by AJ Riviezzo
Recently, one of our own, the Center for Vein Restoration (CVR), made national news. It was, unfortunately, not for anything positive. According to news reports, CVR was hacked in early October. More than 400,000 individuals had their data stolen, and that data appears to include names, dates of birth, Social Security numbers, clinical information, and even medical records.
This is not to rub salt in CVR’s wounds. If a company as large as CVR can be hacked, it is a reminder that all of our practices and companies may be at risk. Below are some thoughts that you may want to consider for your own practice.
Social Security Numbers – There is virtually no reason to collect a patient’s Social Security number any longer. It was once a helpful tool for ‘skip tracing’ or for guessing a patient’s Medicare number. Now that the Medicare number is no longer the Social Security number with an alpha suffix, it serves no such purpose. If your practice is still gathering and storing Social Security numbers, I strongly recommend you stop that practice: data you do not hold cannot be stolen from you.
Wi-Fi Network – Unsecured Wi-Fi networks are an invitation to being hacked. One option is to disable broadcasting of the service set identifier (SSID), which makes your Wi-Fi harder to find. You should also update your Wi-Fi to a current encryption standard such as WPA2, which is much more difficult to break into.
Multi-Factor Authentication (MFA) – Your office computers and your software (particularly your EHR/PM programs) should be using an MFA process. When you log in, the system sends a code to your cell phone or email that you must enter before access is granted. This dramatically cuts down on anyone entering your system with nefarious intent, even if they have obtained a password. If your current EHR software does not offer this feature, you need to push the vendor to add it.
Passwords – Yes, they are a pain. Updating them frequently is an even greater pain. I am right there with you. However, how much pain – personally and financially – will you incur if your system or software is hacked? Passwords should be alpha-numeric with special characters.
Education – I receive emails almost every day purporting to be from the HR department of American Physician. Funny, since I do not have an HR department. Educate your staff NOT to open attachments unless they know, for certain, who sent them. Periodic reminders should be reviewed with the staff.
Authority and Permissions – Speaking of employees, be sure to set the security parameters in your EHR/PM system to match the duties each individual actually performs. The receptionist, for example, needs access to some data elements, but likely has no need to alter security settings for other users, pull any and all financial reports, and so on.
Web Application Firewall (WAF) – A WAF is hardware or software that automatically inspects the web traffic you send and receive and blocks unreasonable data requests, particularly those coming from external sources. Software solutions can be cloud-based for a monthly fee. I am by no means a software security expert. If you have concerns about your hardware or software data security, please reach out to a local expert. Yes, the cost may be more than you want to spend, but the peace of mind may be well worth it.