In the past five years, the way rehab therapists perceive—and use—information technology in their clinics has changed dramatically. We used to manage our files with stationary computers and back-room servers we could only access within the office. Now, our teams are mobile, and we use tablets, laptops, and phones to access the powerful cloud applications—including the WebPT EMR—that help us do our jobs. Essentially, the servers of yesteryear have migrated to the cloud.
With this new way of doing business, we face a new breed of challenges thanks to regulations like HIPAA and the HITECH Act, as well as the general security threats that affect all Internet users (there are bad people out there—trust us). So, let's talk about some of the best practices we can employ to protect ourselves from the bad guys while keeping us safe and productive at the same time!
Here are three things that’ll help us keep our patient data safe and secure:
1. Password Safety and Security
With so many cloud applications out there, a clinic can end up relying on several web apps to keep the business up and running on a daily basis. Each application needs a password that is complex enough to be safe, along with a password change/recovery process that won't bring your operations to a halt if you forget a password or need to update it. After all, many sites require rotating passwords (i.e., passwords that must be changed routinely to maintain security). And there's always the possibility that you'll need to change your passwords because an employee leaves the company. HIPAA has strong guidelines around this as well. To help manage all of this, we recommend enlisting the help of a password management app.
There are many different password management apps out there, but we'd like to focus on three: LastPass, KeePass, and 1Password.
You can use LastPass on your phone, tablet, and Mac and Windows computers. It integrates directly with your most-used browsers, helps secure the website passwords you add, and audits the strength and security of the passwords you already use. One thing that differentiates LastPass from other apps is that it works really well on Macs. Plus, it offers a premium service (available on an annual basis) that alerts you if a site you're using has security issues and encourages you to change your password for that site.
KeePass differs from a lot of other offerings because it stores your passwords and data in local files on your computer. Thus, sharing that data can be a little more difficult, but it is definitely still possible using Dropbox, Google Drive, or other file-sharing programs. The program is very portable (it can be loaded onto a thumb drive); offers Mac, Windows, and even Linux versions; and is one of the few totally free and open-source options for password storage. Ultimately, KeePass provides a more hands-on type of password management, but it's still a strong recommendation if you're willing to get your hands a little dirty with plugins and files.
1Password is a well-designed product that really shines with its ease of use. In addition to having a pretty design, 1Password has some unique features that make it a favorite among techie nerds. First, it favors a simple path and is easy to set up on your PC, either with local files or via a syncing system that runs through a cloud service. If you go the syncing route, you'll have to pay a one-time setup fee of $50, but this option is unique in that it doesn't use an annual fee system. With just the one-time payment, you're up and running—and using the app on your tablets, phones, and computers. It also includes a digital wallet for storing credit cards and addresses for easy entry at checkout when purchasing items and services online.
When it comes to password management, there are many options available, but they all share a common theme: a centrally managed app that you unlock with a single master password—and that can be locked down even further with two-factor authentication—so your clinic can manage every other password in one place. That way, you can maintain secure, complex passwords while ensuring everyone who needs them has access to those passwords and their associated systems.
2. File Encryption and Data Backups
Encryption is a tool that has been available to businesses for a long time, but IT staff often overlook it as an easy solution to protecting against unauthorized access to high-risk data. HIPAA clearly addresses this option in its guidelines, but because providers are typically using many different devices—all with data that must be kept secure—encryption doesn’t always stand out as a first choice. The WebPT app is strongly encrypted at every level, but even if you’re using WebPT, it's important to make sure your workstations are encrypted using BitLocker (Windows) or FileVault (Mac). Both programs encrypt your entire hard drive and secure the data. When you implement BitLocker or FileVault, make sure you take the encryption keys created during the encryption process and store them in a safe (i.e., locked) place. If you’re using a Windows device, you can store your BitLocker key in your OneDrive account; if you have an Apple device, you can store the key in your iCloud account.
The use of removable storage presents another challenge, because patient data stored on backup drives (external or network) must be encrypted as well. By encrypting the thumb drives and external drives used in your office, you can protect the data contained within them in case of loss or theft. You can’t access an encrypted thumb drive without a key.
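As an added example (not code from the WebPT post), here is a PowerShell audit for the BitLocker advice above: it lists every volume, including thumb drives and external disks, flags any that are still unencrypted, adds a recovery password where one is missing, and escrows that password to a folder you control. The escrow folder path (a OneDrive-synced folder, as the post suggests) and the one-file-per-key layout are assumptions.

```powershell
# Added example, not from the WebPT post. Audits BitLocker on every volume and
# escrows a recovery password so a forgotten PIN, a dead TPM, or a drive moved
# to another machine does not lock you out of your own patient data.
# Assumes Windows 10/11 Pro or Enterprise with the built-in BitLocker module,
# run from an elevated (Administrator) PowerShell session.
#Requires -RunAsAdministrator

# ASSUMPTION: a folder you control for the escrowed keys, e.g. a OneDrive-synced
# folder. Restrict NTFS permissions on it to administrators only; the files are
# the keys to every drive listed below.
$EscrowPath = Join-Path $env:USERPROFILE 'OneDrive\BitLockerKeys'
New-Item -ItemType Directory -Path $EscrowPath -Force | Out-Null

$report = foreach ($vol in Get-BitLockerVolume) {
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Still clear text: nothing to escrow yet. Enable BitLocker before the
        # device (or the removable drive) leaves the office.
        Write-Warning "$($vol.MountPoint) ($($vol.VolumeType)) is NOT encrypted."
    }
    elseif (-not $rp) {
        # Encrypted, but with no recovery password: add one so it can be escrowed.
        $rp = (Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    # One file per volume and protector ID, so the file can be matched to the
    # ID BitLocker displays on the recovery screen.
    foreach ($p in @($rp)) {
        $name = '{0}_{1}_{2}.txt' -f $env:COMPUTERNAME, $vol.MountPoint.TrimEnd(':'), $p.KeyProtectorId.Trim('{}')
        @(
            "Computer: $env:COMPUTERNAME"
            "Drive: $($vol.MountPoint)"
            "Key Protector ID: $($p.KeyProtectorId)"
            "Recovery Password: $($p.RecoveryPassword)"
        ) | Set-Content -Path (Join-Path $EscrowPath $name) -Encoding UTF8
    }

    [pscustomobject]@{
        Drive            = $vol.MountPoint
        Type             = $vol.VolumeType        # OperatingSystem / Data (includes removable drives)
        Status           = $vol.VolumeStatus      # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        Protection       = $vol.ProtectionStatus  # Off means the disk is not actually protected yet
        RecoveryKeyCount = @($rp).Count
    }
}

$report | Format-Table -AutoSize
```

On domain-joined or Entra ID-joined machines, prefer the built-in escrow cmdlets (Backup-BitLockerKeyProtector for Active Directory, BackupToAAD-BitLockerKeyProtector for Entra ID) over a file in a synced folder.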
Another common topic of discussion among those in data security circles—and something both HIPAA and the HITECH Act address—is the issue of mobile devices. We often see findings in HIPAA cases in which providers have been fined because their mobile devices were not encrypted and contained ePHI or stored passwords that unauthorized individuals could use to access cloud-stored data. In this day and age, setting lock-screen combinations and encrypting devices is an absolute must—especially because it's so easy to misplace or lose tablets and phones during work or travel. That's why, when we talk about antivirus protection, we recommend installing antivirus software on phones and tablets—in addition to computers—to protect such mobile devices from malicious software that could compromise data security.
If you’re a WebPT Member, we’ve got you covered when it comes to backing up the files containing your critical EMR data. That’s right—we're storing all of your data, and we keep it safe, too! Just don’t forget to protect the rest of the data you use to run your clinic, and be sure to put a strong backup process in place to cover all your security bases in case of disaster or drive failures. You also need to back up your accounting software offsite (if it’s not in the cloud) just in case. We've seen many instances in which some of a business’s data is safe, but there are still items that haven’t been backed up properly. So, protect yourself with good backups: invest in some safe (i.e., encrypted) cloud storage to house your backed-up data.
Backups and encryption can be tricky, especially if your backups are large and hard to manage or your computer’s operating system is too outdated to support BitLocker or FileVault. Some antivirus programs come with built-in encryption, which can be helpful in keeping things safe. And that brings us to our next topic: virus protection.
3. Antivirus and Malware Protection
In information technology, this is the topic that sparks the most questions. Whether we're at home or at work, we all want to know which tools will best protect us from the bad guys on the Internet, and we want to make sure we're not doing something or going somewhere that’ll cause us to compromise our data or clog our computers to the point that they're unusable. The Internet can be a dangerous place!
There are a lot—and we do mean a lot—of free antivirus programs out there, and while some of them are good, it's crucial for you to get one that's great. That means it has strong, frequent updates and responds quickly to zero-day threats (meaning it detects new threats as soon as they appear and pushes out fixes right away) for the nastiest viruses on the Internet.
WebPT recently completed an extensive search for our next antivirus solution. After a lot of research, we narrowed our choices down to three top contenders: Sophos, Bitdefender, and ESET. All of these are great products.
- They work well on both Apple and Windows platforms.
- They do active and passive scanning of workstations and any removable storage devices plugged into those workstations.
- They're centrally managed via either on-premises devices or the cloud.
- They're easy to install.
- They have consistent updates.
In reality, we can recommend all three without hesitation. They all protect well at just about every level, even going so far as to alert you about any compromised sites you might stumble upon as you surf the Internet. The important thing is that you do get an antivirus product and install it on all of your devices. In recent months, phones and tablets have been popular targets for malware and viruses delivered via app stores and websites alike—and as with encryption, those issues are easy to overlook on mobile platforms. So, make sure both your operating system and your antivirus software are up to date, and set a time to scan them (once a week or so) to make sure things are clean.
The Closing Part
My word! Does it seem like these three "basic" ideas have suddenly turned into three very big and complicated issues? Hopefully this post offered more clarification than confusion, but be sure to keep an eye on the WebPT Blog for more posts that address these issues—and find yourself a good managed services IT partner. This type of partner provides the best resource for small businesses looking to protect their data and keep their networks up and running 100% of the time. Many small businesses end up with large bills or data losses that they could have avoided by finding an IT partner to help them navigate the ins and outs of data security. Retail stores with tech teams (think Geek Squad) might seem like a quick, helpful resource—but they can't help you build a best-practice infrastructure, and they don't navigate compliance regulations like HIPAA and HITECH very well. A good managed services team can help you set up backups, ensure your antivirus software is doing its job, and maintain network security.
So, take a look at your office, and start securing your stuff. And remember: Surf safe!