Keeping Your Practice Safe
How to Prevent Hack Attack
By Susanna Donato
Susanna Donato is a writer for Physicians Practice
You've got an alarm on your
door, but are you laying out a welcome mat for electronic villains?
"Hackers are like typical criminals. Some kids
break into a house to prove they can do it; some to vandalize it;
some to steal things; some to get information to blackmail someone,"
explained Randy Meyers, director of network security services for
Ajilon Consulting. "All those kinds of criminals also exist
in cyberspace. They're all the same motivations as for conventional
crimes."
Security breaches can wreak havoc on a practice,
whether from hacking — defined as unwanted electronic external
intrusion or tampering — or misuse of information from within
a practice.
Understand your risks
At the simplest level, any contact with the outside world can be
a security risk. A modem, even if it is used solely for vendors
to dial in for software upgrades, is a risk. A fax to an emergency
room can be intercepted if the information is not encrypted. Medical
transcription backed up to CD is vulnerable to unauthorized access
if it's stored in someone's home office.
First, don't panic about hackers invading your computer
system. Unlike banks or corporations, physician practices, hospitals
and other medical facilities are at relatively low risk for information
theft.
"Except for the obvious need to be confidential
with medical records, the threat of people stealing information
is relatively low," said Howard Haft, M.D., a physician with
Maryland Healthcare Associates in Waldorf, Md.
Nevertheless, it is wise to be cautious, and the
Health Insurance Portability and Accountability Act (HIPAA) demands
it. When it comes to analyzing your practice's risks, HIPAA says
to take a risk-based approach, Meyers pointed out. "The first
things you have to identify are all your vulnerabilities. Say the
lock on the front door could be stronger. Then you must say, (a)
what is the risk that this vulnerability will be exploited and (b)
what’s the risk of impact if it gets exploited?"
The easiest way to determine where your system could
let a hacker in is to hire a consultant who specializes in security
vulnerability assessments. Get referrals from insurers, hospitals
or other physician practices in your area. Make sure the consultant
not only checks your network, but helps prioritize your risks.
Once you've analyzed your risks, lay out a cost and
benefit analysis of addressing those risks. That way, you can budget
for controlling your top-priority risks this year, while your next
tier might wait a year or two.
At a basic level, practices can self-audit their
practice management system, which most likely has a log that shows
who signed on. "Each quarter, look at the sign-ons, who’s
been looking at records, for how long," recommended Rosemarie
Nelson, an independent health care technology consultant based in
Syracuse, N.Y. "How many people access the system? How many
people sign on and sign off? Does it look reasonable? Sometimes
people sign on in the morning, then leave for hours at a time without
signing off." Address with your staff any system use that raises
security eyebrows.
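The quarterly sign-on review Nelson describes can be scripted against whatever access log the practice management system exports. The following is an added example, not code from the article or from any vendor's product; the log format, user names and the ten-hour "reasonable session" threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sign-on log, one event per line: date time user LOGIN|LOGOUT
SAMPLE_LOG = """\
2003-04-01 08:02 jsmith LOGIN
2003-04-01 08:05 rlee LOGIN
2003-04-01 12:10 jsmith LOGOUT
2003-04-01 13:00 jsmith LOGIN
2003-04-01 17:05 jsmith LOGOUT
2003-04-01 20:30 rlee LOGOUT
2003-04-02 07:55 mgarcia LOGIN
"""

# Assumed threshold: a session longer than this deserves a conversation with staff
MAX_SESSION = timedelta(hours=10)

def parse_log(text):
    """Yield (timestamp, user, event) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            date, time, user, event = line.split()
            yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), user, event

def audit_sessions(text, max_session=MAX_SESSION):
    """Pair each LOGIN with that user's next LOGOUT and report what stands out.

    Returns how many distinct users signed on, the sessions longer than
    max_session, and users who signed on but never signed off (a workstation
    possibly left unattended, as Nelson describes)."""
    open_sessions = {}   # user -> time of the LOGIN not yet matched by a LOGOUT
    long_sessions = []   # (user, duration) for sessions over the threshold
    users = set()
    for ts, user, event in parse_log(text):
        users.add(user)
        if event == "LOGIN":
            open_sessions[user] = ts
        elif event == "LOGOUT" and user in open_sessions:
            duration = ts - open_sessions.pop(user)
            if duration > max_session:
                long_sessions.append((user, duration))
    return {
        "user_count": len(users),
        "long_sessions": long_sessions,
        "never_signed_off": sorted(open_sessions),
    }

if __name__ == "__main__":
    print(audit_sessions(SAMPLE_LOG))
```

Run against a real export, the output is the short list to take to staff: who was signed on for an unusual stretch, and who never signed off at all.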
Do-it-yourself protection
"When it comes to security, most practices think about technology,"
said Nelson. "They don't think as much about identifying policies
that become the rules of the road. Practices can overlook common-sense
policies and procedures because…they are focusing on hard
dollars versus soft costs that require an effort more than a purchase."
Every physician practice should have some basic
security processes in place. Take advantage of capabilities already
on your system. First, if you have a Windows operating system, upgrade
to Windows XP, advised Meyers. "XP is the best, most secure
Windows operating system," he said.
Most software — from Windows to practice management
systems — allows each user to establish a unique log-in identifier
and password. Establish passwords for everyone who uses your system,
and make sure employees change their password every 90 days, said
Nelson. You may want to remind employees not to undermine this security
feature by writing passwords down where they can be easily found,
such as in a desk calendar or on a bulletin board.
Also, activate the automated screen-saver feature
on your office PCs. Use the feature that requires a password for
reactivation. As you set up screen savers, don't neglect free-standing,
non-networked PCs, such as a transcription computer or a lab information
workstation. Make sure only employees who must use a certain system
know that system’s password.
Finally, train employees about how to share private
information. If someone calls for test results, establish processes
to check the caller's identity. Meyers advises requiring multiple
factors to identify a caller, "so if someone stole a piece
of mail, he wouldn't have enough information." Or simply make
it policy that no information is released over the phone, he said.
Code-red software
The most crucial software security elements are firewalls and virus
protection. Both of these systems are available in off-the-shelf
or custom packages to fit any size system and can range in price
from a couple hundred dollars to thousands.
A firewall limits access to systems via the Internet
and monitors activity moving in and out of a system.
"You might go so far as to have security in
place that doesn't accept calls, but has a dial-back setting,"
suggested Nelson. "That way, a vendor dialing into your system
doesn't get an immediate connection, but the system turns around
and redials the incoming call to ensure it's legitimate."
Randy Louth, information technology officer for The
Allergy and Asthma Center in Fort Wayne, Ind., sees the greatest
system danger in data corruption from viruses and Trojan horses.
To protect his systems, Louth uses two multi-tiered firewalls,
internally and externally, and he has put in place filters that
screen out questionable e-mail, such as applications and image files.
"Virus software that automatically updates itself
every night or more than once a day is very important," said
Louth.
Between his virus protection software and his
firewalls, Louth filters out 10 viruses a day from the couple thousand
e-mails the practice processes daily, as the staff deals with thousands
of active patients.
Howard Haft agreed. "There's nothing quite so
sad as to come in and find out the whole system is dead [from a
virus]."
Don't forget that even physicians can create inadvertent
risks. "As more physicians use handhelds, we see more risks,"
said Nelson. For example, if a physician syncs his handheld to his
home computer, but the home e-mail doesn't have virus protection
or a firewall, something can infiltrate the handheld from home.
"A common virus can send portions of data out to random people
in an e-mail contact list. From a physician's e-mail, that could
be a portion of someone's clinical information or some procedures
that were done in the office. That's a very real risk in today's
world," Nelson said.
To fight this element of risk, practices might cover
subscriptions to virus programs for home PCs or set a policy, establishing
that handhelds for office use may be synced only with office network
PCs.
Pricing the solutions
Purchasing hardware and software and training staff adds up to the
tune of about $30,000 for a medium-sized practice.
"The original investment is only part of it,"
said Haft. "Systems become obsolete at a disappointing rate;
so, reinvestment is a big part of it."
For most practices, simply determining risks and
evaluating priorities requires investment. A full vulnerability
assessment by a specialized consultant can cost $50,000. To reduce
costs, small to medium practices might team up within a region for
a group rate.
"At the end of the day, the cost to send a couple
of consultants to an area is close to fixed," Meyers explained.
"A consultant could [study] one physician's office with 10
to 12 employees in a couple days; or, he could do three practices
in a region simultaneously. Small practices could get together and
pool their money to engage somebody."
If an audit by a consultant bursts your budgetary
seams, you might consider applying for one of the cyber insurance
programs some insurers offer. For example, if a hacker corrupts
a database, insured businesses could recover the cost of restoring
the data. To determine your security levels and premium, the insurer
assesses a practice’s technology systems. That assessment
can provide "some level of road map on where to go," Meyers
said. "But know that the insurance company's assessment will
be focused on its needs and not on yours."
Whatever you do, do it now. "The biggest mistake
practices make is waiting," Meyers said. "It's your duty
to understand the risks involved in your business. The longer you
wait, the more likely something bad will happen, and 'I don't know'
doesn't work as an excuse."
Preventing Electronic Invasion
- Use what you've got by taking advantage of system passwords and screen savers.
- Train staff to be constantly aware of information security, whether in person, by phone, by fax or by e-mail.
- Guard your system with firewall and virus detection software — for home workers, too.
- Outline your security plan, prioritized by risk level, and keep updating your plan for your internal use and for HIPAA documentation.
This material is provided by Physicians Practice and represents the views and opinions of Physicians Practice and not Humana.