In this article and the accompanying sample computer security policy, Dr. Peikari outlines the steps you can take to secure your systems, comply with HIPAA patient privacy regulations, and keep your office computers running smoothly.
Defending Your Medical Practice from Hackers, Viruses and Spyware
A couple of weeks after we opened our little medical practice, we began to have a big problem. Our shiny new computers were starting to slow down, even to the point of becoming unusable. We called tech support, and after a brief exam, they announced that the machines were loaded down with spyware.
Worse, the problem kept happening. Our IT support costs began to rise as their house calls became a routine occurrence.
Fortunately, I had learned a little bit about computer security. So I scribbled out a brief security policy and had it implemented on some of the office machines.
I’m happy to say that none of the machines secured by our new “office security policy” have since been compromised. The office runs smoothly, and we no longer pay for frequent IT support visits.
Implementing a Computer Security Policy
Good news: you can do the same thing in your own office, with little or no expense. With a little practice, even newcomers to computers can learn to do it. In the associated Practice Tool I’ve provided our sample security policy. You will see that most of the techniques are easy to do, and the software is either free or very inexpensive. These simple measures provide a great deal of protection.
HIPAA requires you to take these steps. However, HIPAA is the last reason you should do this. You should secure your networks because it is the right thing to do. Your patients depend on you for their health. They should also know they can count on you to preserve their confidential information.
Note that the following policy was designed for a small office: it will probably work for up to 15-20 staff at most. In lecturing on this subject across the state of Texas, I have found that 95% of small-to-medium sized medical offices use Windows machines, mostly Windows XP. For this reason, we do not cover Linux security in this article.
Larger organizations will need to spend more cash and more time on security. For example, a group with 50 staff would save time by configuring security via Windows Server and Active Directory. However, that is beyond the scope of this article.
I hope that these suggestions will save you time and money. Writing a security policy is very hard. I have never seen one like this that is tailored to the small medical practice. Hopefully it will help. If it does, and especially if it doesn’t, please email me with feedback.
©2006 Cyrus Peikari, M.D.
About the Author:
Dr. Peikari is a Dallas-based internist who co-wrote the HIPAA continuing education course for the Texas Medical Association. In addition, he is a sought-after speaker on computer security and has written five books on wireless network security.
Dr. Peikari is a member of the netdoc.com Advisory Board.