HIPAA Compliance for Medical Practices
83.9K views | +11 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Data Breach Reporting Requirements for Medical Practices

Data Breach Reporting Requirements for Medical Practices | HIPAA Compliance for Medical Practices | Scoop.it

Are we ready to replace passwords with biometrics for access to our facilities' networks and EHRs? I know that I'm ready for something easier and more secure than my ever-changing facility login, a byproduct of being forced by the system to change my password every couple of months.

In its current iteration, the EHR at my facility takes three separate login steps to get into the record to document a patient encounter or retrieve information. This doesn't seem like much, but multiply it by 20 or 30 patients and it becomes burdensome and a significant time waster.

If a terminal is locked, I have to enter my credentials to access the system and from there, I have to enter my credentials to open the EHR. Then if I want to dictate any notes, I have to again enter my credentials to open the dictation software. It gets old in a hurry, and is a major complaint among members of the medical staff at my community hospital.

The IT team in our organization is experimenting with using the embedded "near field" chip in our ID cards as a way in which to log in to the EHR. It would be a big step forward and would eliminate the majority of authentication to access our EHR. It would also have the added advantage of encouraging all members of the medical staff to carry their hospital IDs, but not all software needed for charting supports this mode of authentication.

Fast Identity Online (FIDO) is the current buzz phrase that refers to all of the biometric authentication technology currently available or planned. We are already using our fingerprints in a variety of ways to unlock our phones and doors, and there are readily available technologies that rely on retinas, irises, face recognition, or voice recognition that are being developed to solve authentication and security problems. We have seen the future in a variety of science fiction films, and much of it is working and available technology.

While there is a tremendous upside to FIDO technology, there are also significant downsides in the form of privacy. We constantly see that passwords are not 100 percent secure, and companies tasked with protecting our personal data stored on their servers also fail. It is not too much of a stretch to raise concerns about personal biometric data being stored on vulnerable servers, and the privacy vulnerability that this represents to us all as individuals.

There should be similar concerns with biometric security data. My fingerprints are stored on my phone as a security measure, but could an enterprising criminal find a way to use that data to reconstruct my fingerprints?

As always, computer technology and software are well ahead of privacy protections and personal security, and will remain so for some time, possibly forever.

To make it work on an EHR, we need enterprise level solutions, as the thought of customizing my FIDO login separately at each terminal in the hospital, defeats the purpose and intent of making this simultaneously easier and more secure.

It seems that an enterprising technology company would see the opportunity in allowing medical providers to quickly and securely sign into an EHR. I know that there are a lot of smart people working on this problem in an attempt to make this both easier and more secure for those of us in the trenches.

As the pace of technology development and implementation becomes more rapid, so does the need for increasing security and privacy, as well as reducing the technological burden on the healthcare providers who daily have the use this technology in the performance of their jobs. These competing trends get more important everyday as the penetration of the EHR becomes more ubiquitous.


No comment yet.
Scoop.it!

Securely Disposing Medical Practice Equipment

Securely Disposing Medical Practice Equipment | HIPAA Compliance for Medical Practices | Scoop.it
It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members; or donate them to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synched to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.
No comment yet.