In the past five years, the way rehab therapists perceive—and use—information technology in their clinics has changed dramatically. We used to manage our files with stationary computers and back-room servers we could only access within the office. Now, our teams are mobile, and we use tablets, laptops, and phones to access the powerful cloud applications—including the WebPT EMR—that help us do our jobs. Essentially, the servers of yesteryear have migrated to the cloud. 

With this new way of doing business, we face a new breed of challenges, thanks to regulations like HIPAA and the HITECH Act as well as the general security threats that affect every Internet user (there are bad people out there; trust us). So, let's talk about some of the best practices we can employ to protect ourselves from the bad guys while staying productive at the same time!

Here are three things that’ll help us keep our patient data safe and secure:


1. Password Safety and Security

With so many cloud applications out there, a clinic can end up relying on several web apps to keep the business running day to day. Each application needs a password that is complex enough to be safe, along with a password-change and recovery process that won't grind operations to a halt if you forget a password or need to update it. Many sites still enforce rotating passwords (i.e., passwords that must be changed on a schedule), and you will also need to change any shared passwords whenever an employee leaves the company; the HIPAA Security Rule requires you to have procedures for ending a departing workforce member's access. To manage all of this, we recommend enlisting the help of a password management app.

There are many different password management apps out there, but we'd like to focus on three: LastPass, KeePass, and 1Password.


You can use LastPass on your phone, tablet, and Mac and Windows computers. It integrates directly with your most-used browsers, stores the website passwords you add, and audits the strength of (and reuse among) the passwords you already use. One thing that differentiates LastPass from other apps is that it works really well on Macs. It also offers a premium service (billed annually) that alerts you if a site you use has had a security incident and prompts you to change your password for that site.


KeePass differs from a lot of other offerings because it stores your passwords in an encrypted database file on your own computer rather than in the vendor's cloud. Sharing that data takes a little more effort, but it is definitely possible: put the database file in Dropbox, Google Drive, or another file-syncing service. Because the file itself is encrypted, that's safe as long as your master password is strong (you can also add a key file as a second factor for opening it). The program is very portable (it can run from a thumb drive); offers Windows, Mac, and even Linux versions; and is one of the few totally free and open-source options for password storage. Ultimately, KeePass is a more hands-on kind of password management, but it's still a strong recommendation if you're willing to get your hands a little dirty with plugins and files.


1Password is a well-designed product that really shines in ease of use. In addition to its polished design, 1Password has some unique features that make it a favorite among techie nerds. First, it's simple to set up on your PC, either with local files or with a syncing system that runs through a cloud service. If you go the syncing route, you'll pay a one-time fee of $50, but this option is unique in that it doesn't use an annual subscription. With that single payment, you're up and running on your tablets, phones, and computers. It also includes a digital wallet for storing credit cards and addresses for easy entry at checkout when you buy items and services online.

When it comes to password management, there are many options available, but they share a common theme: a centrally managed vault unlocked by a single master password, which you can (and should) protect further with two-factor authentication. That way, you can maintain long, unique passwords for every system while still giving each staff member access to the credentials they need, and revoke that access in one place when someone leaves. On that note, we'd be remiss not to point out the importance of creating secure passwords in the first place. For tips on how to do that, check out this article.

2. File Encryption and Data Backups

Encryption has been available to businesses for a long time, but IT staff often overlook it as an easy way to protect high-risk data against unauthorized access. HIPAA clearly addresses it in its guidelines, but because providers typically use many different devices, all holding data that must be kept secure, encryption doesn't always stand out as a first choice. The WebPT app is strongly encrypted at every level, but even if you're using WebPT, it's important to make sure your workstations are encrypted using BitLocker (Windows; included with the Pro, Enterprise, and Education editions) or FileVault (Mac). Both encrypt your entire hard drive, so a stolen or discarded machine gives up nothing without the user's login or the recovery key. When you turn on BitLocker or FileVault, take the recovery key created during setup and store it somewhere safe (i.e., locked). If you're using a Windows device, you can store your BitLocker recovery key in your Microsoft account (it shows up under your OneDrive account); if you have an Apple device, you can escrow the FileVault key to your iCloud account. Remember that whoever holds the recovery key can unlock the drive, so the account you store it in needs a strong password and two-factor authentication of its own.

Removable storage presents another challenge, because patient data stored on backup drives (external or network) must be encrypted as well. By encrypting the thumb drives and external drives used in your office (BitLocker To Go on Windows, or an encrypted volume created in Disk Utility on a Mac), you protect the data they hold in case of loss or theft: without the password or recovery key, the drive reads as nothing but random data.
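Here's what that looks like in practice on Windows. This is an added example, not WebPT code: a PowerShell script, run from an elevated prompt on a TPM-equipped Windows Pro, Enterprise, or Education machine, that audits which volumes BitLocker protects, turns it on for the system drive with a recovery password you can file away, and encrypts a removable drive. The drive letter E: for the USB stick is an assumption; change it to match your office.

```powershell
# Added example (not WebPT code). Needs an elevated session and the BitLocker
# module that ships with Windows 10/11 Pro, Enterprise, and Education.
#Requires -RunAsAdministrator

# 1. Audit: every fixed and removable volume, and whether BitLocker protects it.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Drive       = $_.MountPoint
        Type        = $_.VolumeType          # OperatingSystem or Data (USB sticks show as Data)
        Protection  = $_.ProtectionStatus    # On or Off
        Encrypted   = "$($_.EncryptionPercentage)%"
        RecoveryKey = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count -gt 0
    }
}
$volumes | Format-Table -AutoSize

# 2. System drive: add a recovery password first, then encrypt with the TPM unlocking
#    the drive at boot. XTS-AES 256 is the strongest built-in cipher; -UsedSpaceOnly
#    keeps the first run short on a fresh machine. Assumes the PC has a TPM.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
}

# 3. Show the 48-digit recovery password so it can be filed somewhere safe (Microsoft
#    account, a locked safe, or Azure AD via BackupToAAD-BitLockerKeyProtector on
#    Entra-joined machines). Anyone holding this key can unlock the drive, so treat it
#    like the data itself.
(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# 4. Removable drive (assumed to be E:): BitLocker To Go with a password, plus a
#    recovery password in case the password is forgotten.
$usb = 'E:'
if ((Get-BitLockerVolume -MountPoint $usb).ProtectionStatus -ne 'On') {
    $pw = Read-Host -Prompt "Password to unlock $usb" -AsSecureString
    Enable-BitLocker -MountPoint $usb -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -PasswordProtector -Password $pw
    Add-BitLockerKeyProtector -MountPoint $usb -RecoveryPasswordProtector | Out-Null
}
```

Run the audit section on its own first; the Protection column should read On for every drive that ever touches patient data. Step 3 prints the recovery password on screen once, so run it where nobody is looking over your shoulder, store the key, then clear the console.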

Another common topic of discussion in data security circles, and one that both HIPAA and the HITECH Act address, is mobile devices. We often see HIPAA enforcement cases in which providers were fined because their mobile devices were not encrypted and contained ePHI, or held stored passwords that unauthorized individuals could use to reach cloud-stored data. In this day and age, setting a lock-screen passcode and encrypting every device is an absolute must, especially because it's so easy to misplace tablets and phones during work or travel. For the same reason, when we talk about antivirus protection below, we recommend installing it on phones and tablets as well as computers, to protect those devices from malicious software that could compromise data security.

If you’re a WebPT Member, we’ve got you covered when it comes to backing up the files containing your critical EMR data. That’s right: we store all of your data, and we keep it safe, too! Just don’t forget to protect the rest of the data you use to run your clinic, and put a strong backup process in place to cover all your bases in case of disaster or drive failure. That includes backing up your accounting software offsite (if it isn't already in the cloud). We've seen many instances in which some of a business’s data was safe while other items had never been backed up properly. So, protect yourself with good backups: invest in encrypted cloud storage for your backup data, keep at least one copy off site, and test a restore now and then, because a backup you've never restored from is only a hope.
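One way to turn the "encrypted destination" rule into a routine, as an added example that is not WebPT's own code: this PowerShell function copies a clinic folder to an external drive only after confirming the drive is BitLocker-protected, then verifies every copied file by SHA-256 hash before reporting success. The paths C:\ClinicData and E:\ClinicBackup are assumptions.

```powershell
# Added example (not WebPT code): back up a folder to an encrypted external drive and verify it.
function Backup-ClinicData {
    param(
        [string]$Source      = 'C:\ClinicData',     # assumption: accounting exports, scanned forms, etc.
        [string]$Destination = 'E:\ClinicBackup'    # assumption: external drive encrypted with BitLocker To Go
    )

    # Refuse to write PHI to an unencrypted drive: losing that drive would be a reportable breach.
    $destDrive = Split-Path -Qualifier $Destination
    $bde = Get-BitLockerVolume -MountPoint $destDrive -ErrorAction SilentlyContinue
    if (-not $bde -or $bde.ProtectionStatus -ne 'On') {
        throw "Backup destination $destDrive is not BitLocker-protected; encrypt it first."
    }

    # One timestamped folder per run, so a good earlier copy is never overwritten by a bad one.
    $stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
    $target = Join-Path $Destination $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Copy the whole tree. robocopy exit codes 0-7 mean success; 8 and above mean something failed.
    $log = Join-Path $Destination 'robocopy.log'
    robocopy $Source $target /E /R:2 /W:5 /NP "/LOG+:$log" | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE (see $log)" }

    # Verify the copy: hash every source file and compare it with its counterpart on the drive.
    $failed = foreach ($f in Get-ChildItem -Path $Source -Recurse -File) {
        $rel  = $f.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $copy = Join-Path $target $rel
        if (-not (Test-Path -LiteralPath $copy) -or
            (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash -ne
            (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash) {
            $rel
        }
    }
    if ($failed) { throw "Verification failed for: $($failed -join ', ')" }

    $count = (Get-ChildItem -Path $target -Recurse -File).Count
    "Backup verified: $count files in $target"
}

Backup-ClinicData
```

Schedule it with Task Scheduler to run after hours, and prune old timestamped folders once the drive fills up; the hash check is what turns "we copied the files" into "we know the copy is good."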

Backups and encryption can be tricky, especially if your backups are large and hard to manage or your computer’s operating system is too outdated to support BitLocker or FileVault (an operating system that old no longer receives security patches either, which is itself a good reason to upgrade). Some antivirus suites include built-in encryption, which can help. And that brings us to our next topic: virus protection.

3. Antivirus and Malware Protection

In information technology, this is the topic that sparks the most questions. Whether we're at home or at work, we all want to know which tools will best protect us from the bad guys on the Internet, and we want to make sure we're not doing something or going somewhere that’ll cause us to compromise our data or clog our computers to the point that they're unusable. The Internet can be a dangerous place!

There are a lot (and we do mean a lot) of free antivirus programs out there, and while some of them are good, it’s crucial for you to get one that’s great. That means frequent definition updates plus behavior-based detection that can catch zero-day threats (malware that exploits a flaw the vendor hasn't patched yet, so no signature for it exists), rather than relying on signatures alone.

WebPT recently completed an extensive search for our next antivirus solution. After a lot of research, we narrowed our choices down to three top contenders: Sophos, Bitdefender, and ESET. All of these are great products.

  • They work well on both Apple and Windows platforms.
  • They do active and passive scanning of workstations and any removable storage devices plugged into those workstations.
  • They're centrally managed, either from an on-premises server or from the cloud.
  • They're easy to install.
  • They have consistent updates.

In reality, we can recommend all three without hesitation. They all protect well at just about every level, even alerting you to compromised sites you might stumble upon as you browse. The important thing is that you get an antivirus product and install it on all of your devices. In recent months, phones and tablets have been popular targets for malware delivered through app stores and websites alike, and as with encryption, mobile platforms are easy to overlook. So, make sure both your operating system and your antivirus software are up to date, and schedule a full scan (once a week or so) to make sure things are clean.
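As an added example (not from WebPT, and using the Microsoft Defender cmdlets built into Windows rather than the three products above, which expose the same checks through their own management consoles), here is how to confirm that protection is on and signatures are fresh, and to set up the weekly scan. The Sunday 02:00 time slot is an assumption.

```powershell
# Added example (not WebPT code). Uses the Defender module that ships with Windows 10/11.
#Requires -RunAsAdministrator

# 1. Health check: is real-time protection on, and how old are the signatures?
$s      = Get-MpComputerStatus
$sigAge = (Get-Date) - $s.AntivirusSignatureLastUpdated
[pscustomobject]@{
    RealTimeProtection = $s.RealTimeProtectionEnabled
    SignatureAgeHours  = [math]::Round($sigAge.TotalHours, 1)
    LastFullScan       = $s.FullScanEndTime
    LastQuickScan      = $s.QuickScanEndTime
} | Format-List
if (-not $s.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is OFF' }
if ($sigAge.TotalDays -gt 1)           { Write-Warning 'Signatures are more than a day old' }

# 2. The "once a week or so" scan: a full scan every Sunday at 02:00 (assumed slot),
#    including any removable drives plugged in at the time.
Set-MpPreference -ScanParameters FullScan `
                 -ScanScheduleDay Sunday `
                 -ScanScheduleTime 02:00:00 `
                 -DisableRemovableDriveScanning $false

# 3. Pull the latest signatures, run a quick scan now, and list anything ever detected.
Update-MpSignature
Start-MpScan -ScanType QuickScan
Get-MpThreatDetection | Select-Object DetectionID, InitialDetectionTime, ThreatID, Resources
```

Run step 1 on each workstation during your monthly check; a signature age measured in days, or real-time protection reporting False, is the thing to chase down before worrying about anything else.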

The Closing Part

My word! Does it seem like these three "basic" ideas have suddenly turned into three very big and complicated issues? Hopefully this post offered more clarification than confusion, but keep an eye on the WebPT Blog for more posts that address these issues, and find yourself a good managed services IT partner. This type of partner is the best resource for small businesses that want to protect their data and keep their networks running. Many small businesses end up with large bills or data losses they could have avoided by finding an IT partner to help them navigate the ins and outs of data security. Retail stores with tech teams (think Geek Squad) might seem like a quick, helpful resource, but they can't help you build a best-practices infrastructure, and they don’t navigate compliance regulations like HIPAA and HITECH very well. A good managed services team can help you set up backups, ensure your antivirus software is doing its job, and maintain network security.

So, take a look at your office, and start securing your stuff.  And remember: Surf safe!
