Practice data is among the most valuable assets that your practice owns. Naturally, securing that data should be a priority. Certain measures must be taken as a matter of law, while others should be taken as a matter of good practice. Fortunately, there are several simple measures you can put in place quickly with minimal disruption to your practice. We’ll look at five of those measures in this article.
Before discussing implementation of security measures, it’s important to understand what “data” actually means. Data takes many forms, not all of which require the same level of protection. For example, your clients’ personally identifiable information (commonly known as “PII”) must be managed carefully (it’s the law), whereas the price of annual exams may not rise to the level of requiring strict protection. Before implementing a security program, you’ll need to understand what types of data are being generated in your practice. Some common examples include, customer PII, patient medical records, financial information, and employee information. Once you understand what data is there, you can begin to put some protections in place.
Security is a team effort. Looked at differently, security is only as strong as the most vulnerable person on your team. A good security plan starts with communicating your expectations. Every team member must understand his/her role in securing practice data. This message should be delivered as part of training new-hires, and it should be repeated periodically during staff meetings. Put your requirements into writing and share your plan with your team.
Limit access to data
While we all want to trust our teams to do the right thing when it comes to securing data, it is best to help people avoid making mistakes in the first place. The best way to do this is to limit access to data based on a need to know. If a team member doesn’t need access to billing data, then don’t give him/her access to that data. Your practice management software should be the first line of defense because it should provide a way for you to limit permissions based on role. In our software, for example, you can limit permissions for pretty much every feature, including the ability to view, add, edit, and delete data. Apart from your practice management software, keep sensitive data away from common places such as the front desk, and if applicable, lock the files (employee files are a great example). Sensitive information should be stored centrally and securely.
Don’t share passwords
Sharing passwords is a great way to weaken your security program. Shared passwords hinder your ability to control access to data. They also make it more likely that your password will be stolen or lost. In addition to requiring unique passwords, establish guidelines to ensure that passwords are strong. For example, your password should not be “password.” Instead, passwords should contain a mix of letters, numbers, and symbols, and should be at least eight characters.
Protect your devices
Your devices are the front doors to your business. It makes sense to protect these virtual front doors in the same way that we put locks on the front doors to our homes. Your devices should be running current virus protection software. In addition, your devices should be encrypted. A stolen encrypted device is just that – a stolen device. The thieves would not gain access to any credentials or data on the device.
Review and adjust
A good security program is one that is evolves over time. In order to evolve your program correctly, you must periodically audit compliance, and review that there have not been any material changes to your practice that call for changes to your plan. Violations should be clearly communicated to the offending team member – remember to include steps to improve compliance going forward. If you do make changes to your program, remember to communicate those changes to your team, update your written policies, and adjust access to data as appropriate.