THE DIGITAL PRACTICE
How secure is your office network?
By Peter J. Polack, MD, FACS
As more medical practices move toward EMR and become reliant on electronic technology, digital security becomes increasingly important. But just how much security do you need? Think of it as a risk management exercise — how much risk are you willing to take? Increased security means more cost; less cost means more risk.
Two security experts — Mike Meikle, CEO of Hawkthorne Group and Chris Johnson, CEO of Untangled Solutions — spoke to me about the vulnerabilities of medical practices.
SOFTWARE
Both experts say that practices must be diligent in keeping their software “patching” current — whether on PC or Mac desktops or on mobile devices. Mr. Meikle adds that an IT services company can do that for you (known as managed services). Some EMR software might not be based on the latest operating system, so patching may “break” your environment. And make sure every device has anti-virus protection (yes, even Macs); enterprise-level software helps manage all devices and is more cost-effective.
OUTSIDE THREATS
Mr. Johnson says that firewalls, intrusion detection and prevention systems, and email gateways (for spam protection) are must-have weapons to keep the constant threat of hacking at bay.
INSIDE THREATS
If you have a wireless network in your office, says Mr. Johnson, make sure you have a guest network and that your office network is isolated from it. See to it that your wireless security is properly configured to require device approval and unique user authentication. Patient convenience shouldn’t trump security.
FILE STORAGE APPS
Do you store office files in the “cloud”? Mr. Meikle points out that Dropbox — the most popular storage app — is not HIPAA compliant and has been hacked before. If you are willing to take the risk, he says, at least get an enterprise account since it has better protection than an individual account and employees who leave your practice can’t take the data with them.
MOBILE DEVICES
Mr. Meikle says you should use a mobile device management solution that uses encryption to protect the data on devices if they are stolen. Mobile devices are especially vulnerable if they have been “jail-broken,” which doctors like to do (and which voids their warranty).
DESKTOP DEVICES
Screen locking/timing out after inactivity is a given, says Mr. Johnson. He adds that all employees should log in with unique credentials — not just into the applications they use but also into the machine itself. This ensures a proper audit trail in case problems arise.
PEOPLE PROBLEMS
The most cost-effective way for hackers to get into your data is through your staff. “Phishing” schemes, which use fake mail or email notices, have become very sophisticated. Mr. Meikle says you should periodically review this with your staff and remind them not to open unexpected email attachments.
If you have third-party vendors who can access your data, have them sign a business associate (BA) agreement. Otherwise, you can be responsible if they have a breach, so perform your due diligence.
CREDIT TRANSACTIONS
Last, Mr. Johnson says most businesses that process credit cards don’t know about or ignore the requirements under the Payment Card Industry Data Security Standard (PCI DSS).
An explanation of how to stay in compliance can be found on its website, www.pcisecuritystandards.org.
Peter J. Polack, MD, FACS, is co-managing partner for Ocala Eye, a multi-subspecialty ophthalmology practice located in Ocala, Fla. He is also founder of Emedikon, an online practice resource for physicians and administrators. His email is ppolack@ocalaeye.com.