Proactive, rather than reactive, protection of business networks and PHI has not been a priority in medical offices. Healthcare professionals are close to paralyzed by the volume of organizational changes competing for their staff time and budget, and that is the main reason security gets put on the back burner. The fact remains that medical office networks and PCs are more exposed to infection and infiltration now than they have ever been.
A false sense of safety makes the problem worse. Many PC manufacturers now ship computers with a trial version of a consumer anti-virus product installed, and for many users the constant reminders to register that software feel like a free pass to ignore basic preventive maintenance. Most end users, especially in healthcare environments, don’t realize that these consumer-oriented anti-virus programs are temporary trials that soon stop working, and that even while active they are not a fit for the heavy-duty protection a healthcare business environment requires.
What’s worse, recent research by anti-virus firm Kaspersky suggests that end users and business owners drastically underestimate the threat posed by malware and hackers. In a recent survey, respondents largely believed that there were about 4,000,000-6,000,000 new pieces of malware per year. In fact, security researchers identify over 200,000 new malware pieces EACH DAY, over 12 times as many as people believe. So what are some of the biggest IT vulnerabilities in a medical office, and how can you mitigate the risks? Here’s a list.
The number one way malware, viruses and hackers penetrate business networks is by exploiting people rather than technology. This includes employees who download malicious files (knowingly or unknowingly) and those who reuse the same password over and over, across countless sites, including their work-related accounts. The category also covers users and employees with malicious intent who actively go out of their way to hurt your practice.
The best way to curb this problem is a strong security policy and training for every employee on it. Require frequent password changes through your server. Lock down and filter frivolous and unnecessary web browsing and file downloading. And make sure disgruntled employees are identified and segregated before they can do damage to the IT systems. (See “Former Rocky Mountain Spine Clinic employee stole patient information”.)
Small and medium-sized medical practices often save money by relying solely on endpoint protection (anti-virus software) to guard against hackers and malware. That is, they count on infections being dealt with after the malicious code has already reached individual laptops and desktops. Unfortunately, by the time it gets to the end computer, it may already be too late.
Instead, physicians and practice administrators should invest in strong perimeter security that puts a shield between their network and the public Internet. The investment is not nearly as expensive as many medical practices assume, and the protection offered by several layers between you and the web is exponentially better than counting on the reactive nature of PC anti-virus software alone.
Most businesses are still struggling to understand how mobile devices fit into their information security infrastructure. More than any other device, cell phones and tablets straddle the line between purely business and purely personal use, and many employees and physicians use both their business phone and their personal phone for both purposes. Increasingly, employees of medical practices are combining the business and personal phone into a single device, and employers are all too happy to oblige, since it seems to take the responsibility off their shoulders. Unfortunately, this creates an incredibly dangerous situation: mobile phones are increasingly becoming targets of malware and hacking.
If mobile phones and tablets such as iPhones and iPads are going to be used to conduct the business of your medical practice, they should be centrally managed, with enforced security features such as a locking mechanism that locks the device automatically after only a brief period of inactivity. In IT this is called Mobile Device Management, or MDM for short. It prevents a lost phone from compromising your company’s security and ePHI. Further, you or your IT staff should have a way to remotely erase devices that are lost or stolen.
According to Stevie Davidson, CPHIT, of New Jersey-based Health Informatics Consulting, “The lack of good mobile device management is one of the top reasons for breaches today. Whether it is a laptop or a mobile device, you must remember, under the new HIPAA Omnibus Rule, we are not operating under a low probability assessment. In other words, you are guilty until you prove yourself innocent. You need to use the Four Factor Assessment to determine a low probability that PHI has been compromised.”
Davidson adds, “If you are looking for reasons why you need to implement encryption and other protections, just remember that the feds will deem any unrecovered loss a breach, even if it just has an EHR application on it and nothing else. From their perspective, there is no way for you to prove there wasn’t any unencrypted PHI on it. Assumptions do not protect you from reputational harm and business sustainability. So, take a moment to reflect on the cost of not being proactive against the cost of being reactive.”