
    10 ways to improve patient data security


    For example, in an EHR integrated with a practice management system, a receptionist may only need to use the scheduling application; role-based access would not let that person access any clinical or financial data. 

    This approach helps protect privacy and prevent the use of PHI to commit fraud, Kim notes. In addition, she says, if a user’s password is stolen and that person has only partial access to the EHR, it limits how much damage the thief can do. 


    Don’t store data on user devices

    “What small providers have in place in terms of security isn’t typically there to keep information confidential, but to protect their access to it,” notes Kim. 

    That could explain why many small practices allow users (staff, physicians and anyone with access to the system) to store PHI on their desktop computers, laptops and even mobile devices. But doing so makes the information more vulnerable to hackers, experts say.

    Practices should prohibit the storage of PHI on end-user devices, says Nathan Gibson, chief information officer for Charles, West Virginia-based Quality Insights. Centralized storage of PHI on a practice server is safer, he notes, but staff education and training about the risks of local storage are still necessary. 

    “If the employees aren’t aware of the importance of PHI being centralized, and they start creating PDFs and performing print screens, that means that information is still being stored locally,” he points out. Staff should be instructed to access information from the network and not store any data on their own devices, says Gibson. 

    Many doctors and nurses use tablets and smartphones at work. These devices can pose security threats if they’re allowed to connect to the network or if they can download EHR data. 

    Some healthcare organizations install remote “wiping” software on laptops and mobile devices employees use at work. In theory, that would allow a practice to erase data on those devices if they were lost or stolen. 

    However, Gibson points out that the device must be connected to the internet, either via Wi-Fi or the cellular phone network, to receive the signal from the practice. The device may connect to the cellular network automatically when it’s turned on, but that signal can be blocked, he says.

    Use and scan audit logs

    All certified EHRs have audit logs that record which user did what in the EHR and when. 

    However, practices often don’t turn these logs on or configure them correctly. According to Kim, a recent HIMSS survey showed that fewer than half of hospitals and practices were using their audit logs or another feature designed to prevent people from tampering with the logs to erase the signs of an intruder. Practices that don’t know how to activate and configure audit logs should ask their vendors or IT consultants about it.

    Beyond that, she notes, practices need software that automatically scans their audit logs to detect anomalies that might indicate a cyberattack, such as an unfamiliar user or a known user logging on at an unusual time of the day.
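The kind of audit-log scan described above, as an added example that is not from the article or from any EHR vendor's product: it parses constructed audit records and flags the two anomalies the text names, an unfamiliar user and a known user logging on outside normal hours. The log format, user list, business hours and sample records are all assumptions made for the example.

```python
"""Flag anomalous EHR audit-log entries: unknown users and off-hours logins."""
from datetime import datetime

# Constructed baseline: users provisioned in the EHR and the hours they normally work.
KNOWN_USERS = {"reception1", "drpatel", "nurse_lee"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as a normal login window


def parse_line(line):
    """Parse 'timestamp|user|action|record' into a dict; None if the line is malformed."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, user, action, record = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"when": when, "user": user, "action": action, "record": record}


def find_anomalies(lines, known_users=KNOWN_USERS, hours=BUSINESS_HOURS):
    """Return a list of (reason, entry) pairs for records that deserve review."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            # A record the parser cannot read is itself a sign of tampering or misconfiguration.
            findings.append(("malformed", line.strip()))
            continue
        if entry["user"] not in known_users:
            findings.append(("unfamiliar user", entry))
        elif entry["action"] == "LOGIN" and entry["when"].hour not in hours:
            findings.append(("login at unusual hour", entry))
    return findings


# Constructed sample audit records (assumed format: timestamp|user|action|record)
SAMPLE_LOG = [
    "2024-03-04T08:15:00|reception1|LOGIN|-",
    "2024-03-04T08:20:12|reception1|VIEW_SCHEDULE|-",
    "2024-03-04T02:47:31|drpatel|LOGIN|-",
    "2024-03-04T02:49:05|drpatel|VIEW_RECORD|MRN-00042",
    "2024-03-04T11:02:44|ghost_acct|VIEW_RECORD|MRN-00042",
    "garbled line",
]

if __name__ == "__main__":
    for reason, entry in find_anomalies(SAMPLE_LOG):
        print(reason, entry)
```

A production scan would build the per-user hour baseline from history rather than a fixed range, and would also watch for gaps or resets in the log itself, which is what the tamper-prevention feature mentioned above guards against.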

