By Tom Murphy

Along with the evolution of electronic health records (EHR) comes the potentially expensive reality of data breaches and theft for all medical practices, both large and small. Many physicians and practice administrators still believe their practice is too small to be a target for hackers. Everything we have seen over the past few years involving breaches from large health systems such as Athenahealth and Blue Cross Blue Shield is just as relevant for small practices. All medical practices need to implement the following recommendations to make cybercrime more difficult and provide their practices with a better chance to prevent a breach and the expensive fallout that ensues.

Take data security seriously and implement a practice data security plan. The data security plan should include specific individual(s) directly responsible for implementing and reviewing the data security plan that limits staff access to protected health information and provides protections for HIPAA. The following key steps should be part of any data security plan.

• Hire Only Qualified IT Support – Most small practices do not have the budget for IT, but this is an area that should receive top priority. Trying to protect your systems without a qualified and trusted specialist is too risky.
• Install and Update Anti-Virus Software – The average medical practice communicates electronically with multiple networks every day. One of the many requirements from HIPAA is that you “protect your systems from malicious software.” In addition to installing the anti-virus, anti-malware, anti-spam software, you must continuously update the software when prompted to ensure the most comprehensive protection.
• Provide Staff Training and Education – Staff training should include the following:
  1. Explanation of HIPAA regulations,
  2. Guidelines for the use of practice computers for anything other than work-related items,
  3. Guidelines for the use of mobile devices at home and work,
  4. Procedures for transporting data offsite,
  5. Encryption of all patient data, and
  6. Protocols for departing employees.
• Data Encryption – The single most important thing a practice or individual can do to protect its data is to make sure the data is encrypted. Back up sensitive data. Encrypt and secure all mobile devices.
• Internal Risk Assessments and Security Audits – Require your reputable and trustworthy IT or EHR specialist to review your networks and equipment. Make sure software updates and upgrades are current on all systems and devices.

Medical practices maintain personal and professional data that is actually preferred by cybercriminals due to the premium they can demand for this information from other criminals who are eager to purchase this data. Small, independent physician practices are actually more vulnerable than the large health systems due to the ease with which a cybercriminal can access this unprotected “low-hanging fruit”.

In addition to the aforementioned guidelines, medical practices can use the resources from their physician’s medical professional liability insurance carrier. We strongly recommend that you review your current cyber/privacy insurance coverage, as most policies are inadequate to properly protect a practice from a serious breach. Consult with your agent in order to determine if you need additional protection.