Electronic health records (EHR) let you store and use a wealth of health-related data.
Your medical practice and your patients value this information. So do the unauthorized users and hackers who want to access it.
But you can prevent misuse and keep information safe by taking a few actions.
Ensure the safety of your paper documentation
Although you’re eager to keep your office’s electronic documentation safe, you should also consider the safety of your paper documents that contain sensitive information.
Remind your staff members to close files, remove records from well-traveled areas when they’re done using them, and keep documents away from patients’ eyes. Remind yourself to do the same.
Store these paper documents in a restricted area that only a few employees can access. A restricted area could be a locked cabinet or room or even a secure storage facility off-site.
Making information difficult to reach could also make it more difficult to misuse.
Limit who sees your records
Restricting access to storage areas could enhance security. It’s also good to restrict access to any physical or electronic files themselves.
For one, don’t let newer employees near sensitive information, at least until they’ve completed a probationary period.
Even if they’ve been working in your office for some time, some staff members might not need access to patients’ records. They might not need full access to every part of a patient’s record.
Depending on the electronic health record or practice management software system, you might be able to adjust just how much protected health information a certain employee can view (or, more accurately, can’t view).
Train your staff on security measures
Informing your staff about security measures could come during training sessions.
Because medicine and health care technology both change frequently, you’ll probably hold multiple training sessions. One or more sessions could occur when you implement a new electronic health record (EHR) or practice management (PM) system. They could also happen when you’re training a new staff member on this technology.
Also consider holding other sessions if other medical practices have experienced data breaches and you feel you might be at risk yourself. Or, if staff members are encountering problems with your software systems and have ideas about how to improve them, you might want to offer training and brainstorming sessions then.
Are you short of time or aren’t confident that you could lead such training sessions? Contact the manufacturers or vendors of your PM or EHR systems. There’s a good chance they’ll be able to offer online support or even dispatch people to assist you in person.
Conduct risk assessments
Conducting risk assessments is another way to prevent security issues.
When you conduct a risk assessment, you’re looking for things that could hurt you. In a health care office, these assessments could help you learn if your EHR or PM systems and the information they contain are vulnerable to outside attacks.
Risk assessments aren’t just nice things to do; they’re mandatory. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires medical practices and related businesses to perform them.
Do you need help with your practice’s risk assessment? Consider talking with a trusted IT professional. You could also download the U.S. federal government’s Security Risk Assessment (SRA) Tool to help you find vulnerabilities and follow regulations.
Encrypt your data
Are you sharing health information with other medical practices? You might want to encrypt your office’s data.
Encrypting data means transforming readable information (plaintext) into unreadable ciphertext, which typically appears as a string of letters and numbers. You’ll send this ciphertext when you’re sharing sensitive health-related information with others.
People who receive the encrypted data can decrypt it using a secret key.
Without the key, the data looks like gibberish, preventing unauthorized users from learning what it really means.
Examine and track your practice’s devices
For additional security, pay attention to your office’s hardware as well as its software.
Create a record of all the devices that are allowed to access your electronic health record and practice management systems. This record could include information about which employees have which device and the level of access they have.
Encourage employees to use this hardware, not their personal devices, for work-related business. This gives you more control over how, and on what, patient data is handled.
Losing one such device could endanger your practice’s security because you don’t know who could see (and possibly use) your patients’ protected health information.
Protect your digital endpoints
On a related note, it’s also good to secure your office’s digital endpoints.
Endpoints are places where people access information, such as through personal computers, laptops, smartphones, and other devices.
Making whitelists (allow lists) could help you provide this security. When you create a whitelist, you determine in advance which actions a person using a specific device may take. If someone tries to do something else with the device, they may be trying to compromise your system.
It’s also a good idea to use antivirus and antimalware solutions to protect your system, and to keep those solutions updated.
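The three controls described above, a per-role limit on which parts of a record an employee can view, an inventory of enrolled devices and who holds each, and an allow list of actions per device, fit together in one policy check. The following is an added example written for this page (not the article’s own code and not any EHR or PM product’s API); the role names, record fields, device IDs and employee names are constructed for illustration. Every denied request is appended to an audit log so it can be reviewed later.

```go
package main

import (
	"fmt"
	"sort"
)

// Role is a job function in the practice. Names are constructed for this example.
type Role string

const (
	FrontDesk Role = "front_desk"
	Nurse     Role = "nurse"
	Physician Role = "physician"
)

// roleFields is the "minimum necessary" view per role: the parts of a
// patient record each role may see. Anything not listed stays hidden.
var roleFields = map[Role]map[string]bool{
	FrontDesk: {"name": true, "dob": true, "insurance": true},
	Nurse:     {"name": true, "dob": true, "allergies": true, "vitals": true},
	Physician: {"name": true, "dob": true, "allergies": true, "vitals": true, "diagnosis": true, "notes": true},
}

// Device is one entry in the practice's hardware inventory: who holds it
// and which actions it is allowed to perform (its allow list).
type Device struct {
	ID             string
	AssignedTo     string
	AllowedActions map[string]bool
}

// auditLog collects denied attempts for later review.
var auditLog []string

// Authorize checks, in order, that the device is enrolled, that it is
// assigned to the employee using it, and that the requested action is on
// the device's allow list. A nil error means the request is permitted.
func Authorize(inventory map[string]Device, deviceID, employee, action string) error {
	dev, enrolled := inventory[deviceID]
	var err error
	switch {
	case !enrolled:
		err = fmt.Errorf("device %q is not enrolled", deviceID)
	case dev.AssignedTo != employee:
		err = fmt.Errorf("device %q is assigned to %q, not %q", deviceID, dev.AssignedTo, employee)
	case !dev.AllowedActions[action]:
		err = fmt.Errorf("action %q is not on the allow list for device %q", action, deviceID)
	}
	if err != nil {
		auditLog = append(auditLog, fmt.Sprintf("DENIED employee=%s device=%s action=%s: %v",
			employee, deviceID, action, err))
	}
	return err
}

// View returns only the fields of record that the given role may see.
func View(record map[string]string, role Role) map[string]string {
	visible := map[string]string{}
	for field, value := range record {
		if roleFields[role][field] {
			visible[field] = value
		}
	}
	return visible
}

func main() {
	// Constructed inventory: one tablet, assigned to one employee, allowed one action.
	inventory := map[string]Device{
		"tablet-07": {ID: "tablet-07", AssignedTo: "jlee", AllowedActions: map[string]bool{"view_record": true}},
	}
	// Constructed sample record; not real patient data.
	record := map[string]string{
		"name": "Pat Example", "dob": "1980-01-01", "insurance": "Plan A",
		"allergies": "penicillin", "vitals": "BP 120/80", "diagnosis": "(hidden)", "notes": "(hidden)",
	}
	attempts := []struct{ device, employee, action string }{
		{"tablet-07", "jlee", "view_record"},      // permitted
		{"tablet-07", "jlee", "export_records"},   // not on the allow list
		{"personal-phone", "jlee", "view_record"}, // device not enrolled
	}
	for _, a := range attempts {
		if err := Authorize(inventory, a.device, a.employee, a.action); err != nil {
			fmt.Println("denied:", err)
			continue
		}
		fields := View(record, Nurse)
		names := make([]string, 0, len(fields))
		for f := range fields {
			names = append(names, f)
		}
		sort.Strings(names)
		fmt.Println("allowed; a nurse on this device sees:", names)
	}
	fmt.Println(len(auditLog), "denied attempts recorded for review")
}
```

The order of the checks matters: device and assignment are verified before the action, so a lost or unenrolled device is refused even for actions that would otherwise be routine.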
Secure your wireless systems
How safe are the wireless systems in your medical office?
It’s a question you need to ask and answer. If you offer a messaging system and in-office Wi-Fi, your patients will appreciate the convenience, but more users could make your practice’s software systems more vulnerable.
To prevent such issues, keep your software systems updated. Use tools that spot malware. Malware is malicious software such as viruses. It also includes ransomware, which locks or encrypts your files and systems and keeps you from using them unless you meet the attackers’ demands.
Develop a plan that outlines what you’ll do if you find such malware or encounter other problems. If problems occur, you could contact the Federal Bureau of Investigation (FBI) and IT professionals for assistance.
Dispose of records properly
What if you no longer need to save data stored in electronic or paper files? If that’s the case, dispose of this information.
According to HIPAA regulations, medical practices that no longer want sensitive information should:
- Use software or hardware products to:
  - Clear data, that is, overwrite sensitive data with non-sensitive information.
  - Purge data by degaussing (eliminating the media’s magnetism).
  - Destroy unwanted media.
- Place protected health information and labeled prescription bottles in containers people can’t see through, store these containers in secure areas, and shred or otherwise destroy these items.
- Shred, pulverize, burn, or pulp (soak documents in water, then grind them into pulp) paper records so no one can reconstruct them or decipher any information on them.
Similarly, if you’re getting rid of computers, laptops, or other hardware you’ve been using in your office, make sure you eliminate any sensitive health data stored on them.