As pediatric practices continue to adapt and evolve to meet patients’ needs and desires for online connection nearly everywhere they go, one constant remains: data is one of a medical practice’s most valuable assets, and it must be protected. Luckily, there are steps practices can take straight away to make logging on, working remotely, connecting with patients, and sharing information both easier and more secure.
The Basics of Cybersecurity
Under HIPAA, protected health information (PHI) is limited to authorized access, which means that certain data your practice stores is protected by federal law. According to the Department of Health & Human Services, “Each covered entity [pediatrician’s office] must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.”
Practices found non-compliant with HIPAA regulations, including appropriate and reasonable data security, can find themselves facing fines of $100 to $50,000 or more. Protecting patient and practice data is also an implicit but fundamental part of the services that medical professionals offer in order to protect families’ privacy, health outcomes, and trust in their healthcare teams.
Some of the most common cybersecurity risks for a pediatrician may surprise you. They include:
- Email phishing and other social hacking or social engineering tricks
- Insider accidental or intentional data loss
- Equipment loss or theft
- Attacks on medical devices
- Weak passwords
Remember -- a security threat may very well begin with a simple user error by any physician, manager, colleague, or part-time employee. While your staff should undergo annual HIPAA training in order to adhere to its requirements, training in cybersecurity expands these protections to the tools an office uses every day, including email and document exchange. With sufficient training in both HIPAA safety and cybersecurity precautions, a pediatric practice can build a line of defense against even the most inadvertent cybersecurity errors.
Strategies to Protect Your Practice: Phishing, Data Loss, and More
According to the National Rural Health Resource Center, small healthcare organizations such as pediatric offices can be significantly disrupted by cybersecurity risks, both in performing day-to-day operations and in harm to the practice’s reputation. Many pediatricians hire IT support on an as-needed basis, which offers only limited coverage, and many find even that support difficult to access for financial or logistical reasons. For all pediatricians, a significant breach could cause long-term impacts on patient care, financial stability, and reputation. There are, however, solutions for practices of every size to remain secure and protected.
Whether your practice has in-house IT support or relies on contracted support as needed, the burden of risk often falls on the individual user to take informed precautions when using, sharing, and accessing data. Covered entities, including pediatric offices, need a designated security officer and privacy officer as part of their HIPAA security audit. Here are five security areas practices can review to best protect their data and patients. Different solutions will of course be appropriate for each individual practice. PCC clients can always contact PCC Support for assistance in choosing products and selecting systems that work for their needs.
Email phishing is a technique in which criminals send messages disguised as benign business emails to deliver malware that could harm, access, or lock your data. Phishing also includes gathering information about individuals or businesses to be used in a subsequent attack. You may hear phishing schemes described as “social engineering” or “social hacking” attacks; these terms all refer to the same principle: manipulative or deceitful attempts to prompt an action, such as downloading a file, that would result in negative consequences for your business. Whether or not you contact families via email, most offices use some sort of email system to communicate with employees, colleagues, and business associates.
According to the NRHR’s Practices for Small HCOs, important measures for your practice include these fundamental precautions:
- Email system configuration. Spam and antivirus software can prevent some spam emails, and practices such as checking email addresses from external senders can help keep email secure.
- Education. Anti-phishing training for employees can help your office catch malicious links, PDFs, messages, and even emails that appear to be from trusted sources but are forgeries. Even small annual reminders and free training, such as this quiz from Google, can help employees to remain vigilant about identifying and avoiding phishing attempts.
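The “checking email addresses from external senders” precaution above can be partly automated. The following Python script is an added example and not code from PCC or the NRHR: it flags messages whose sender domain is not the practice’s own, whose display name impersonates a staff member, or whose Reply-To differs from the From address. The practice domain, staff names, and sample messages are all constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed values for this example: the practice's own mail domain
# and the display names of staff whose names attackers might imitate.
PRACTICE_DOMAIN = "example-pediatrics.invalid"
STAFF_NAMES = {"Jane Smith MD", "Office Manager"}


def check_external_sender(raw_message: str) -> list[str]:
    """Return a list of warnings for a raw RFC 822 message (empty if clean)."""
    msg = email.message_from_string(raw_message)
    warnings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Exact match only: a look-alike domain such as "practice-billing" is external.
    if domain != PRACTICE_DOMAIN:
        warnings.append(f"external sender: {addr or '<missing From>'}")
        # A staff name on an outside address is a classic impersonation sign.
        if display_name.strip() in STAFF_NAMES:
            warnings.append(
                f"display name '{display_name}' matches staff but address is external"
            )

    # Replies silently routed to a different mailbox are another warning sign.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")

    return warnings


# Constructed sample messages (not real mail).
INTERNAL_MSG = (
    "From: Jane Smith MD <jsmith@example-pediatrics.invalid>\n"
    "Subject: Schedule\n\nSee you at the 9am huddle.\n"
)
LOOKALIKE_MSG = (
    "From: Jane Smith MD <jsmith@example-pediatrics-billing.invalid>\n"
    "Reply-To: payments@other.invalid\n"
    "Subject: Urgent invoice\n\nPlease open the attachment.\n"
)

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL_MSG), ("look-alike", LOOKALIKE_MSG)):
        print(name, check_external_sender(raw) or ["ok"])
```

A mail server or gateway can use the same checks to prepend an “[External]” tag to the subject line so staff notice outside senders before acting on a message.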
Endpoints are the devices connected to your practice’s network, such as laptops, printers, faxes, mobile devices, and scanners. Protecting your endpoints protects your practice from vulnerabilities hackers may exploit. Here’s what to review:
- System Admins. Not every user should be using desktops or laptops as an administrator. PCC EHR users, don’t forget that you can also restrict access to reports and user roles to make sure only authorized users can access them. To install PCC, you must be an administrator.
- Keep your devices updated. Sometimes patches and updates can be inconvenient, but they’re crucial to protect your devices. You can set desktops and laptops to update overnight to be ready to log in in the morning.
- Keep your EHR data safe. Your contract with your EHR provider should include agreements that data is encrypted. PCC servers employ full-disk encryption, and all data backups, both locally and in the cloud, are also encrypted.
- Manual security practices. Locking rooms where sensitive devices like desktops or servers are kept and using anti-theft cables can be practical to keep devices secure. (This step is required by HIPAA.)
Human error is a common but important risk for any security system. Keep your practice safe by implementing the following precautions to mitigate the risks posed by the individuals using your network and data.
- Each user should have a unique email account, system account, username, and password. This information should never be shared, and accounts for inactive users should be deactivated or removed by the administrator.
- PCC’s Lewis Holcroft of the Technical Solutions Team recommends a simple way to keep passwords complex (and much harder to guess): turn simple passwords into “passphrases”. For example, “Apple2” would become “Docs like apples!2”.
- If you must use shared accounts for a system or device, limit it where you can. If you share a desktop, for example, remind colleagues they must log out after they’re done, or lock the device when they leave the desk.
- Schedule a periodic review to make sure that only people that should be accessing your EHR, email, and network are able to do so.
- Personal mobile devices may not be as secure, and legally, your practice is not allowed to demand information from an employee-owned device, even if they are performing work-related tasks on it. Therefore, restrict the use of mobile devices for storing data or email, sharing patient information, and even connecting to WiFi networks (guest WiFi networks keep guests and employees’ data separate from practice-related information on a private, encrypted network). Mobile devices must be encrypted and PHI should never be stored on a mobile device. Theft of mobile devices is the number one vector for data breaches.
A pediatric office is focused on many tasks in a given day, so as important as it is to keep your digital systems and data secure, it is understandable if it doesn’t occur to you very often. This is where regular risk assessments and policies come in -- they set the boundaries for where your systems are secure and how users can access them, keeping the practice safe without undue worry.
Risk assessments such as the Security Risk Assessment Tool from the Office of the National Coordinator for Health Information Technology (ONC), developed in collaboration with the HHS Office for Civil Rights (OCR), are designed specifically for smaller healthcare organizations like pediatric practices. The tool was built to help practices adhere to the HIPAA requirement to perform a risk assessment. This means that annual HIPAA training is the perfect time to consider cybersecurity as well as protecting PHI.
Creating Security Policies
Successfully completing a risk assessment can help you see where your practice defenses could be stronger, and/or help you put in place policies that help you and your staff remain accountable and have clear guidelines on what is and is not appropriate data use.
How should you go about adding policies to your employee handbook, and what should you include? In a previous post, HR expert Michelle Richards explained that policies should be recorded in a print or digital format and available to all employees, updated annually, and should be written by managing partners with their organization in mind, not copied from other sources.
Some important policies to consider might be: acceptable use for business devices, password guidelines, disaster recovery, and remote access instructions. You can find information on disaster recovery in a previous post, as well as a guide to managing remote workers. PCC clients can learn how to connect securely from home here.
These are just a few areas to review to assess whether your practice is taking the necessary precautions to keep your data and patients’ information safe and protected. What do you think -- are you a security-whiz or do you need to brush up on a few items? If you want to perform a more thorough review of your practice’s security measures, be sure to visit PCC’s Top Ten Data Security Best Practices for a Small Pediatric Practice.
Peace of mind pays for itself. When you want expert advice, you might consult with an IT or technology advisor, such as PCC’s Technical Solutions or Support Team, or with a trusted vendor such as the Coker Group. Pediatricians care about their patients and their data, and protecting it needn’t be a daily worry, especially when you know that you’re prepared on every side. To learn more about how to keep your practice safe, don't miss Melissa Maldonado's course, available online as part of PCC's 2020 Users' Conference.