Malicious threats to your practice’s key data by hackers and virus developers are well known. However, did you know that the biggest threat to your security may come from human error by well-meaning employees?
“A survey we did found that 80 percent of people in public and private sector organizations believed that human error was the major cause of their security breaches,” said Kris Madura, security program manager for the Computer Technology Industry Association, a trade organization representing the computing industry.
In other words, it is more likely that improper access to patient data will result from, say, poorly positioned computer monitors than from a hacker who broke into your system. The good news is that preventing these problems is usually simpler and less expensive than high-tech measures such as firewalls and antivirus software, according to Ms. Madura.
Besides helping you secure your data, implementing these low-tech solutions now will stand you in good stead for meeting the April 2005 deadline for the HIPAA security regulations.[1] (To refresh your memory on HIPAA, the impending security rules, which concern technological and physical measures to safeguard data, complement the privacy regulations, already in force, that establish what types of information need to be kept secure.[2])
Develop a Security Policy
Before implementing any security measures, you must first create a climate in your office in which all security procedures, both low- and high-tech, can succeed. To do that, you need a security policy to which everybody—from physicians to receptionists—must adhere.
The place to start is to appoint a security officer to oversee development and implementation of the security policy. This position is similar to the privacy officer that is required by HIPAA privacy regulations, and can even be filled by the same person. One practical reason to appoint a security officer now is that you’ll eventually need to do so to help your practice comply with HIPAA security regulations.
The next step is to have the security officer lead the process of developing a security policy. This will involve surveying your office with an eye to where security breaches, no matter how small or unintentional, can occur. For instance, can patients see the contents of computer screens from the front desk? Who has access to computers that can access important information? Are passwords taped to the computer monitor?
When a first draft of the policy is completed, distribute it to all employees. After a period of feedback, every employee must be trained about the policy. Ultimately, the goal is for your practice’s security policies to become part of the culture of the workplace.
“A lot of offices now include security in employee agreements, so employees not only have to show up at work but also must help ensure the availability, confidentiality and integrity of data,” said Gary Morse, president of Razorpoint Security Technologies, a consulting firm in New York City. “Security becomes part of their job because it’s that important.”
Treat Passwords Seriously
Perhaps no part of the security policy is more important than a strong policy about passwords, the experts agreed. The password policy must cover how passwords are selected, how often they are changed and how to prevent employees from storing them in obvious places.
“We do a lot of security audits where we’re paid to break into networks and find our clients’ vulnerabilities,” said Mr. Morse. “Even with large companies that spend hundreds of thousands of dollars for firewalls, we can usually get into their systems.”
A leading culprit is poorly enforced password policies, he said. For instance, in many cases, intruders can log on to a network or into specific programs using well-worn default user names and passwords such as “guest.”
At the very least, the policy should prohibit use of obvious passwords such as the user’s street or children’s names. Mr. Morse urged use of passwords that are at least eight characters long, can’t be found in a dictionary and are a combination of upper- and lowercase letters and numbers. While such passwords can be difficult to remember, he offered this tip: “Start with an eight-character dictionary word. Then do upper- and lowercase and number substitutions. If you start with the word ‘kangaroo,’ it can end up being KaN4ero0. That’s a good password that’s relatively easy to remember.”
Next, make sure people don’t write down the passwords and save them on their desks or under their keyboards. And require users to change passwords regularly, such as every few months, Mr. Morse stressed.
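As an added example (not code from the article or from Razorpoint), the following checker turns the password rules above into something a practice could run when accounts are set up: at least eight characters, not a dictionary word or a default account name, a mix of upper- and lowercase letters with a digit, no personal details, and a rotation check. The word lists and the 90-day rotation period are assumptions standing in for “every few months” and for a real dictionary file.

```python
import re
from datetime import date

# Constructed stand-in for the "can't be found in a dictionary" rule; a real
# deployment would load a full lowercase word list from a file.
DICTIONARY = {"kangaroo", "password", "welcome", "summer", "ophthalmology"}

# Default or shared account names intruders try first. "guest" comes from the
# article; the others are constructed additions to the same idea.
OBVIOUS = {"guest", "admin", "administrator", "test", "password"}

MIN_LENGTH = 8
MAX_AGE_DAYS = 90  # assumption: the article says "every few months"


def check_password(candidate, user_words=()):
    """Return a list of policy violations; an empty list means the password passes.

    user_words holds details the policy forbids inside a password, such as the
    user's street or children's names, supplied by the caller.
    """
    problems = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lower in OBVIOUS:
        problems.append("default or commonly tried password")
    if lower in DICTIONARY:
        problems.append("dictionary word")
    for word in user_words:
        if word and word.lower() in lower:
            problems.append("contains personal detail %r" % word)
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs both upper- and lowercase letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs at least one digit")
    return problems


def password_expired(last_changed, today=None):
    """True when the password is older than the rotation period."""
    today = today or date.today()
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # The article's own example passes; its dictionary starting point does not.
    print("KaN4ero0:", check_password("KaN4ero0") or "ok")
    print("kangaroo:", check_password("kangaroo"))
```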
By using sensible passwords and other commonsense solutions (see box), you can heighten security dramatically at very low cost.
[1] For an overview of HIPAA’s security provisions, see the May 2003 Practice Perfect at www.eyenetmagazine.org/archives.
[2] For interactive HIPAA learning modules, order the AAOE’s 2004 HIPAA Compliance CD-ROM. Try a free demo at www.aao.org/hipaacdrom.
7 Simple Solutions
There’s more to securing your practice’s data than firewalls and antivirus software. Fortunately, some of the best security measures are low-tech and inexpensive.
1. Place monitors carefully. Position computers and monitors carefully so that they can be viewed only by those who have permission to do so. For instance, place computers and monitors away from heavily trafficked areas such as hallways and waiting rooms.
2. Install privacy screens. Another way to protect data from prying eyes is to use so-called privacy screens for monitors. Privacy screens require a person to be directly in front of the monitor to view the display and prevent casual but improper access to information. Privacy screens are available for most sizes of monitors and laptops and typically cost between $100 and $200 each.
3. Use screen saver security. Make sure that passwords are required to unlock screen savers. Screen savers blank out a screen after a prespecified period. Using the password capability built into most screen savers, employees can walk away from their desks without worrying that somebody will view their screen.
4. Limit server access. Make sure your server is located in a secure room that can be accessed only by those with permission to do so, Mr. Morse said. He strongly suggested centralizing storage of data on a server instead of storing it on various PCs throughout your office. Individual PCs then access information stored on the server over the network. That’s useful because it is easier to secure one computer, in this case a server, than every computer in your office.
5. Lock your computers. Because theft of computers is expensive and also compromises data, you may want to lock computers, particularly laptops, to desks. Simple and inexpensive cable and lock systems are readily available from office and computer supply stores.
6. Protect mobile devices. PDAs and laptops can be inadvertently left in or stolen from public places such as airline terminals. Require use of passwords to both start mobile devices and load specific programs. You also can buy encryption software that scrambles data unless the proper password is applied. That way, even if somebody steals your computer, the thief can’t access the data.
7. Shred paperwork. While computer printers have made it easy to churn out large quantities of paperwork, your security may be rendered meaningless if those paper files aren’t secure. Ms. Madura urges ophthalmologists and their office managers to use a shredder for printed versions of information that is no longer needed.