Protecting your practice management software
Protecting your software against a data breach is essential not only for your patients but also for your practice.
The first thing to remember is that protecting the software is not just the job of your IT department, nor a matter of occasional oversight. Protecting information is the responsibility of every employee.
Today's use of mobile devices in healthcare environments does increase the risk of protected health information going where it shouldn't. We've heard it all before: lost phone, missing laptop, use of mobile devices to deal with practice management tasks without proper encryption, antivirus, or malware protection.
Take proactive steps to protect your data - and your practice
To reduce the risk, educate and train your employees regarding protection of sensitive patient data. In addition to training employees about the importance of adhering to HIPAA regulations and data security, develop a strategy with your HR department regarding policies and procedures for accessing, viewing, and storing data on numerous devices.
Today's healthcare environment is demanding interoperability, but with that come new challenges in protecting patient care data. Vigilance is key. So too are the following practices:
Conduct periodic assessments. When did your practice last conduct a risk assessment and identify areas of risk, not only through internal auditing of your practice management but also through a third-party resource?
Stay up-to-date with security software patches or updates. It may take time to do this, but it's time well spent. Develop protocols and practices regarding guidance, responsibility, and documentation to ensure that such practices are followed.
Protect all mobile devices. Every mobile device used by the practice should be assessed for authentication and have access control enabled. Every laptop and desktop device should be password protected, and so too should handheld mobile devices whenever possible.
Any mobile device used to transfer or access protected health information data should be encrypted.
Set guidelines and policies (and enforce them) defining the use of or the removal of mobile devices from the practice environment. Every staff member must be educated regarding mobile device use and agree to follow mobile device policies and procedures. Mobile devices used within the practice environment should be configured to prevent unauthorized access.
Any authorized mobile device that connects to an EHR or practice management software system must also be encrypted.
Do not allow transmission of unencrypted health information across a public network, including Wi-Fi or the internet.
Bottom line: it's not enough to encrypt data. Encryption is a front-line defense, but it's not the last step when it comes to protecting your practice management software against breaches. Cybersecurity relies on human interaction and proactive practices and behaviors just as much as it does on your IT system.