Steps to Security
Operational and technical tips to help keep information secure.
Experts agree that protecting patient data should be every employee's job. When securing protected health information (PHI), says Scott Schober, "One of the most effective things that people overlook is that the weakest link is often people. People are part of the problem, and part of the solution." Schober is CEO of Berkeley Varitronics Systems.
"Your first line of defense is your employees," adds Jennifer Searfoss, Esq. She is chief solutions strategist for healthcare consulting firm SCG Health.
To shore up your people and policies, consider these operational and technical tips:
Make it personal. At a recent training session, Ms. Searfoss showed her employees compromising pictures of nursing-home patients that had been posted online by their caregivers.1 "I had all the employees bring in pictures of their grandparents and place them next to these pictures." Once the employees realized how they would feel if their own grandparents had been betrayed in that way, "They understood their role – protecting our patients."
Never give your own personal information unless absolutely necessary. Medical practices do not need patients' Social Security numbers to provide care, says Mr. Schober, and they can't deny care to people who won't provide them. "What happens when you write that down? That paper is photocopied; one copy is placed in a folder, the other goes into a file cabinet. A staffer takes that information home and enters it from a remote computer attached to the practice's server. Your Social Security number is everywhere."
Get hip to the Health Insurance Portability and Accountability Act (HIPAA). Jules Lipoff, M.D., says, "Doctors don't necessarily understand what is considered identifiable. HIPAA specifies 18 points of information, from name, date of birth and appointment dates to any unique features by which a reasonable person could identify someone."
Pick HIPAA-compliant apps and software. "Telemedicine is a great way to expand access to care," says Dr. Lipoff, "but Skype is not secure enough for patient encounters, as far as HIPAA is concerned." Secure communication systems usually store data not on portable devices, but in a cloud location that requires authentication for access, he says.
Use long, strong passwords. This means at least 12 characters, including uppercase, lowercase, numbers and symbols, says Mr. Schober. Additionally, "Don't write your password down and post a sticky note on your computer or under your desk."
Use multi-factor authentication. "At the login point," says Mr. Schober, "enter your username, your long and strong password, and then there's a third step – your authentication source sends a one-time short numeric code to your mobile device." If the user fails to enter that code within the allotted time, the authenticator erases it. This capability is available on most popular e-mail and social media platforms, he says. "However, many people don't use this because they're lazy, they don't know it's available or they don't have the time," which he says is perhaps 20 well-spent seconds. He also recommends minimizing the number of people and devices that can remotely access your network.
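The two preceding tips describe one login flow: a password that meets the length and character-class rule, followed by a short numeric one-time code that is erased if it is not entered in time. The following Python is an added example written for this page, not code from the article or from any of the people quoted in it. It checks the 12-character policy, stores passwords as salted PBKDF2 hashes, and issues six-digit codes that are single-use, expire, and are discarded after a few wrong guesses. The 60-second window and the three-attempt limit are assumed values; the article gives no figures for either.

```python
import hashlib
import hmac
import secrets
import string
import time

# Policy constants. The 12-character rule is the one stated in the article;
# the 60-second window and the 3-attempt cap are assumed for this example.
MIN_PASSWORD_LENGTH = 12
OTP_DIGITS = 6
OTP_TTL_SECONDS = 60
MAX_OTP_ATTEMPTS = 3


def password_meets_policy(password: str) -> bool:
    """At least 12 characters, with uppercase, lowercase, a digit and a symbol."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class OtpAuthenticator:
    """Second factor: a short numeric code that is single-use, expires after
    OTP_TTL_SECONDS, and is discarded after MAX_OTP_ATTEMPTS wrong guesses."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._pending = {}       # username -> [code_digest, expires_at, attempts]

    def issue(self, username: str) -> str:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = [self._digest(code), self._clock() + OTP_TTL_SECONDS, 0]
        # A real deployment delivers `code` to the user's device (SMS or an
        # authenticator app) and never hands it back to the login path; it is
        # returned here only so the example can be run end to end.
        return code

    def verify(self, username: str, code: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False                     # nothing issued, or already consumed
        code_digest, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[username]      # the allotted time passed: erase it
            return False
        entry[2] = attempts + 1
        ok = hmac.compare_digest(code_digest, self._digest(code))
        if ok or entry[2] >= MAX_OTP_ATTEMPTS:
            del self._pending[username]      # single use; also stops guessing
        return ok

    @staticmethod
    def _digest(code: str) -> bytes:
        # Hashing keeps the plaintext code out of memory dumps and logs; with
        # only 10**6 possible codes, expiry and the attempt cap do the real work.
        return hashlib.sha256(code.encode()).digest()


def first_factor(users: dict, authenticator: OtpAuthenticator,
                 username: str, password: str) -> bool:
    """Step one of the flow: check the password, then trigger the OTP."""
    record = users.get(username)
    if record is None or not check_password(password, *record):
        return False
    authenticator.issue(username)
    return True


if __name__ == "__main__":
    # Constructed demo account; not real credentials.
    pw = "Practice-Login-2024!"
    assert password_meets_policy(pw)
    users = {"alice": hash_password(pw)}
    auth = OtpAuthenticator()
    print("password accepted:", first_factor(users, auth, "alice", pw))
    code = auth.issue("alice")
    print("correct code accepted:", auth.verify("alice", code))
    print("replay rejected:", not auth.verify("alice", code))
```

The first factor is verified before any code is sent, so an attacker cannot make the service spam a victim's phone with codes by guessing usernames alone. The wrong-guess cap matters more than the code hashing: a six-digit code has only a million possibilities, and without the cap an attacker could simply try them all inside the window.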