New Web Series about HIPAA and Healthcare Data Security
We are pleased to announce our new web series about HIPAA and healthcare data security. The series is designed to educate: we will talk about the various risks that can affect healthcare, and topics will include HIPAA, threats, remediation, assessments and how they work. We are also available on most social media sites. Watch for updates about upcoming events and security tips. Please subscribe and leave comments. We appreciate the input.
10 Free Steps
1. Create a unique user account for each employee
Having multiple employees use the same credentials is easily overlooked as a security threat. It seems harmless enough, so why is it a threat? When more than one person uses the same login credentials, the security audit trail cannot provide the required level of detail, and it is unclear exactly who performed which actions on the network or within programs. In addition, you cannot create protected compartments of information that should be known only to certain individuals. If you want to pass an audit, every employee must have his or her own unique network account and a unique login for every software application used at your practice.
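One way to spot shared credentials in an audit trail, added here as an example and not part of the original post: a single person cannot be logged in at two workstations at the same time, so an account with overlapping sessions on different machines is almost certainly shared. The log lines and their format (timestamp, event, account, workstation) are constructed for this demonstration and do not represent any particular product's audit format.

```python
"""Added example (not from the original post): flag accounts that look shared
by finding overlapping login sessions from different workstations.

The log lines below are constructed for this demonstration; the format
(timestamp, event, account, workstation) is an assumption, not any specific
product's audit format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: "frontdesk" is used by two people at once
# from two workstations; "jsmith" is an individual account used one desk at a time.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:01:10 LOGIN  frontdesk  WS-RECEPTION-1
2024-03-04T08:03:45 LOGIN  frontdesk  WS-RECEPTION-2
2024-03-04T08:05:02 LOGIN  jsmith     WS-EXAM-3
2024-03-04T08:30:00 VIEW   frontdesk  WS-RECEPTION-2 record=MRN-0001
2024-03-04T09:15:30 LOGOUT frontdesk  WS-RECEPTION-1
2024-03-04T09:20:00 LOGOUT jsmith     WS-EXAM-3
2024-03-04T09:40:00 LOGIN  jsmith     WS-EXAM-4
2024-03-04T12:00:00 LOGOUT frontdesk  WS-RECEPTION-2
2024-03-04T12:05:00 LOGOUT jsmith     WS-EXAM-4
"""


def parse_sessions(log_text):
    """Pair each LOGIN with the next LOGOUT for the same account+workstation.

    Returns {account: [(start, end, workstation), ...]}; a session still open
    at the end of the log gets end=None.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        event, account, host = parts[1], parts[2], parts[3]
        if event == "LOGIN":
            open_sessions[(account, host)] = ts
        elif event == "LOGOUT":
            start = open_sessions.pop((account, host), None)
            if start is not None:
                sessions[account].append((start, ts, host))
    # Anything never logged out is still a session, just without an end.
    for (account, host), start in open_sessions.items():
        sessions[account].append((start, None, host))
    return sessions


def find_shared_accounts(log_text):
    """Return {account: set(workstations)} for accounts whose sessions overlap
    in time on different workstations. One person cannot be logged in at two
    desks at once, so overlap is a strong sign the credentials are shared.
    """
    flagged = {}
    for account, sess in parse_sessions(log_text).items():
        for i, (s1, e1, h1) in enumerate(sess):
            for s2, e2, h2 in sess[i + 1:]:
                if h1 == h2:
                    continue  # same desk: could be one person re-logging in
                # Treat an open-ended session as running to the end of time.
                end1 = e1 or datetime.max
                end2 = e2 or datetime.max
                if s1 < end2 and s2 < end1:
                    flagged.setdefault(account, set()).update({h1, h2})
    return flagged


if __name__ == "__main__":
    for account, hosts in find_shared_accounts(SAMPLE_AUDIT_LOG).items():
        print(f"{account}: overlapping sessions on {sorted(hosts)}")
```

Run against the sample log this reports only the frontdesk account. The VIEW line shows the other half of the problem: the record access is attributed to "frontdesk", and nothing in the trail says which of the two people at the desk opened it.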
2. Enforce stronger passwords of at least 8 characters
Ok, so you increased the length of your password, and that’s fantastic. But don’t stop there. A strong password isn’t just about its number of characters. A strong password also makes use of different types of characters: uppercase and lowercase letters, numbers, and special characters, meaning the non-alphabetic, non-numeric values such as punctuation. Most software allows special characters in passwords, basically any character that is not a number or letter. This little extra thought in creating passwords helps protect against brute force attacks on the network. For those of you not familiar with the term, a brute force network attack is an attempt to break into a network with an automated program that tries many combinations of characters until it finds a password match for a network account.
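The policy described above, written out as a check a practice could run when staff pick passwords. This is an added example, not code from the original post; the minimum length of 8 and the four character classes come from the post, while the requirement of at least three classes, the function names and the keyspace estimate are this example's own assumptions. The keyspace function goes a little beyond the text: it shows, in bits, how much larger the brute force search space becomes when classes are mixed.

```python
"""Added example (not from the original post): a password policy check that
enforces the rules described above, plus a keyspace estimate showing why mixing
character classes matters against brute force.

The minimum length (8) and the four character classes come from the post; the
minimum of three classes, the function names and the policy structure are this
example's own assumptions.
"""
import math
import string

MIN_LENGTH = 8

# Character classes the post recommends mixing. "special" is anything that is
# printable but neither a letter nor a digit (punctuation, symbols).
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def check_password(password, min_length=MIN_LENGTH, min_classes=3):
    """Return a list of policy failures; an empty list means the password passes.

    min_classes is how many of the four classes must be present. The post asks
    for a mix of classes without giving a number, so 3 is an assumption here.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    present = [name for name, chars in CHARACTER_CLASSES.items()
               if any(c in chars for c in password)]
    if len(present) < min_classes:
        missing = sorted(set(CHARACTER_CLASSES) - set(present))
        failures.append(
            f"uses only {len(present)} character class(es); missing {missing}")
    if any(c.isspace() for c in password):
        failures.append("contains whitespace")
    return failures


def keyspace_bits(password):
    """Estimate the brute force search space (in bits) for a password, assuming
    the attacker knows its length and which character classes it draws from.

    This is alphabet_size ** length expressed as log2. It shows the effect of
    mixing classes; it says nothing about dictionary words or password reuse,
    which a complexity policy alone cannot catch.
    """
    alphabet = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            alphabet += len(chars)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for candidate in ("password", "Short1!", "Pa$sw0rd"):
        problems = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {problems}; ~{keyspace_bits(candidate):.1f} bits")
```

An eight-character all-lowercase password has a search space of about 37.6 bits (26^8); the same length drawn from all four classes is about 52.4 bits (94^8), which is roughly 30,000 times more combinations for a brute force program to try.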
3. Set screen savers to lock PC and require a password after 15 minutes of inactivity
Adjusting the security settings on workstations is quick and easy. This safeguard is a great automated action that covers you if you forget to lock your PC or Mac, or don’t get a chance to before stepping away. Manually locking your workstation when you step away should still be part of your process; the screen saver lock is secondary protection.
4. Shut down PCs every night
Some situations call for keeping machines on at night. But quite simply, a machine that is not live on the network is more secure than a live, unattended machine on the network. Unattended machines can be susceptible to attack through holes in software or middleware. So it makes sense to minimize the places an attack could start when that is easy to do. Taking machines offline when the practice is closed, that is, machines that aren’t needed for some critical business process like network backups, is a great habit to include in your process. And any machines that do need to stay on at night of course need to be left in a locked state.
5. Position monitors so they are not facing patient traffic
A lot of healthcare practitioners and staff are aware of the recommendation to position monitors to hide information from non-staff view. I have personally visited many practices and visually surveyed this guideline for myself. In many cases, those who did make an attempt to shield the screens did not have a secure enough position that actually prevented someone from looking onto the screen if they really wanted to. Let me give you an example. At one practice, by standing at the edge of the counter and leaning my body just slightly, I was able to get a visual on the screen and make out most of the wording – and I don’t have perfect vision. So I guess there’s a tip 5.1 — Don’t leave the front desk unattended if you can help it. I was able to see the screen at that one practice because no one was at the front desk. This also goes for any exam room PCs: do not leave them unattended. An exam room PC should be manually locked when a doctor or staff member is finished with it, and certainly before stepping out of the room. Those machines can also be set up to auto-lock with the screen saver after a period of inactivity, as we discussed in #3.
6. Avoid putting any PHI/ePHI on laptops and other removable devices
In line with the pattern you may have noticed, not putting any protected health information on devices that leave the office is the most secure option. But being able to transfer and store PHI and conversation data on laptops and other removable devices is becoming a necessity as part of providing the best patient care and staying competitive in your market. For this you need to use secure software that encrypts the data both before it travels across the Internet and while it sits on a client endpoint like a laptop, mobile device, or tablet. If the data is not encrypted before it leaves your firewall, essentially your organization’s gatekeeper, it could be read if intercepted in transit. On the other hand, even if your email or file is stolen or doesn’t make it to its intended recipient, encryption prevents it from being read. This also helps if the device is lost or stolen. A good chunk of breaches occur when someone loses a laptop or phone. Keeping PHI and ePHI off those devices eliminates that threat.
7. Limit what internet sites you visit on practice PCs
Established websites like the major commerce and search engine sites and reputable businesses are less likely to cause any security issues. Entertainment websites have a higher likelihood of containing adware or malware that can be downloaded through website cookies, or that you download yourself by clicking links unaware of the danger behind them. The best advice is to keep surfing at work to a minimum, or avoid it entirely. A good rule of thumb: if it isn’t a business related site, don’t visit it.
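The "if it isn't a business related site, don't visit it" rule, written as a small allowlist check of the kind a practice might put behind a browser or proxy filter. This is an added example and not code from the original post; the allowlist domains are constructed placeholders (the ".example" names are reserved for documentation and resolve to nothing), not a recommendation of particular sites. The point worth seeing in code is that the match must be on whole DNS labels: a naive "does the URL contain hhs.gov" check would wave through a lookalike such as hhs.gov.evil.example.

```python
"""Added example (not from the original post): an allowlist check for practice
workstations that implements "if it isn't a business-related site, don't visit
it". The allowlist entries are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed allowlist of domains the practice has decided are business
# related. A bare domain also covers its subdomains (portal.ehr-vendor.example).
BUSINESS_ALLOWLIST = {
    "ehr-vendor.example",
    "clearinghouse.example",
    "hhs.gov",
}


def host_of(url):
    """Extract the lowercase hostname, tolerating URLs typed without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    # Drop a trailing dot (fully qualified form) so "hhs.gov." matches "hhs.gov".
    return host.lower().rstrip(".")


def is_allowed(url, allowlist=BUSINESS_ALLOWLIST):
    """True only when the URL's host is an allowlisted domain or a subdomain of one.

    Matching is on whole DNS labels, so "hhs.gov.evil.example" and
    "notreallyhhs.gov" are both rejected even though they contain "hhs.gov".
    """
    host = host_of(url)
    if not host:
        return False
    for domain in allowlist:
        if host == domain or host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    for candidate in (
        "https://portal.ehr-vendor.example/login",
        "www.hhs.gov",
        "http://hhs.gov.evil.example/",        # lookalike: must be blocked
        "https://notreallyhhs.gov/",           # substring match trap
        "https://video-streaming.example/",    # not business related
    ):
        print(f"{'ALLOW' if is_allowed(candidate) else 'BLOCK'}  {candidate}")
```

The allowlist approach is deliberately restrictive: anything not on the list is blocked, which matches the rule of thumb in the text better than trying to enumerate every bad site.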
8. Don’t allow personal devices like phones on the practice network
Security risk increases with the number of devices connected to the network, and connecting personal devices introduces too many unknowns to keep it secure without a tremendous amount of overhead. When you don’t have administrative control over a device, it shouldn’t be on your network. If you want to offer Wi-Fi to patients, set it up as an island that is isolated from your other network devices, just a way for people to get out to the Internet.
9. Have staff accompany patients/visitors throughout the visit
Another guideline that I see practices fall short on, time and time again, is making sure patients and visitors are accompanied throughout the visit. As a patient, the time this most often happens to me is when the visit is over and I return to the front desk to finalize anything, schedule a follow up, or leave. When I exit the patient room and no one is with me, I can decide where I want to go in the office. We are comfortable in our own offices and have a feeling of trust amongst those we work with. And that feeling of trust passes to the patients, especially since we know most of the ones that come through the doors. But this isn’t about how you feel or which patients you do or don’t know. This is about using the correct processes to make sure you are absolutely doing all you can to be safe and respectful of the responsibility bestowed through the HIPAA rules that we all have to adhere to.
10. Keep an accurate and exclusive list of who has key/code access to your facility
In a breach situation, one of the first pieces of information you’ll want for investigative purposes is exactly who is granted facility access, in what capacity and in what roles. The more detail you can provide here in documentation, the better. Keeping that list exclusive also limits the chances of unwanted access.