10 Common Medical Practice Security Mistakes

While the entire medical community focuses on EMR software implementation to meet Meaningful Use requirements, a darker side of Meaningful Use threatens to play a larger role than your software.

Tucked away in Subtitle D of the HITECH Act (passed in 2009 as part of the federal stimulus) are significant changes to the potential liability of anyone who handles protected health information (PHI). Specifically, medical practices, their owners and their employees can be fined and imprisoned for HIPAA violations. Fines to practices and others can now reach $1.5 million. And to show how seriously the government takes this, it increased the 2011 budget of the enforcement arm of the Department of Health and Human Services (HHS) by several million dollars, specifically for enforcement personnel.

Still not enough to get your attention?

Consider that at least one physician (a cardiologist) and a number of other medical staff workers have been imprisoned for security violations since these laws passed. What constitutes a security violation? It can be as subtle as an overheard conversation or an errant fax. With patients now able to request detailed access reports on their medical records, these laws raise patient awareness and add yet another significant liability to your practice. Without question, becoming HIPAA compliant is more critical than ever, but meeting all of the requirements can be a daunting task. There are several steps, however, that you can take now to raise your level of security.

We queried the staff at Acentec, Inc., to compile a list of the most common security issues they encounter. Acentec, an Irvine, CA-based provider of technology services to medical practices nationwide, has a unique vantage point into how practices treat their PHI. Below is the list they created, grouped by category.

The first category involves employee- and staff-related behaviors and practices. These problems can typically be corrected with training and greater awareness.

Category 1 - Employee Related Issues

1. Sharing of usernames and passwords – Usually done for convenience, but the personal liability employees now face should motivate them to stop. A shared login also destroys the audit trail: when a patient requests an access report, the system cannot show who actually viewed the record.
2. Not logging out before leaving a workstation – Again primarily a matter of convenience, but an unattended workstation with access to PHI is a clear HIPAA violation. Configure workstations to lock automatically after a short period of inactivity so that a forgotten logout does not leave records open.
3. Passwords are too easy – In most cases weak passwords can be prevented in the EMR as well as in the operating system, but if password rules aren't enforced there, most users revert to short, simple passwords that are easily guessed or cracked. Set a minimum length and complexity in the operating system's password policy rather than relying on encouragement; at the very least, passwords should mix upper- and lower-case letters with numbers.
4. Discussing clinical conditions within earshot of others – Leaving the patient's name out of the conversation does not prevent this from being a potential violation. Take care when conversing with co-workers about a patient's condition in walkways and hallways, for example.

The second category addresses the technical issues we encounter. Identifying and correcting these problems may require outside expertise, but there are certain things you can do that do not require technical skills.

Category 2 – Technical Related Issues

5. Inadequate firewalls – In most cases, firewalls designed for home use do not meet the security and configuration requirements HIPAA calls for: they typically lack granular rules, logging of blocked and allowed traffic, and timely vendor patches.
6. Improperly configured firewalls – Simply having a firewall doesn't guarantee it's configured securely. The rules should deny inbound connections by default and open only the ports the practice actually needs, and the firewall's own management interface should not be reachable from the internet. Managing traffic appropriately at the firewall level is essential to keeping your electronic patient records safe.
7. Lack of intrusion prevention – A firewall decides by address and port; an intrusion prevention device or software inspects the content of the traffic it lets through and uses a regularly updated database of attack signatures to block known attacks from the outside world. Like antivirus, it is only as good as its last signature update.
8. No antivirus, or expired antivirus – Keeping your antivirus definitions up to date is as important as having antivirus in the first place. The easiest way to manage the antivirus software in your practice is to use a centrally managed solution. Popular programs like AVG include network-manageable antivirus software.
9. Weak wireless encryption – In most cases, gaining wireless access to your network is the equivalent of giving a hacker a seat in front of your server. WEP has been broken for years: its key can be recovered from a few minutes of captured traffic, so it offers no real protection. Older wireless devices that only support WEP should be replaced with devices that support WPA2 using the Advanced Encryption Standard (AES, also shown as CCMP), and the older TKIP cipher should be avoided as well. Although any encryption is better than nothing, if you are not using AES you may not meet HIPAA standards for PHI.
10. Software patches not being installed – Microsoft issues software updates on the second Tuesday of each month (known as Patch Tuesday). Critical updates may be released at any time. Many of these updates are security related, and not keeping your server and your workstations up to date unnecessarily exposes your entire network. Although most programs can be configured to download and install updates automatically, we recommend automatic download with manual installation of the updates, at least on your server.
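As an added example (written for this article, not part of the original and not Acentec's tooling), the PowerShell script below reads one Windows machine's settings for items 2, 3, 5/6, 8, 9 and 10 and reports anything that falls short, without changing anything. It assumes Windows 8 / Server 2012 or later with PowerShell 5, an English-language build (the secedit and netsh output is parsed as text) and an elevated prompt. The thresholds (8-character minimum, 15-minute lock, 45 days since the last update) and the decoding of the undocumented Security Center productState value are the author's assumptions, not HIPAA requirements.

```powershell
# Added example for this article, not Acentec's tooling: a read-only self-audit of one
# Windows machine against items 2, 3, 5/6, 8, 9 and 10 above. Run from an elevated prompt.
# Assumptions: Windows 8 / Server 2012 or later, PowerShell 5, English-language build
# (secedit and netsh output are parsed as text). Thresholds are the author's, not HIPAA's.

$findings = New-Object 'System.Collections.Generic.List[string]'
function Flag([string]$Item, [string]$Message) { $findings.Add("Item ${Item}: $Message") }

# Return the first capture group of $Pattern found in $Lines, or '' if nothing matches.
function Grab([string[]]$Lines, [string]$Pattern) {
    foreach ($l in $Lines) { if ($l -match $Pattern) { return $matches[1].Trim() } }
    return ''
}

# Item 3: effective local password policy. secedit exports it as an INI-style file.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = @{}
foreach ($line in (Get-Content $cfg)) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
if ([int]$policy['MinimumPasswordLength'] -lt 8) { Flag 3 "minimum password length is $($policy['MinimumPasswordLength']); require at least 8" }
if ($policy['PasswordComplexity'] -ne '1')       { Flag 3 'password complexity (mixed case, digits) is not enforced by the OS' }
if ([int]$policy['LockoutBadCount'] -eq 0)       { Flag 3 'no lockout after repeated wrong passwords, so guessing is unlimited' }

# Item 2: an unattended workstation should lock itself. These are the current user's settings;
# a group policy under HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop overrides them.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    Flag 2 'screen saver does not lock the workstation; enable "On resume, display logon screen"'
} elseif ([int]$desk.ScreenSaveTimeOut -gt 900) {
    Flag 2 "screen lock waits $($desk.ScreenSaveTimeOut) seconds; 15 minutes or less is typical"
}

# Items 5/6: host firewall enabled on every profile and not explicitly allowing inbound by default.
foreach ($fw in Get-NetFirewallProfile) {
    if ($fw.Enabled -ne 'True')               { Flag 6 "firewall profile '$($fw.Name)' is disabled" }
    if ($fw.DefaultInboundAction -eq 'Allow') { Flag 6 "firewall profile '$($fw.Name)' allows inbound connections by default" }
}

# Item 8: antivirus registered with Security Center (client editions only), running and current.
# productState is undocumented; the bit masks below are the commonly used decoding (an assumption).
try {
    $avs = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop)
    if ($avs.Count -eq 0) { Flag 8 'no antivirus product is registered with Security Center' }
    foreach ($av in $avs) {
        $state = [int]$av.productState
        if (-not ($state -band 0x1000)) { Flag 8 "$($av.displayName) is installed but not running" }
        if ($state -band 0x10)          { Flag 8 "$($av.displayName) definitions are out of date" }
    }
} catch { Flag 8 'Security Center is not available (server edition?); check the antivirus console directly' }

# Item 9: saved Wi-Fi profiles on this machine. WEP or TKIP means the access point itself
# needs replacing; WPA2 with AES (shown by netsh as CCMP) is the floor.
$names = @()
foreach ($line in (netsh wlan show profiles 2>$null)) {
    if ($line -match 'All User Profile\s*:\s*(.+)$') { $names += $matches[1].Trim() }
}
foreach ($name in $names) {
    $detail = netsh wlan show profile "name=$name"
    $auth   = Grab $detail '^\s*Authentication\s*:\s*(.+)$'
    $cipher = Grab $detail '^\s*Cipher\s*:\s*(.+)$'
    if ($auth -match 'WEP|Open|Shared' -or $cipher -match 'WEP|TKIP') {
        Flag 9 "Wi-Fi profile '$name' uses $auth / $cipher; move to WPA2 with CCMP"
    }
}

# Item 10: update settings and the last installed update. AUOptions 3 = download automatically,
# install manually (the server advice above); 4 = install automatically; NoAutoUpdate = 1 is off.
# The policy key wins over the legacy key when both exist.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if (-not $au) { $au = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue }
if ($au.NoAutoUpdate -eq 1 -or $au.AUOptions -in 1,2) { Flag 10 "automatic updates are off or notify-only (AUOptions=$($au.AUOptions))" }
$last = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last -and ((Get-Date) - $last.InstalledOn).Days -gt 45) {
    Flag 10 "last update $($last.HotFixID) was installed $($last.InstalledOn.ToShortDateString()); at least one Patch Tuesday has been missed"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it on each workstation and on the server; a blank result means only that these six checks passed, not that the practice is compliant. The script reads the machine it runs on, so the Wi-Fi check reports the profiles saved on that laptop rather than the access point's configuration, and the antivirus check falls back to a reminder on server editions, where Security Center is not present.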

Sadly, this is far from a comprehensive list. The good news, however, is the bulk of privacy concerns we encounter occur at the human level, and we humans can (at times) be trainable.

This year we will all hear about more fines being levied against medical practices and medical personnel. Taking a few basic steps could prevent you from making that dubious list. So while you focus on the steps necessary to reach Meaningful Use, don’t overlook Subtitle D. Passing a Meaningful Use audit may depend on it.

Jeff Mongelli is the CEO of Acentec, Inc., a healthcare technology company that provides products and services to medical practices nationwide.

More information on HIPAA Compliance can be found at http://www.nist.gov/healthcare/security/hipaasecurity.cfm and http://www.thehipaainstitute.org.