Physician practices have become more reliant on computer technology, the internet has connected most computers, and small mobile devices are everywhere. The net result is that practices are more exposed to computer security problems than ever before. With a small or medium-sized practice’s limited resources, what are the most important computer security steps to take? Here is the top 10 computer security list for medical practices.
Consider the following:
- Security breaches are in the news routinely, such as the VA computer system breach exposing the records of over 20 million vets. Closer to home, we have had large breaches at Cleveland State University, Ohio University and the State of Ohio.
- Practices, especially smaller ones, fail to back up their computer data and suffer huge losses when these systems fail.
- The federal incentives for electronic records will likely require compliance with HIPAA security standards as part of the “meaningful use” mandate.
In early 2002, physician practices made changes to comply with the HIPAA Privacy regulations. The next year they invested in computer software upgrades for the HIPAA Electronic Transaction changes. After this, many developed “HIPAA fatigue” and simply ignored the third HIPAA wave, the HIPAA Security rule.
The HIPAA Security rule is based on widely accepted standards for computer security. It includes 42 standards – 20 that are required, and another 22 that apply based on the size and complexity of the practice. Some of these requirements are more important than others. Here is Eagle Consulting’s Top 10:
- Offsite Backup. If you do nothing else, invest in a review of your backup procedures. Think through the systems you use – billing, electronic records, correspondence, financial records, email, spreadsheets. Make sure that everything that is important is backed up, and use the encryption feature that most backup software offers. Keep a recent backup copy off the premises. Have a staff person verify that the backup runs on a daily basis. On a quarterly basis, check that you can restore files from your backup.
- Physical Security. If your office layout allows, store your computer server and/or your paper records in a locked room. There is a saying: if you can touch it, you can own it. Limit physical access to your server and records. Consider an alarm system for fire and intrusion detection.
- Wireless Security. Don’t broadcast all of your patient data throughout the neighborhood. If you employ a wireless network, configure it for security. Get technical help if necessary to enable these security features on your wireless router or access point:
  - Disable Beacon
  - Change SSID
  - Enable WEP (the encryption option offered at the time; WEP has since been broken, so use WPA2 where your equipment supports it)
  - Use MAC filtering
- Computer Inventory. One of the largest causes of data breaches last year was the loss or theft of a laptop computer. Keep track of your computer equipment, especially the portable items. Maintain an inventory, including description and location, for:
  - Servers
  - Desktop computers
  - Laptops, tablets, smartphones and other portable computers
  - External disk drives and flash drives
- Media Disposal. Don’t give away old computers or throw away media without taking precautions:
  - For hard disks or floppy disks, reformat (note that a quick format alone leaves the data recoverable; use a tool that overwrites the whole disk, or have the disk physically destroyed)
  - For CDs, DVDs and tapes, use a service for certified destruction
- Use Software Audit Control features. Any medical software built for compliance with HIPAA security standards includes audit control capabilities. Windows and other operating systems also include this capability. Enable these features, which keep a record of who does what, and when. Review the audit logs that are created and take action when unauthorized or inappropriate access is made to patient data. Make sure staff know that you are watching who accesses what information.
- Access Control. Control who can access what and keep track. Set up your software so that people have access to the data they need and not more. Maintain an inventory of users. Set each user up with their own User ID (don’t share a single user ID!). Each person should also have their own password. When a person leaves, disable their access.
- Encrypt. Use encryption for data transmitted on networks and for data stored on mobile devices and backup tapes. Most practices do not encrypt email – which is OK as long as you don’t use it to transmit patient data. For your laptops and smartphones that store patient data, hire a vendor to select and implement an appropriate encryption solution.
- Keep the Operating System, especially Windows, updated. For any operating system software, but especially the security-flawed Microsoft Windows, make sure that it is updated on a regular basis. Unless your computer support organization recommends against it, use the Windows automatic update features.
- Use Firewall / anti-virus / anti-spyware software. Use a reputable security software vendor, enable the firewall software, and set it to update automatically.
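The Offsite Backup item above asks you to check quarterly that files can actually be restored. The following script is an added example (not from the article or from any backup product) that automates that restore test: it archives a directory, records a SHA-256 checksum of every file, restores the archive into a scratch directory and compares each restored file against the checksums. The sample practice data it backs up is constructed inside the script; encrypting the archive is left to the backup software, as the article advises.

```python
"""Backup-and-restore drill (added example, not from the article).

Archives a directory, records a SHA-256 manifest of every file, restores
the archive into a scratch directory and compares each restored file
against the manifest: the "check that you can restore" step, automated.
The sample practice data is constructed here; encrypting the archive is
left to the backup product.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Write src into a gzip tar archive and return the manifest taken first."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing entries that would escape dest."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # safe-extraction filter, Python 3.12+
        except TypeError:                        # older Python: no filter argument
            tar.extractall(dest)


def verify_restore(restored_dir: Path, manifest: dict) -> list:
    """Return the problems found when comparing a restore against the manifest.

    An empty list means every file came back with an identical digest and
    nothing unexpected appeared.
    """
    restored = build_manifest(restored_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file restored: {rel}")
    return problems


def run_drill(tamper: bool = False) -> list:
    """Back up constructed sample data, restore it and verify the restore.

    tamper=True alters one restored file before verification, to show the
    comparison catches a bad restore instead of silently passing.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "practice_data"
        (src / "billing").mkdir(parents=True)
        # Constructed sample files, not real patient or billing records.
        (src / "billing" / "claims_sample.csv").write_text("claim_id,amount\n1001,125.00\n")
        (src / "notes.txt").write_text("sample correspondence\n")

        archive = root / "practice_backup.tar.gz"
        manifest = create_backup(src, archive)

        restore_dir = root / "restore_test"
        restore_dir.mkdir()
        restore(archive, restore_dir)
        if tamper:
            (restore_dir / "notes.txt").write_text("corrupted during restore\n")
        return verify_restore(restore_dir, manifest)


if __name__ == "__main__":
    problems = run_drill()
    print("restore test passed" if not problems else "\n".join(problems))
```

Pointing `create_backup` at the real data directories (billing, records, correspondence) and running the drill on the quarterly schedule gives a written pass/fail result rather than an assumption that the backup works; keeping the manifest with the offsite copy also lets you check that an old backup has not been altered.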
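The Audit Control and Access Control items above come together when the audit log is reviewed against the user inventory. The script below is an added example (not from the article or from any medical software product) of that review: it reads constructed audit records, checks each against a made-up user inventory (one User ID per person, disabled when the person leaves) and a least-privilege role policy, and lists the entries that need follow-up. The log format, user IDs, roles and resource names are all assumptions made for the example.

```python
"""Audit-log review against a user inventory (added example, not from the article).

Checks constructed audit records against a user inventory (one User ID per
person, disabled when they leave) and a least-privilege role policy, and
returns the entries a reviewer should follow up on.
"""
from dataclasses import dataclass

# Constructed user inventory. Names, IDs and roles are made up.
USER_INVENTORY = {
    "jsmith":  {"name": "Jane Smith",   "role": "physician", "active": True},
    "rlee":    {"name": "Robert Lee",   "role": "billing",   "active": True},
    "mgarcia": {"name": "Maria Garcia", "role": "nurse",     "active": False},  # left the practice
}

# Constructed policy: the resources each role needs, and nothing more.
ROLE_PERMISSIONS = {
    "physician": {"clinical_notes", "lab_results", "schedule"},
    "nurse":     {"clinical_notes", "lab_results", "schedule"},
    "billing":   {"claims", "schedule"},
}

# Shared or generic IDs that defeat accountability and must not be in use.
GENERIC_IDS = {"admin", "frontdesk", "reception", "guest"}

# Constructed audit lines in a simple key=value format (not a real product's format).
SAMPLE_AUDIT_LOG = """\
2010-03-02T08:14:05 user=jsmith action=view resource=clinical_notes record=P-4471
2010-03-02T08:20:41 user=rlee action=view resource=claims record=C-1001
2010-03-02T12:02:17 user=rlee action=view resource=clinical_notes record=P-4471
2010-03-02T18:45:09 user=mgarcia action=view resource=lab_results record=P-3302
2010-03-02T19:01:33 user=frontdesk action=view resource=schedule record=2010-03-03
2010-03-02T19:10:58 user=tnguyen action=view resource=clinical_notes record=P-4471
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    resource: str
    reason: str


def parse_line(line: str):
    """Split '<timestamp> key=value ...' into the timestamp and a field dict."""
    timestamp, rest = line.strip().split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return timestamp, fields


def review(lines) -> list:
    """Return one Finding per audit record that needs follow-up."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        timestamp, fields = parse_line(line)
        user, resource = fields["user"], fields["resource"]

        if user in GENERIC_IDS:
            findings.append(Finding(timestamp, user, resource, "shared or generic user ID"))
            continue
        entry = USER_INVENTORY.get(user)
        if entry is None:
            findings.append(Finding(timestamp, user, resource, "user not in inventory"))
            continue
        if not entry["active"]:
            findings.append(Finding(timestamp, user, resource, "access by disabled user"))
            continue
        if resource not in ROLE_PERMISSIONS[entry["role"]]:
            findings.append(Finding(timestamp, user, resource,
                                    f"resource not permitted for role {entry['role']}"))
    return findings


def run_review() -> list:
    """Review the constructed sample log."""
    return review(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.timestamp} {f.user:<10} {f.resource:<15} {f.reason}")
```

On the sample log the review flags four records: a billing user viewing clinical notes, an access by a user whose account should have been disabled when she left, use of a shared front-desk ID, and a user ID that appears in no inventory. Each of those is an action item (fix the permissions, disable the account, retire the shared login, find out who the unknown ID belongs to), which is what the article means by reviewing the logs and taking action.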
These top recommendations will give you a good start on your computer security. For additional guidance on computer security, consult https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html which includes introductory tutorials, complete details on the HIPAA Security regulations, advice for small practices, and other technical materials. All practices should review this site because the federal stimulus bill included over 20 pages of changes to the HIPAA regulations, some of which have already gone into effect! Because of the technical nature of this subject, many practices will benefit from expert advice and should consider a consultant or other technical advisor.
The benefits of an investment in computer security include the privacy of your patient data, the availability of information when you need it for patient care, and in some cases, the survival of the practice itself.