Medical Office Data Breaches

Avoiding Medical Office Data Breaches in Four Steps

Medical office data breaches don’t just happen to big entities like UCLA or Stanford. They affect private medical practices as well. Breaches, both big and small, can result in serious problems. For a physician, a data breach can bring audits, fines, even litigation. It can damage your reputation in the community, and it can also mean a HIPAA (Health Insurance Portability and Accountability Act) violation. There are many ways a data breach can happen in a private practice. Luckily, there are four steps you can take to reduce the risk of medical office data breaches:

  1. Secure your devices
  2. Secure your data
  3. Secure access to your data
  4. Train your staff

Secure Personal and Practice Devices

Step one is to protect your hardware. First, list all the devices that belong to the practice, to providers, and to employees. Determine which cell phones, iPads, laptops and desktops access PHI (Protected Health Information). Carefully inventory devices that contact patients. Then, create a policy to make sure those devices are never left unattended. Understand that portable devices are vulnerable to theft. A stolen laptop that includes unencrypted patient data can constitute a HIPAA violation. So, decide which portable devices can leave the practice. Lock up the remaining devices after business hours. Enable settings that let you wipe all devices remotely if they go missing. Set all devices to need passwords and to go into sleep mode when left idle.

Secure Your Data

Step two is to protect the PHI that you are storing and transmitting. If you use wireless routers, check that they send encrypted data. If you access your desktop from home, encrypt data using a VPN (virtual private network) service. Remember to use an encrypted connection if you use tablets to access your EMR. You can encrypt your Android and your iPhone, too. The key here is to ensure PHI is always encrypted.

When using online software, be sure to select secure, encrypted services (such as Always have third parties sign a Business Associate Agreement. Avoid those that send or store data offshore. Use secure browsing whenever possible.

Secure Access to Data

Step three is to control who accesses your data. You can avoid many breaches by keeping a tighter grip on passwords. First, make it a point to change all passwords at least quarterly. Then assign different access levels to employees. For example, your receptionist may not need to see a patient’s full documentation. In this case, restrict that account to the scheduler only. Finally, be sure to disable employees’ accounts and passwords as soon as they leave your employment.
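The three controls in step three (quarterly password changes, role-based access levels, and disabling accounts of departed staff) are the kind of thing a practice can check routinely rather than trust to memory. The script below is an added example written for this article, not code from the original post or from any EMR vendor; the role map, the 90-day window, the sample roster and the audit date are all constructed assumptions, and a real practice would read its account list from its EMR or directory instead.

```python
"""Access-control audit for a small practice's EMR accounts.

Added example, not from the original article. ROLE_PERMISSIONS, the
90-day rotation window, SAMPLE_ACCOUNTS and AUDIT_DATE are assumptions.
"""
from datetime import date, timedelta

# Least-privilege role map (assumption): each role gets an explicit allow-list.
# Anything not listed is denied, so the receptionist sees the scheduler only.
ROLE_PERMISSIONS = {
    "physician":    {"scheduler", "chart.read", "chart.write", "billing.read"},
    "nurse":        {"scheduler", "chart.read"},
    "receptionist": {"scheduler"},
    "billing":      {"scheduler", "billing.read", "billing.write"},
}

PASSWORD_MAX_AGE = timedelta(days=90)   # "at least quarterly"
AUDIT_DATE = date(2019, 6, 15)          # constructed date the audit runs on


def can_access(role, permission):
    """Default deny: True only if the role's allow-list names the permission."""
    return permission in ROLE_PERMISSIONS.get(role, set())


def audit_accounts(accounts, today):
    """Return (username, finding) pairs for the three checks in the article:
    stale passwords, accounts still enabled after the employee has left,
    and roles that are not in the allow-list at all (so nobody knows what
    they can reach)."""
    findings = []
    for acct in accounts:
        name = acct["user"]
        if acct["role"] not in ROLE_PERMISSIONS:
            findings.append((name, "unknown role: no permissions granted"))
        if acct["enabled"] and acct["left_on"] and acct["left_on"] <= today:
            findings.append((name, "account still enabled after departure"))
        if acct["enabled"] and today - acct["password_set"] > PASSWORD_MAX_AGE:
            findings.append((name, "password older than 90 days"))
    return findings


# Constructed sample roster (fictional accounts, not real people).
SAMPLE_ACCOUNTS = [
    {"user": "dr.lee", "role": "physician", "enabled": True,
     "password_set": date(2019, 5, 1), "left_on": None},
    {"user": "front.desk", "role": "receptionist", "enabled": True,
     "password_set": date(2019, 1, 10), "left_on": None},
    {"user": "j.smith", "role": "nurse", "enabled": True,
     "password_set": date(2019, 4, 15), "left_on": date(2019, 5, 31)},
    {"user": "temp.clerk", "role": "contractor", "enabled": False,
     "password_set": date(2019, 3, 1), "left_on": date(2019, 4, 1)},
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user}: {finding}")
```

Run against the sample roster, the audit flags the receptionist's five-month-old password, the nurse whose account is still enabled two weeks after leaving, and a contractor whose role has no defined permissions. The allow-list design means a new role or permission is denied until someone deliberately grants it, which is the behaviour you want when the data is PHI.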

Train Your Staff

Now that you’ve put measures in place to secure devices, data, and access, it is time to train your employees. Hand out written cyber policies on how to protect devices and data. Have a clear password strategy. Invest in current HIPAA and cyber-security training. Keep abreast of trends as new technologies evolve. Then, everyone at the practice can help you avoid problems.

Optional: Consider Cybersecurity Insurance

Cyber insurance helps mitigate losses in the event of a data breach. Today, most major insurers offer this type of policy, although it is new. When shopping for insurance, be sure to do your homework as not all policies are the same. Ask about specific cyber-security policies or tools that help keep premiums down.

You Can Avoid Medical Office Data Breaches

You cannot always prevent a data breach. Physicians, patients, and employees can fall victim to phishing scams and other attacks. But you can avoid the most common, controllable types of breaches. Apply best practices to your security policies and stop these problems before they start!

Copyright Reminder Services Inc. - 2019