Under Australian law, your practice’s duty of care to patients extends beyond the consulting room: it includes the way you look after their personal health information. Electronic health record security incidents are a real problem for the industry, and it is important to implement reasonable measures to keep patient data, staff and systems safe.
When you think of data and security breaches, what often comes to mind is the malicious actions of criminals trying to hack your systems and steal sensitive information. In practice, however, many breaches arise from other causes, such as internal errors, misconfigured systems and mishandling of information by staff. We’ve compiled simple and actionable ways to help your practice improve electronic health record data privacy by addressing the most common causes of security issues: human error, system errors and information access.
Actionable ways to improve EHR security
1. Train your staff
Know the anatomy of a secure password
They’re the most often overlooked security essential in many practices, yet we use them every day. The good old password of “password” just doesn’t cut it in today’s healthcare landscape, especially when sensitive patient information is on the line.
Best practice is to think of passwords as “passphrases”: a memorable phrase of several unrelated words is far easier to remember than a short string of random characters, and it is longer, which matters more for strength than any single character rule. As a baseline, ensure all passwords:
- Mix uppercase and lowercase letters
- Include special symbols
- Are at least 8 characters long (a passphrase of four or more words will be well beyond this; treat 8 as the floor, not the target)
- Are not reused across systems and are not common or previously breached passwords
Practice management software like Clinic to Cloud also offers the ability to enable two-factor authentication, meaning that in addition to a username and password, users must also enter a one-time code to access patient information. Turn it on for every account that can reach patient records, starting with administrator accounts.
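The bullet rules above are the usual baseline, but on their own they can accept a terrible password and reject a strong one. The following Python sketch is an added example, not code from the original post or from Clinic to Cloud; the denylist, the 50-bit target and the diceware-style word scoring are assumptions chosen to illustrate the point. It shows that “Password1!” satisfies every bullet yet fails because it is a known breached password, while a long lowercase passphrase fails the bullets but is accepted on length.

```python
import math
import re
import string

# Constructed stand-in for a breached-password denylist (real deployments check
# against a corpus such as Have I Been Pwned's, with hundreds of millions of entries).
BREACHED = {"password", "password1", "password1!", "welcome1", "qwerty123", "clinic2024"}

MIN_LENGTH = 8          # the floor from the list above
MIN_BITS = 50           # assumed guessing-entropy target; a policy choice, not a standard
WORDLIST_SIZE = 7776    # diceware-style word list: log2(7776) is about 12.9 bits per random word
PASSPHRASE_RE = re.compile(r"[a-z]+(?:[ -][a-z]+){3,}")   # four or more words, space/hyphen separated


def meets_complexity_rules(pw: str) -> bool:
    """The bullet-point rules: mixed case, a symbol, at least 8 characters."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def estimated_bits(pw: str) -> float:
    """Crude guessing-entropy estimate.

    A passphrase of four or more distinct lowercase words is scored as random
    draws from a word list; anything else is scored per character from the
    size of the character classes it uses. Both are upper bounds for a
    human-chosen secret, which is why the breached-list check exists as well.
    """
    lowered = pw.lower()
    if PASSPHRASE_RE.fullmatch(lowered):
        words = re.split(r"[ -]", lowered)
        if len(set(words)) == len(words):      # "a a a a" gets no passphrase credit
            return len(words) * math.log2(WORDLIST_SIZE)
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33                              # punctuation plus space
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(pw: str) -> dict:
    """Return the verdict a registration or password-change form should act on."""
    reasons = []
    if pw.lower() in BREACHED:
        reasons.append("appears in breached-password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    bits = estimated_bits(pw)
    if bits < MIN_BITS:
        reasons.append(f"only ~{bits:.0f} bits of guessing entropy")
    return {
        "complexity_rules": meets_complexity_rules(pw),
        "bits": round(bits),
        "accepted": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ["Password1!", "Cl1nic!", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {evaluate(candidate)}")
```

The entropy figure is an upper bound for illustration, not something to show users as a guarantee; the control that does the most work in practice is the breached-list check, which in a real deployment should query a large corpus rather than a hand-written set.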
Set up a security breach response plan
Even with the greatest efforts, security breaches unfortunately still happen. When they do, the way your team handles them is crucial: do you have a plan for the worst case scenario?
Set up a security breach response plan for your practice and ensure each team member is trained to follow it. A good plan names a responsible security professional (outsourced or in-house) and an alerting channel so that suspicious activity is reported quickly rather than quietly worked around. A typical procedure follows a “find, localise, lock, assess” approach:
- Finding where the breach originates (which account, device or network source)
- Determining what information was accessed, and for which patients
- Locking down access from that point (disabling the account or device, or blocking the source IP address)
- Assessing the damage and, under the Notifiable Data Breaches scheme in the Privacy Act 1988, notifying the OAIC and affected patients where the breach is likely to result in serious harm
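Find, localise, lock and assess are much faster when the practice software’s audit log can be searched by a script rather than by eye. The Python below is an added illustration, not part of the original article or of any vendor’s product; the log line format, the trusted network range and the thresholds are assumptions, and the log lines are constructed sample data using RFC 5737 documentation addresses. It flags an account pulling records from an unknown address after hours, returns the affected patient records (the input to the assessment and any notification), and produces the IP list to block.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-log sample (not real data). The line format is an assumption;
# the IP ranges are the RFC 5737 documentation blocks. 203.0.113.0/24 plays the
# practice's own network, the other two are unknown external sources.
SAMPLE_LOG = """\
2024-03-04T08:02:11 user=rjones ip=203.0.113.10 action=view_record patient=P10234 result=ok
2024-03-04T08:05:40 user=rjones ip=203.0.113.10 action=view_record patient=P10871 result=ok
2024-03-04T12:17:03 user=mlee ip=203.0.113.22 action=update_record patient=P10234 result=ok
2024-03-04T23:41:09 user=mlee ip=198.51.100.7 action=view_record patient=P10001 result=ok
2024-03-04T23:41:12 user=mlee ip=198.51.100.7 action=view_record patient=P10002 result=ok
2024-03-04T23:41:15 user=mlee ip=198.51.100.7 action=view_record patient=P10003 result=ok
2024-03-04T23:41:19 user=mlee ip=198.51.100.7 action=view_record patient=P10004 result=ok
2024-03-04T23:41:22 user=mlee ip=198.51.100.7 action=export patient=P10005 result=ok
2024-03-04T23:45:00 user=admin ip=192.0.2.55 action=login patient=- result=failed
2024-03-04T23:45:06 user=admin ip=192.0.2.55 action=login patient=- result=failed
"""

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed practice LAN / VPN range
BUSINESS_HOURS = range(7, 20)       # 07:00 to 19:59, practice local time (assumed)
BULK_THRESHOLD = 4                  # distinct records from one user+source before it counts as bulk
FAILED_LOGIN_THRESHOLD = 2

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) result=(?P<result>\S+)$"
)


def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse(log_text: str) -> list:
    """Turn raw audit lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["ip"] = ipaddress.ip_address(ev["ip"])
        events.append(ev)
    return events


def triage(log_text: str) -> dict:
    """Find, localise, lock, assess over one batch of audit lines.

    Returns the source IPs to block, which records each suspicious user+source
    touched (what was exposed), and the reasons each was flagged.
    """
    reasons = defaultdict(set)     # (user, ip) -> why it was flagged
    touched = defaultdict(set)     # (user, ip) -> patient ids accessed
    failed = defaultdict(int)      # (user, ip) -> failed login count
    for ev in parse(log_text):
        key = (ev["user"], str(ev["ip"]))
        if ev["patient"] != "-":
            touched[key].add(ev["patient"])
        if not is_trusted(ev["ip"]):
            reasons[key].add("source outside trusted networks")
        if ev["action"] != "login" and ev["ts"].hour not in BUSINESS_HOURS:
            reasons[key].add("record access outside business hours")
        if ev["action"] == "export":
            reasons[key].add("record export")
        if ev["action"] == "login" and ev["result"] == "failed":
            failed[key] += 1
    for key, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            reasons[key].add(f"{n} failed logins")
    for key, patients in touched.items():
        if len(patients) >= BULK_THRESHOLD:
            reasons[key].add(f"{len(patients)} distinct records touched")
    # Lock: only block sources outside the practice's own network, so a clinician
    # who legitimately worked late is investigated rather than cut off.
    block_ips = sorted({ip for (_, ip) in reasons if not is_trusted(ipaddress.ip_address(ip))})
    return {
        "block_ips": block_ips,
        "exposed_records": {f"{u}@{ip}": sorted(p) for (u, ip), p in touched.items() if (u, ip) in reasons},
        "reasons": {f"{u}@{ip}": sorted(r) for (u, ip), r in reasons.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for source, why in result["reasons"].items():
        print(f"{source}: {', '.join(why)}; records: {result['exposed_records'].get(source, [])}")
    print("block:", result["block_ips"])
```

Blocking the address is a containment step, not the end of the job: the flagged account’s credentials should be reset and its sessions revoked, because the attacker can simply move to another address, and the list of exposed records is what feeds the notification decision.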
Having a dedicated IT professional, team or outsourced provider on call is also essential, no matter how large or small your practice is. The right professionals will familiarise themselves with your systems for faster turnaround during an incident, train your staff for better security, and set up your systems the right way for breach prevention.
2. Restrict information access where possible
Manage information transfer from paper to electronic systems
Where paper and electronic systems are used together, ensure the transfer of information and documents is streamlined and secure. Who handles patient forms and information, and is it the same person each time? Are paper patient documents stored securely and disposed of properly once scanned? Are the desktops and mobile devices that access electronic health records kept patched and running current antivirus software?
Identifying and documenting these processes early makes it easier to write an information access policy with tiers of access for clinicians and staff, so that each role sees only what it needs. In larger practices, practice management software that gives every staff member their own login with role-based permissions lets you apply those tiers without shared accounts, which also keeps the audit trail meaningful when something goes wrong.
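A written access policy only helps if the software enforces it, and it can only be enforced per person when every staff member has their own login. The Python below is an added example rather than code from the original article or from Clinic to Cloud; the roles, record sections and sample patient data are assumptions. It applies a deny-by-default tier table, records every decision against the individual user, and returns the refused attempts for review.

```python
# Assumed role tiers for a practice and the record sections each may touch.
# Anything not listed is denied; there is no default "read everything" role.
ROLE_PERMISSIONS = {
    "reception": {
        "demographics": {"read", "write"},
        "appointments": {"read", "write"},
        "billing": {"read"},
    },
    "nurse": {
        "demographics": {"read"},
        "appointments": {"read"},
        "vitals": {"read", "write"},
        "clinical_notes": {"read"},
    },
    "clinician": {
        "demographics": {"read"},
        "appointments": {"read"},
        "vitals": {"read", "write"},
        "clinical_notes": {"read", "write"},
        "pathology": {"read", "write"},
    },
    "practice_manager": {
        "demographics": {"read", "write"},
        "appointments": {"read", "write"},
        "billing": {"read", "write"},
        "audit_log": {"read"},
    },
}


class AccessDenied(PermissionError):
    pass


def can(role: str, action: str, section: str) -> bool:
    """Deny by default: unknown roles, sections and actions all return False."""
    return action in ROLE_PERMISSIONS.get(role, {}).get(section, set())


class RecordStore:
    """In-memory stand-in for the EHR; every access decision is written to an audit list."""

    def __init__(self, records: dict):
        self._records = records
        self.audit = []     # append-only in a real system

    def _authorise(self, user, role, action, patient_id, section):
        allowed = can(role, action, section)
        self.audit.append({"user": user, "role": role, "action": action,
                           "patient": patient_id, "section": section, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{role} {user!r} may not {action} {section} for {patient_id}")

    def read(self, user, role, patient_id, section):
        self._authorise(user, role, "read", patient_id, section)
        return self._records[patient_id].get(section)

    def write(self, user, role, patient_id, section, value):
        self._authorise(user, role, "write", patient_id, section)
        self._records[patient_id][section] = value


def denied_attempts(store: RecordStore) -> list:
    """What the practice manager should review: every refused access, with who and what."""
    return [e for e in store.audit if not e["allowed"]]


def run_scenario() -> RecordStore:
    """Constructed sample data and a day of accesses, some of which are refused."""
    store = RecordStore({
        "P10234": {"demographics": {"name": "Sample Patient"}, "appointments": ["2024-03-04 09:00"],
                   "clinical_notes": "", "billing": {"outstanding": 0}},
    })
    attempts = [
        ("sara", "reception", "read", "P10234", "appointments", None),
        ("sara", "reception", "read", "P10234", "clinical_notes", None),        # refused
        ("dr_k", "clinician", "write", "P10234", "clinical_notes", "Reviewed bloods; continue current dose."),
        ("dr_k", "clinician", "write", "P10234", "billing", {"outstanding": 0}),  # refused: billing is not clinical
        ("tom", "practice_manager", "read", "P10234", "clinical_notes", None),   # refused
    ]
    for user, role, action, patient, section, value in attempts:
        try:
            if action == "read":
                store.read(user, role, patient, section)
            else:
                store.write(user, role, patient, section, value)
        except AccessDenied as exc:
            print("denied:", exc)
    return store


if __name__ == "__main__":
    s = run_scenario()
    print(f"{len(denied_attempts(s))} refused attempts logged")
```

Real systems layer further checks on top of the role table, such as whether the clinician actually has a treating relationship with the patient and a logged “break glass” path for emergencies; the point here is that the decision is made per user and per section, and is recorded either way.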
3. Secure your systems
Update wireless networks regularly
Much of the work to minimise security breaches is in the setup. Have you set up your router and WiFi correctly? First and foremost, your WiFi needs to use WPA2 or WPA3 encryption with a strong passphrase, and the router’s default administrator password must be changed. There are additional measures you can take:
- Keep the router’s firmware up to date, and disable WPS and remote administration
- Put devices that access patient records on a separate network from guest and personal devices
- Change the WiFi passphrase on a regular basis, and always when a staff member leaves
- Turn off your WiFi at the end of the day if nothing needs it overnight
- Hiding the network name (not broadcasting the SSID) is often suggested, but it offers little protection, since the name is still visible to anyone with basic tools; don’t rely on it in place of the measures above
Encrypt all devices
Encryption is essential for every portable device that holds sensitive information, from laptops and tablets to USB sticks and external hard drives. A lost or stolen device is a serious privacy breach if its storage is not encrypted; with full-disk encryption enabled (BitLocker on Windows, FileVault on macOS, and the built-in encryption on current iOS and Android devices) and a strong passcode, the data on it stays unreadable. Back this up with a strict policy that private patient information is never carried on unencrypted or unmanaged personal devices.
Over to you
Ensuring patient satisfaction, safety and privacy is hard enough, let alone managing the intricacies of running a thriving practice. A lot of blood, sweat and tears go into it, as every medical practitioner will tell you! Make sure you take the steps to secure your practice and make the most of the digital tools available. For any further questions on running a practice and better security, feel free to contact us here.