IT becomes a major practice player
Information technology staff protect eye-care practices from threats both foreign and domestic.
By René Luthe, Senior Editor
In less than 30 years, a category of employee that did not exist in medical practices has become indispensable. Albert Castillo, chief executive officer of San Antonio Eye Center, recalls a simpler time when the only electronic information database was a practice management system. But thanks to the advent of electronic medical records (EMR) and the Internet, information technology (IT) personnel have become practice VIPs, essential to protecting the practice from the many perils lurking in cyber space.
According to Mr. Castillo, most practices outsource their IT work — but don’t let the off-site nature of that work mislead you into thinking their services are not critical. Whether you outsource or have IT employees on staff, they do a lot to protect your practice from both internal and external threats.
INTERNAL THREATS
Don’t lose anything
One major challenge is backing up your system and making sure the backups are adequate, according to Mr. Castillo.
Medical IT consultant Daniel Patterson concurs. “Making sure your data is constantly being backed up at an off-site location is critical. Losing either a small amount of patient data or even worse — your entire database — due to a virus/malware/attack would be crippling to a practice’s survival.”
Mr. Castillo’s practice backs up its data multiple times per day — the result of a hard lesson. The practice used to back up just once daily, but as the complications of constantly integrating EMR piled up, a crash occurred at one site. “You lose a whole day of work as a result, and it takes so long to restore.”
The human element
Guarding against the possibility of disgruntled employees also ranks high on IT personnel’s to-do list. This may include people who were let go or who have a conflict with another employee, says Alan Baker, Information Technology Manager with Oregon Eye Specialists in Eugene. To prevent trouble, his practice uses passwords that are reset every 60 to 90 days, as well as lockout times. A front-desk employee who works 8 to 5 is typically given access only for that time period.
“If that user tries to log on from home, or say after 6, that user is denied access to any systems, even to log on to the work station,” he explains. “We’ve implemented all the standard measures to prohibit those types of inadvertent internal threats that can grow from something simple to a major issue.”
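As an added illustration of the control Mr. Baker describes, a per-account logon window tied to the worker’s shift, here is a short Python routine that holds such windows and flags authentication records that fall outside them. This is example code written for this article, not software from Oregon Eye Specialists or any other practice named here; the account names, hosts, dates and log lines are constructed for the example.

```python
"""Time-of-day logon checks: an added example of shift-based access windows.
Not software from any practice named in the article; all names and log
lines below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
import re
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LogonWindow:
    start: time          # earliest time of day the account may log on
    end: time            # logons at or after this time are denied
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday


# Constructed schedules: a front-desk account limited to 8 to 5 on weekdays,
# and an IT on-call account permitted around the clock.
SCHEDULES: Dict[str, LogonWindow] = {
    "frontdesk1": LogonWindow(time(8, 0), time(17, 0), frozenset(range(0, 5))),
    "it-oncall": LogonWindow(time(0, 0), time(23, 59, 59), frozenset(range(0, 7))),
}


def logon_allowed(user: str, when: datetime, schedules=SCHEDULES) -> bool:
    """True only if the account has a schedule and the attempt falls inside
    its permitted weekday and time window. Unknown accounts (for example a
    former employee) are denied by default."""
    window = schedules.get(user)
    if window is None:
        return False
    return when.weekday() in window.weekdays and window.start <= when.time() < window.end


# Constructed record format: "<ISO timestamp> LOGON user=<u> host=<h> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def flag_off_hours_logons(lines: List[str], schedules=SCHEDULES) -> List[Tuple[str, str, str]]:
    """Parse logon records and return (timestamp, user, host) for every attempt,
    successful or not, made outside the account's window. Failed attempts are
    kept because a denied off-hours logon is exactly what IT wants to review."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a logon record; skip
        when = datetime.fromisoformat(m["ts"])
        if not logon_allowed(m["user"], when, schedules):
            flagged.append((m["ts"], m["user"], m["host"]))
    return flagged


# Constructed sample log. 2014-03-12 is a Wednesday; 2014-03-15 is a Saturday.
SAMPLE_LOG = [
    "2014-03-12T08:05:11 LOGON user=frontdesk1 host=WS-03 result=SUCCESS",
    "2014-03-12T18:42:07 LOGON user=frontdesk1 host=WS-03 result=SUCCESS",
    "2014-03-15T10:15:00 LOGON user=frontdesk1 host=VPN-GW result=FAILURE",
    "2014-03-12T02:30:45 LOGON user=it-oncall host=SRV-01 result=SUCCESS",
    "2014-03-12T09:00:00 LOGON user=exstaff host=WS-07 result=FAILURE",
]

if __name__ == "__main__":
    for ts, user, host in flag_off_hours_logons(SAMPLE_LOG):
        print(f"off-hours logon attempt: {user} on {host} at {ts}")
```

The window’s end is exclusive, so a 5:00 p.m. attempt by the 8-to-5 account is denied, and an account with no schedule at all is denied rather than silently allowed; both choices mirror the deny-by-default posture the quote describes.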
EXTERNAL THREATS
It’s a wired world
Employees are often the weak point in defending against external threats — not out of malice, but out of lack of awareness. Social media sites, cloud servers and USB drives are often fraught with cyber peril. And there’s always the clever hacker.
“You wouldn’t believe how many colleagues I have who randomly get punched by some outside guy calling and saying, ‘Hey, I’m new in IT today; can I get your user name and password,’” says Steve Friedman, chief information officer at Ophthalmic Consultants of Long Island. While he says it doesn’t occur as often in health care as it does in finance, “It is a huge concern when it comes to security — that people can just talk their way into your network.”
Web-filtering software keeps staff from accessing potentially hazardous websites, though Mr. Friedman warns they may find ways to work around it (more on employee cooperation below).
Mr. Baker’s practice offers Wi-Fi for staff who want to access social media or shopping sites. “But they use their own tablets, their own phones,” he says. “That’s the only accessibility available in the building, and it does not go through our standard network; it’s a separate channel.”
Who’s watching?
The threat to patient information in the age of EMR and patient portals is another major concern. A common mistake Mr. Patterson sees is leaving patient data visible, such as when a staff member leaves a computer on. “That could enable an outside person to gain access to the network and steal patient data.”
Having careless staff isn’t the only danger. Practices that have patients check in on an iPad at a kiosk, Mr. Baker points out, must take precautions to keep information secure. “What if someone is looking over the shoulder of that patient who is checking in and sees that person’s social security number, name and phone number and address? That’s all standard, front-end part of the healthcare system with EMR.”
Make staff part of your defense
Not that installing Web-filtering software or timed lockouts is enough to protect your practice’s server. “They’ll find ways to get on the social media sites and the Dropboxes and other high-risk Internet sites and services,” Mr. Friedman warns. Enlisting staff in the practice’s cyber defense is crucial.
Sidebar: To outsource or not to outsource
Mr. Castillo outsourced the IT work for his 14-physician practice, a choice he’s never regretted. “We also started a billing and management company, where we put other practices on our EMR system and we do their billing for them. So I have a total of six practices on our servers.”
He believes the increasing complication of EMR makes outsourcing inevitable. “With the advent of the Affordable Care Act and all of the requirements that are coming down the pike, it makes sense for a third-party company to devise most of your IT support services.”
The advantages of outsourcing include receiving an in-depth analysis of your network’s vulnerabilities and access to many technicians with varying levels of expertise for the same amount of money it would cost a practice to hire maybe four employees. “We pay $200,000 a year for off-site support,” Mr. Castillo says. “I get access to 50 technicians with experience across all levels from one through four. Level one technicians handle small computer issues, level two handles computer and network issues, and level three and four handle server-related issues. You couldn’t hire the experience you would need to have good support internally for that price.”
Should you decide to outsource, Mr. Castillo recommends you keep two things in mind:
1. Check the prospective company’s response times for their clients. Look for a company that has tracking systems so they can show you reports on those times.
2. Iron out what circumstances qualify as an emergency and how quickly they are addressed. “With our current IT company, we have emergency and non-emergency items,” Mr. Castillo explains. “What we have agreed to classify as an emergency item, the company has agreed they will respond to within an hour. A non-emergency item is maybe a computer monitor goes out, and it’s not a computer monitor that is vital to patient care. Those get addressed in the four-hour window.”
Conversely, Mr. Baker says that having on-site IT staff offers distinct advantages. The complexity of EMRs means that having staff onsite to support every aspect of the product is a necessity — unless the particular EMR is hosted, he says, and most are not. Additionally, Mr. Baker says he speaks with practices that have gone the outsource route and found that their requests for service are not answered promptly.
“If you contact the managed services organization and the person who really knows your problem is unavailable because he is on a different project, you have to wait or rely on a second-tier type of technician to come onsite or connect and be able to understand the problem and resolve it,” he says. “And that can be more of a headache and more costly in the end.”
Ophthalmic Consultants of Long Island is starting an annual “IT State of the Union” address to enlist staff in its cyber defense. “We need to tell everyone what’s going on in network security, what our concerns are, what we are working on — they buy into it much more that way,” Mr. Friedman says. “It’s paramount that in an electronic world, staff understand the possible ramifications of thinking, ‘What’s this USB on the floor? I’ll stick it into the computer and find out.’”
It’s actually happened, Mr. Friedman says.
A technician wanted to copy an image from an OCT that was not networked so he could view it on another computer. “He took a USB drive from his pocket that he had with him, inserted it into the computer, uploaded a virus into the computer, then took out the USB drive and inserted it into his work station.” While the IT staff were alerted to the virus, they had to send the device to the manufacturer because the virus so damaged it that all the proprietary software had to be reloaded.
It’s one of the real-life examples Mr. Friedman uses to impress upon staff his vital IT security lessons. In a nutshell, they are: “Don’t bring things from home; don’t stick things in computers. When in doubt, call the IT people. Because these machines are expensive and we rely on them for patient care.” An incident like the example above will take a device out of service for days. “We have to reschedule patients and the doctor is angry.”
Also, Ophthalmic Consultants of Long Island creates staff support by inviting select staff to join its IT Committee. “It’s comprised of the entire IT department, then we pick the more savvy staff from all of the departments and all of our sites,” Mr. Friedman explains. “I tell them all that they are an extension of the IT department.” The IT staff reviews current and upcoming projects and elicits feedback; committee members also get the first look at new technologies. Members then return to their respective departments and fill in their coworkers. “We’ve had a lot of success with that,” says Mr. Friedman. “You want the person in the file room as educated and invested in the protocols as the owners.”
The regulatory hurdles
While government programs such as Meaningful Use (MU) may not exactly qualify as external threats, ensuring the practice is complying with them is a major headache for the IT staff. “From my experience, everyone in the nation is struggling with MU for one reason or another,” Mr. Baker says. A big problem, he believes, is that CMS has not provided the resources and oversight necessary for vendors and practices to get their respective houses in order for the program.
Mr. Friedman agrees. “Those regulations are always changing. It’s a lot of last-minute stuff, so every year we’re adding new electronic processes, new products, new technologies. Then, we have to monitor the workflow throughout the year.” OM