Worried about hackers from faraway countries breaking into your medical practice’s computer systems?
The risk may be a lot closer to home. In fact, the risk may even be in your office.
Cell phones and personal technology pose a greater security risk than you imagine.
HIPAA ISP and Meaningful Use both require that your practice ensure EHR security in order to meet set guidelines. If it is demonstrable that your practice allowed a breach of confidential information through some form of negligence, you may be liable to a fine of up to $50,000 per violation.
However, a far worse outcome is the loss of patient trust and faith. So, what do you do in an age where smartphones and personal tech are in the hands of virtually every patient and employee?
Consider the following risks that personal technology may pose to your practice:
Scenario One: A very charming patient comes in and builds a great rapport with your practice staff. They love her and she loves them. When she’s about to leave, one of your enthusiastic staff members decides to take a selfie with her and post it to Instagram with the hashtag “#bestpatientever.” This seems innocuous, but unbeknownst to the staff member, they have just violated HIPAA’s Personal Identification Information rules. These rules prohibit a practice from sharing information that can uniquely identify a patient in the public domain without the patient’s express consent. In this case, the patient could sue your practice for this privacy breach, even though she happily participated in the picture.
Scenario Two: Your practice uses a web-based EHR system, and one of your staff decides to use his personal computer to log in and get some work done from home. Since this computer does not have a strong credentialing system, he leaves for work the next day without logging out, and a visiting neighbor gets access to the system. The neighbor then starts perusing the health records of all the people she knows, resulting in a significant data breach and possible lawsuits. This is considered a failure of access controls and protocols. It’s important to ensure that staff who access practice systems from home meet certain requirements.
Scenario Three: A staff member is in the habit of using her iPad to access the system and work while on the move. Unfortunately, one day her car is burgled and the iPad is stolen. Because the device did not have any login credentials or encryption tools, all the data becomes available to the third party who stole the device. To avoid this, have a strong policy in place for device passwords and encryption.
These are just three scenarios where consumer technology could jeopardize your practice security.
If these scenarios scare you - good. Review the security measures of your own practice. Make sure your staff knows the rules and follows them.
Now that you realize the potential problems, you’ll never look at a patient waiting with a cell phone the same way again.