1. Trusting outsiders too much – security experts have a name for this: social engineering, where people are manipulated into divulging sensitive information such as passwords or security protocols. This is actually the most common way that thieves hack into computer systems. Employees may share passwords with each other to try to save time or cover their tracks – or out of sheer ignorance. That makes it difficult for a practice to know who is who in an EMR system. This can violate the integrity of the medical record which is critical in cases of having to defend a malpractice suit.
2. Leaving an unattended computer or terminal unlocked – besides potentially violating HIPAA policy, leaving a terminal unlocked can allow access to sensitive information by either employees who are not authorized to do so or, worse yet, non-employees. The practice would then be left to handle damage control when information gets into the wrong hands. HIPAA violations can carry hefty fines.
3. Not changing a password periodically – there should be a password policy in place and employees should adhere to it. To be on the safe side, passwords should be set so that they automatically expire, at least monthly, and they should be complex, including numbers and symbols and different-case letters, for example. This makes them less likely to be figured out by intruders.
4. Keeping passwords or sensitive information on sticky notes – although something like this should also be part of the practice’s password policy, I mention it here by itself because it happens so much.
5. Downloading inappropriate or unauthorized software – some inadvertently-downloaded ‘malware’ programs can wreak havoc on an office network, while other “harmless” file-sharing programs can open up your network to outside intrusion. This can result in everything from damage to your hardware to HIPAA violations if patient information is breached.
6. Inappropriate use of practice equipment – this would include such things as viewing pornography, which could also make the practice liable for a sexual harassment lawsuit, or using practice email for personal uses. There is software that can allow you to monitor employees’ internet use.

A physician once asked me if it was possible not to even have internet access in his office. While it is possible, it is difficult for a medical practice not to have internet access at all because so much information travels across some sort of internet connection. It is better to have a good written internet policy and have proper oversight.

Tweet This Post

© Emedikon LLC for Medical Practice Trends.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: electronic medical records, EMR, HIPAA, medical office network, password management, security, sexual harassment, social engineering

Feed enhanced by Better Feed from Ozh