Now that medical practices are joining the rest of the computerized world, they have to deal with such issues as office network security policies. As in most companies with a computer network, the weakest link is usually an employee who, either inadvertently or wittingly, commits one of these mistakes:
- Trusting outsiders too much – security experts have a name for this: social engineering, where people are manipulated into divulging sensitive information such as passwords or security procedures. It is one of the most common ways intruders get into computer systems, because talking a person out of a password is far easier than defeating the technology. A related mistake is employees sharing passwords with each other to save time or cover their tracks, or out of sheer ignorance. Once several people use one login, the practice can no longer tell who did what in the EMR system, which undermines the integrity of the medical record and its audit trail, both of which are critical when defending a malpractice suit.
- Leaving an unattended computer or terminal unlocked – besides potentially violating HIPAA requirements, an unlocked terminal gives access to patient information to employees who are not authorized to see it or, worse yet, to non-employees. The practice is then left doing damage control after the information has reached the wrong hands, and HIPAA violations can carry hefty fines. Workstations should be configured to lock automatically after a short period of inactivity rather than relying on staff to remember to lock them.
- Not changing a password periodically – there should be a password policy in place and employees should adhere to it. Passwords should be complex, including numbers, symbols and mixed-case letters, and long enough that they cannot be guessed or brute-forced. Many practices set passwords to expire automatically, at least monthly; be aware, though, that current NIST guidance (SP 800-63B) discourages forced periodic expiry, since it drives staff toward predictable variations and sticky notes, and recommends instead screening new passwords against lists of known-breached ones, enabling multi-factor authentication, and forcing a change whenever compromise is suspected.
- Keeping passwords or sensitive information on sticky notes – although this should also be covered by the practice’s password policy, I mention it here by itself because it happens so often.
- Downloading inappropriate or unauthorized software – some inadvertently downloaded malware can wreak havoc on an office network, while supposedly “harmless” file-sharing programs can open your network to outside intrusion. This can result in everything from damaged systems and lost data to HIPAA violations if patient information is breached. Ordinary staff accounts should not have the rights to install software in the first place.
- Inappropriate use of practice equipment – this would include such things as viewing pornography, which could also make the practice liable for a sexual harassment lawsuit, or using practice email for personal purposes. There is software that allows you to monitor employees’ internet use, and the practice’s acceptable-use policy should tell employees that such monitoring takes place.
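The password-sharing problem in the first bullet (one login, several people, no way to tell who is who in the EMR) is something a practice can actually look for in its EMR login audit trail. As an added example, not part of the original article and not taken from any EMR vendor, the following Python script flags a user account that is logged in on two workstations at once. A single person can only sit at one terminal, so an overlapping session is either a shared password or a session left unlocked and reused by someone else. The log format (`timestamp,user,workstation,event`) and the sample lines are constructed for the example; a real EMR's audit export will look different and needs its own parser.

```python
"""Flag EMR accounts with overlapping sessions on different workstations.

Added illustration: the audit-log format below is an assumption, and the
sample lines are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit export. Assumed columns:
#   timestamp (ISO 8601), user, workstation, event (LOGIN or LOGOUT)
# jsmith's second login happens while the first session is still open;
# mlee logs out of one exam room before logging in at the next.
SAMPLE_LOG = """\
2024-03-04T08:01:10,jsmith,WS-FRONT1,LOGIN
2024-03-04T08:03:42,jsmith,WS-EXAM2,LOGIN
2024-03-04T08:20:00,jsmith,WS-FRONT1,LOGOUT
2024-03-04T08:45:00,jsmith,WS-EXAM2,LOGOUT
2024-03-04T09:00:00,mlee,WS-EXAM3,LOGIN
2024-03-04T09:30:00,mlee,WS-EXAM3,LOGOUT
2024-03-04T09:31:00,mlee,WS-EXAM4,LOGIN
2024-03-04T10:00:00,mlee,WS-EXAM4,LOGOUT
"""


def parse_log(text):
    """Parse the assumed CSV format into (time, user, host, event) tuples,
    sorted by time so that out-of-order exports are handled correctly."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, host, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host, event))
    events.sort(key=lambda e: e[0])
    return events


def find_concurrent_sessions(events):
    """Return (user, existing_host, new_host, time) for every login that
    occurs while the same user still has an open session elsewhere.

    Sessions that close before the next login (a clinician walking from
    one exam room to the next) are not flagged.
    """
    open_sessions = defaultdict(dict)  # user -> {workstation: login time}
    findings = []
    for ts, user, host, event in events:
        if event == "LOGIN":
            for other_host in open_sessions[user]:
                if other_host != host:
                    findings.append((user, other_host, host, ts))
            open_sessions[user][host] = ts
        elif event == "LOGOUT":
            open_sessions[user].pop(host, None)
    return findings


if __name__ == "__main__":
    for user, host_a, host_b, when in find_concurrent_sessions(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {user}: already logged in on {host_a}, "
              f"new login on {host_b} (shared password or unlocked session?)")
```

Run against a real export, the findings list is a starting point for a conversation with the staff involved, not proof of misconduct on its own: a user who forgot to log out and then moved rooms looks the same as two people sharing an account, which is exactly why the auto-lock timeout from the second bullet matters.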
The good news is that all of these mistakes can and should be avoided. One way to do this is security awareness training, for example with a company such as FraudWatch International, whose security awareness training program can be found at fraudwatchinternational.com/services/security-awareness/. Training of this kind works by sending mock malicious emails to employees; every employee who ‘falls victim’ to the mock attack is redirected to an online training module designed to teach them about the type of threat they just fell for. Tracking the click rate across successive campaigns shows whether the training is actually working.
A physician once asked me whether it was possible to have no internet access at all in his office. While it is possible, it is difficult for a medical practice to operate without internet access, because so much information travels over some kind of internet connection. It is better to have a good written internet policy and proper oversight.