As pediatric practices continue to adapt and evolve to meet patients’ needs and desires for online connection nearly everywhere they go, one constant remains: data is one of a medical practice’s most valuable assets, and it must be protected. Luckily, there are steps practices can take straight away to make logging on, working remotely, connecting with patients, and sharing information both easier and more secure.
Under HIPAA, access to protected health information (PHI) is limited to authorized users, which means that certain data your practice stores is protected by federal law. According to the Department of Health & Human Services, “Each covered entity [pediatrician’s office] must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.”
Practices found non-compliant with HIPAA regulations, including appropriate and reasonable data security, can find themselves facing fines of $100 to $50,000 or more. Protecting patient and practice data is also an implicit but fundamental part of the services that medical professionals offer in order to protect families’ privacy, health outcomes, and trust in their healthcare teams.
Some of the most common cybersecurity risks for a pediatric practice may surprise you. They include:
Remember -- a security threat may very well begin with a simple user error by any physician, manager, colleague, or part-time employee. While your staff should undergo annual HIPAA training in order to adhere to its requirements, training in cybersecurity expands these protections to the tools an office uses every day, including email and document exchange. With sufficient training in both HIPAA safety and cybersecurity precautions, a pediatric practice can build a line of defense against even the most inadvertent cybersecurity errors.
According to the National Rural Health Resource Center, small healthcare organizations such as pediatric offices can be significantly disrupted by cybersecurity risks, both in performing day-to-day operations and in harm to the practice’s reputation. Many pediatricians hire IT support on an as-needed basis, which offers only limited coverage, and many may also find this support difficult to access for financial or logistical reasons. For all pediatricians, a significant breach could cause long-term impacts on patient care, financial stability, and reputation. There are, however, solutions for practices of every size to remain secure and protected.
Whether your practice has in-house IT support or relies on contracted support as needed, the burden of risk often falls on the individual user to take informed precautions when using, sharing, and accessing data. Covered entities, including pediatric offices, need a designated security officer and privacy officer as part of their HIPAA security audit. Here are five security areas practices can review to best protect their data and patients. Different solutions will of course be appropriate for each individual practice. PCC clients can always contact PCC Support for assistance in choosing products and selecting systems that work for their needs.
Email phishing is a technique in which criminals deliver malware that could harm, access, or lock your data, disguised as benign business emails. Phishing also includes gathering information about individuals or businesses to be used in a subsequent attack. You may hear of phishing schemes as “social engineering” or “social hacking” attacks; these terms all refer to the same principle: manipulative or deceitful attempts to prompt an action, such as downloading a file, that would result in negative consequences for your business. Whether or not you contact families via email, most offices use some sort of email system to communicate with employees, colleagues, and business associates.
According to the NRHR’s Practices for Small HCOs, important measures for your practice include these fundamental precautions:
Endpoints are the devices connected to your practice’s network, such as laptops, printers, fax machines, mobile devices, and scanners. Protecting your endpoints protects your practice from vulnerabilities that attackers may exploit. Here’s what to review:
Human error is a common but important risk for any security system. Keep your practice safe by implementing the following precautions to mitigate the risks posed by the individuals using your network and data.
A pediatric office is focused on many tasks in a given day, so as important as it is to keep your digital systems and data secure, it is understandable if it doesn’t occur to you very often. This is where regular risk assessments and policies come in -- they set the boundaries for where your systems are secure and how users can access them, keeping the practice safe without undue worry.
Risk assessments such as the Security Risk Assessment Tool from the Office of the National Coordinator for Health Information Technology (ONC), developed in collaboration with the HHS Office for Civil Rights (OCR), are designed specifically for smaller healthcare organizations like pediatric practices. The tool was built to help practices adhere to the HIPAA requirement to perform a risk assessment. This means that annual HIPAA training is the perfect time to consider cybersecurity as well as protecting PHI.
Successfully completing a risk assessment can help you see where your practice’s defenses could be stronger, and can help you put in place policies that keep you and your staff accountable and give clear guidelines on what is and is not appropriate data use.
How should you go about adding policies to your employee handbook, and what should you include? In a previous post, HR expert Michelle Richards explained that policies should be recorded in a print or digital format and available to all employees, updated annually, and should be written by managing partners with their organization in mind, not copied from other sources.
Some important policies to consider might be: acceptable use for business devices, password guidelines, disaster recovery, and remote access instructions. You can find information on disaster recovery in a previous post, as well as a guide to managing remote workers. PCC clients can learn how to connect securely from home here.
These are just a few areas to review to assess whether your practice is taking the necessary precautions to keep your data and patients’ information safe and protected. What do you think -- are you a security-whiz or do you need to brush up on a few items? If you want to perform a more thorough review of your practice’s security measures, be sure to visit PCC’s Top Ten Data Security Best Practices for a Small Pediatric Practice.
Peace of mind pays for itself. When you want expert advice, you might consult with an IT or technology advisor, such as PCC’s Technical Solutions or Support Team, or with a trusted vendor such as the Coker Group. Pediatricians care about their patients and their data, and protecting it needn’t be a daily worry, especially when you know that you’re prepared on every side. To learn more about how to keep your practice safe, don't miss Melissa Maldonado's course, available online as part of PCC's 2020 Users' Conference.