When a company like Equifax is hacked, you can safely assume health clinics will also become targets at some point. Mining databases for personally identifiable customer information has become something of a dark craft, and its practitioners are more talented than ever. With that in mind: is your allied health clinic keeping your patients' medical records safe?
Business insurance for allied healthcare practices will help after a compromising event like a natural disaster or device theft. But what are you doing to prevent files from being compromised in the first place?
These recommendations will guide you in keeping your patients' electronic medical records safe.
Educate Your Patients
This oft-overlooked concept is actually one of the most powerful protective tools you can wield. After all, if patients handle electronic medical records (EMRs) carelessly, data can easily fall into the hands of a perpetrator. If you're providing online access, impress upon them how sensitive this information is. Let patients know how their medical records can be exploited. Show them how hackers use personal and financial information to send people into financial ruin. Provide guidelines for setting strong passwords and keeping communications with your practice confidential by using a secure portal.
Store Backups Offline
This move keeps backup EMRs out of reach of intruders while ensuring they're available if you're locked out of your system. Yes, locked out of your system. One of the newer tricks cyber criminals have come up with is the ransomware attack: they slip code into your network that they can control remotely, then use it to shut you down until you pay a fee. If your allied health clinic stores backups offline, you can ignore the criminals.
Just make sure your practice prioritizes the security of all devices containing sensitive information. Otherwise, a thief could physically swipe an external hard drive or laptop—or an employee could misplace one.
Insist on Strong Passwords
Remembering a multitude of different passwords for all the things we do online is a hassle. However, easy passwords make your system an easy target. Birthdays, anniversaries, and other personally associated information are the first things hackers will try. Passwords have to be unrelated to anything personal to make EMRs difficult to access.
Further, EMRs should only be made available on a “need-to-access” basis. This keeps the pool of people capable of getting to them as small as possible, reducing risk. When file-privileged personnel leave your employ, always disable their access immediately. Install privacy screens on every monitor to prevent “visual eavesdropping” on passwords and patient information.
Employ Session Timeouts
Ideally, patients and staff access files, collect the needed information and sign out. Unfortunately, people sometimes walk away with patient records visible on a screen. Setting your system to "go dark" and require a password for re-entry after a period of time safeguards against this. Of course, everyone should also be trained to sign off when they finish using a file. But when they don't, this preventive step could save patient data from a breach.
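The idle lock described above, as an added illustration rather than code from the original article: a small session manager that locks a session after a period of inactivity and requires the password again before records are shown. It also enforces an absolute session lifetime, which goes slightly beyond the text; the 10-minute and 8-hour values, the session/user names and the injectable clock are assumptions for the demonstration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

IDLE_TIMEOUT = 10 * 60         # seconds without activity before the screen locks (assumed policy value)
ABSOLUTE_LIFETIME = 8 * 60 * 60  # seconds after which a full login is required regardless of activity

@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float
    locked: bool = False

class SessionManager:
    """Tracks EMR sessions; activity resets the idle clock, but nothing extends the absolute lifetime."""
    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT, lifetime: float = ABSOLUTE_LIFETIME):
        self._clock, self._idle, self._lifetime = clock, idle_timeout, lifetime
        self._sessions: Dict[str, Session] = {}

    def login(self, session_id: str, user: str) -> None:
        now = self._clock()
        self._sessions[session_id] = Session(user, now, now)

    def check(self, session_id: str) -> str:
        """Call before showing a record. Returns 'active', 'locked' (re-enter password) or 'expired' (log in again)."""
        s = self._sessions.get(session_id)
        if s is None or self._clock() - s.created_at >= self._lifetime:
            self._sessions.pop(session_id, None)   # lifetime reached: drop the session entirely
            return "expired"
        now = self._clock()
        if s.locked or now - s.last_activity >= self._idle:
            s.locked = True                        # stays locked until unlock() succeeds
            return "locked"
        s.last_activity = now                      # live session: activity resets the idle clock
        return "active"

    def unlock(self, session_id: str, password_ok: bool) -> str:
        """Re-entering the correct password clears the idle lock without issuing a new session."""
        s = self._sessions.get(session_id)
        if s is None or self._clock() - s.created_at >= self._lifetime:
            self._sessions.pop(session_id, None)
            return "expired"
        if not password_ok:
            return "locked"
        s.locked, s.last_activity = False, self._clock()
        return "active"

class FakeClock:
    """Constructed clock so the timeline below is deterministic (seconds since login)."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t

def demo() -> List[str]:
    """Constructed timeline: a front-desk user walks away, comes back, then works past the lifetime."""
    clk = FakeClock()
    mgr = SessionManager(clock=clk, idle_timeout=600, lifetime=28800)
    mgr.login("s1", "front-desk")
    states = [mgr.check("s1")]                       # just logged in: active
    clk.t = 900                                      # 15 minutes with no activity
    states.append(mgr.check("s1"))                   # screen went dark: locked
    states.append(mgr.unlock("s1", password_ok=True))  # password re-entered: active
    clk.t = 30000                                    # past the 8-hour lifetime
    states.append(mgr.check("s1"))                   # full login required: expired
    return states
```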
With all of that said, today's hackers are good — very good. If a highly determined one decides to make infiltrating your network their life's mission, they will probably succeed, eventually.