Exposure can be limited by allowing the port only from a VPN or from a short list of known source addresses.
- GoToMyPC, PCAnywhere, VNC, and similar remote-control tools: easy to use and convenient, but they carry significant risk, especially after an IT vendor transition, when installations and accounts set up by the former vendor are easily forgotten and left active.
- Client VPN installations are a secure solution, but they become cumbersome to manage as hardware is replaced, employees change, and firewalls are upgraded to newer versions.
- Two-factor tokens such as RSA SecurID work well, but managing a dedicated authentication server, key fobs, and phones as employees come and go can be costly.
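The RDP and remote-control risks above come down to one question: which of these services does the firewall allow from outside the practice? The following is an added example, not code from the original article, that checks a firewall rule export for exactly that. It assumes a constructed, vendor-neutral rule format (one rule per line: action, protocol, source CIDR, destination port) and an assumed list of trusted source ranges (the office LAN and the VPN client pool); a real appliance export would need its own parser.

```python
"""Flag remote-access services that a firewall rule set exposes to the internet.

Added example, not code from the original article. The rule format and the
trusted source ranges below are assumptions for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Remote-access services named in the article and the ports they listen on.
REMOTE_ACCESS_PORTS = {
    ("tcp", 3389): "RDP",
    ("tcp", 5900): "VNC",
    ("tcp", 5631): "pcAnywhere data",
    ("udp", 5632): "pcAnywhere status",
}

# Source ranges the practice has decided to trust (assumed values): the office
# LAN and the address pool handed out to client-VPN users.
TRUSTED_SOURCES = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
]


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst_port: int


def parse_rules(text: str) -> List[Rule]:
    """Parse the simplified export; '#' starts a comment, blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, port = line.split()
        rules.append(Rule(action.lower(), proto.lower(),
                          ipaddress.ip_network(src, strict=False), int(port)))
    return rules


def is_trusted(src: ipaddress.IPv4Network) -> bool:
    """True only if every address the rule admits lies inside one trusted range."""
    return any(src.subnet_of(trusted) for trusted in TRUSTED_SOURCES)


def find_exposures(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (severity, description) for every allow rule that reaches a
    remote-access port from a source outside the trusted ranges."""
    findings = []
    for r in rules:
        service = REMOTE_ACCESS_PORTS.get((r.proto, r.dst_port))
        if r.action != "allow" or service is None or is_trusted(r.src):
            continue
        if r.src.prefixlen == 0:   # 0.0.0.0/0: reachable from anywhere on the internet
            findings.append(("critical", f"{service} ({r.proto}/{r.dst_port}) allowed from any address"))
        else:                      # a specific outside range, e.g. a former vendor's office
            findings.append(("high", f"{service} ({r.proto}/{r.dst_port}) allowed from {r.src}"))
    return findings


# Constructed sample export for the demonstration; not taken from any real device.
SAMPLE_RULES = """
# action proto source          dest_port
allow  tcp   0.0.0.0/0         443    # patient portal, meant to be public
allow  tcp   0.0.0.0/0         3389   # RDP open to the whole internet
allow  tcp   203.0.113.0/24    5900   # VNC left open for a former IT vendor
allow  tcp   10.8.0.0/24       3389   # RDP only from the VPN client pool
allow  udp   0.0.0.0/0         5632   # pcAnywhere status port
deny   tcp   0.0.0.0/0         22
"""

if __name__ == "__main__":
    for severity, text in find_exposures(parse_rules(SAMPLE_RULES)):
        print(f"[{severity}] {text}")
```

Run against the sample, the script reports the world-open RDP and pcAnywhere rules as critical and the vendor's VNC range as high, while the RDP rule restricted to the VPN pool passes. The point of keeping an explicit trusted list, rather than asking the library whether an address is "private", is that the practice decides what counts as inside: a vendor's static address belongs in that list only while the contract is active.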
Even though most EHR vendors provide patient portals, specific security measures are still needed to ensure privacy. An experienced IT vendor can configure restricted access through the firewall, set up TLS encryption for the site (the protocol behind HTTPS, still commonly called SSL), and isolate the public-facing web server from the production database server so that a compromise of the web server does not expose the database directly.
Sending protected health information by ordinary email is not HIPAA compliant, but desktop email encryption solutions are becoming increasingly popular. These solutions send the patient an email that contains no health information, only instructions for visiting a secured site where the message is retrieved. IT companies that specialize in healthcare can assist with setup.
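To show what the "retrieve it from a secured site" flow looks like underneath, here is an added example, written for this page and not any vendor's product code. It assumes in-memory storage (a dict), a 72-hour link lifetime, and a hypothetical pickup URL; a real deployment would keep messages encrypted at rest, serve the pickup page over TLS, and usually require the patient to log in or answer an identity challenge in addition to presenting the link.

```python
"""Secure-message pickup: the patient's email carries only a one-time link;
the health information itself is fetched from the secured site.

Added example, not any product's code. Storage, the link lifetime and the
pickup URL are assumptions for the demonstration.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_LIFETIME_SECONDS = 72 * 3600   # assumed policy: link valid for 72 hours
# Keyed by the SHA-256 fingerprint of the token, never by the token itself, so a
# leaked copy of this store does not let anyone construct working links.
_MESSAGES: Dict[str, dict] = {}


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_pickup(recipient: str, body: str, now: Optional[float] = None) -> str:
    """Store the message and return the unguessable token to embed in the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _MESSAGES[_fingerprint(token)] = {
        "recipient": recipient,
        "body": body,
        "expires": now + TOKEN_LIFETIME_SECONDS,
        "retrieved": False,
    }
    return token


def notification_email(recipient: str, token: str, base_url: str) -> str:
    """The email the patient actually receives: no health information, only the link."""
    return (f"To: {recipient}\n"
            f"Subject: A secure message from your care team\n\n"
            f"A message is waiting for you. Retrieve it at:\n"
            f"{base_url}/pickup?t={token}\n"
            f"This link expires in 72 hours and can be used once.\n")


def retrieve(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the message body exactly once; None if the link is unknown, expired or used."""
    now = time.time() if now is None else now
    fp = _fingerprint(token)
    record = _MESSAGES.get(fp)
    if record is None:
        return None
    if now > record["expires"]:
        _MESSAGES.pop(fp)            # expired links are purged, not kept around
        return None
    if record["retrieved"]:
        return None                  # a replayed or forwarded link gets nothing
    record["retrieved"] = True
    return record["body"]


if __name__ == "__main__":
    # Constructed sample message; the pickup host is a hypothetical address.
    tok = create_pickup("patient@example.com", "Your lab results are ready; see attached summary.")
    print(notification_email("patient@example.com", tok, "https://secure.example-practice.test"))
    print("first retrieval :", retrieve(tok))
    print("second retrieval:", retrieve(tok))
```

Three properties carry the security here: the token is long and random, so it cannot be guessed; the store holds only its hash, so a database leak does not reproduce valid links; and each link expires and works once, so a message forwarded or intercepted later yields nothing.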
While cyber security is critical to safeguarding sensitive information, medical practices have many other vulnerabilities. Mobile devices must be password protected and encrypted, and backup media must be protected as well. Prevention measures offer peace of mind.