Do you have any security issues in your practice? Would you know if you did? Every time we do a security risk assessment, we find similar issues in each practice. This certainly is not from neglect. It is simply a matter of not realizing these things have to be buttoned up. Below are a few examples.
1. Disable inactive users – Does your IT department or vendor go into Active Directory each time an employee leaves or is terminated and disable their account? Does someone go into your EMR or other application and remove their user ID? An active account for an employee no longer working with you is a security risk.
2. Patches and updates not being performed on servers and workstations. I can’t stress enough how important it is to keep your servers and workstations patched and updated. Hackers target Internet Explorer and various Microsoft operating systems. This is why Microsoft comes out with these updates. Some of them are even labeled “critical security update.” Make sure you have some sort of patch management in place.
3. Antivirus/Antispyware – Do I even have to mention this? A lot of people think Antispyware and antivirus are just to protect them from viruses…period. It’s much more than protecting your computer from slowness. Hackers and thieves can enter your system and obtain sensitive data. Or, they can cause irreparable damage to your protected health information.
4. Wireless Networks – A lot of practices have wireless networks for their patients in the waiting room. Make sure this is a SEPARATE network from your patient health information. You certainly don’t want someone in the waiting room to be able to access your network, and obtain any of your files. Make sure your wireless network is secure and the password is changed on a regular basis.
5. Employee Training – Employees can really hurt you if they don’t understand security, or the HIPAA laws. Make sure you perform regular training, and they are aware of things like social media, and what they can and cannot do. They can’t post a picture of that cute baby on Facebook. Sometimes these violations are very innocent. Training will help with this.
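One way to catch the problem in item 1 is to reconcile the HR roster against account exports from Active Directory and the EMR on a regular schedule, flagging enabled accounts whose owner has been terminated or is unknown to HR, plus AD accounts nobody has logged into for 90 days. The script below is an added example, not Tier3MD's tooling or any vendor's export format; the CSV column names, the sample rows and the audit date are constructed for illustration.

```python
"""Reconcile an HR roster against exported account lists to find accounts that
should have been disabled when someone left.

Added example, not Tier3MD's own tooling. The CSV layouts (column names) are
assumptions, and every row below is constructed sample data."""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: who currently works here and who has left.
HR_ROSTER = """employee_id,name,status
1001,Alice Nguyen,active
1002,Bob Ortiz,terminated
1003,Cara Singh,active
"""

# Constructed Active Directory export (assumed columns).
AD_EXPORT = """sam_account,employee_id,enabled,last_logon
anguyen,1001,True,2024-05-28
bortiz,1002,True,2024-02-11
csingh,1003,True,2024-05-30
svc_backup,,True,2023-09-01
"""

# Constructed EMR user export (assumed columns).
EMR_EXPORT = """user_id,employee_id,active
ANGUYEN,1001,Y
BORTIZ,1002,Y
TEMPDOC,,Y
"""

# Constructed date the audit is run on.
AUDIT_DATE = date(2024, 6, 1)


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned_accounts(hr_csv, app_csv, id_field, enabled_field,
                           enabled_values=("True", "Y")):
    """Return (account, reason) pairs for accounts that are still enabled but
    whose owner is terminated or has no HR record. The reason is kept so each
    hit can be reviewed rather than bulk-disabled."""
    status = {row["employee_id"]: row["status"] for row in load(hr_csv)}
    findings = []
    for row in load(app_csv):
        if row[enabled_field] not in enabled_values:
            continue  # already disabled, nothing to do
        emp = row["employee_id"]
        if not emp:
            findings.append((row[id_field],
                             "no HR record (shared or service account?)"))
        elif status.get(emp) != "active":
            findings.append((row[id_field],
                             f"owner {emp} is {status.get(emp, 'unknown to HR')}"))
    return findings


def find_stale_accounts(ad_csv, today, max_idle_days=90):
    """Enabled AD accounts with no logon in max_idle_days. This catches
    departures that HR never reported to IT."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for row in load(ad_csv):
        last = date.fromisoformat(row["last_logon"])
        if row["enabled"] == "True" and last < cutoff:
            stale.append(row["sam_account"])
    return stale


if __name__ == "__main__":
    for acct, why in find_orphaned_accounts(HR_ROSTER, AD_EXPORT,
                                            "sam_account", "enabled"):
        print(f"AD  {acct}: {why}")
    for acct, why in find_orphaned_accounts(HR_ROSTER, EMR_EXPORT,
                                            "user_id", "active"):
        print(f"EMR {acct}: {why}")
    for acct in find_stale_accounts(AD_EXPORT, AUDIT_DATE):
        print(f"AD  {acct}: no logon in 90 days")
```

In practice the three inputs would be exported from the HR system, `Get-ADUser`, and the EMR's user administration screen; the point of the check is that the HR roster, not the IT ticket queue, is the source of truth for who should still have access.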
For the most part, practices are very aware of HIPAA and are putting policies and procedures in place to keep the practice secure. Unfortunately, security is an ongoing process. You can never really get comfortable. Hackers and thieves are constantly trying to get into your data, especially now that most practices have gone electronic. Hackers are now aware that healthcare has some good data to resell.
If you would like Tier3MD to perform a security risk assessment for your practice, please contact us.