Computer Consult: Keep tabs on who sees what

December 9, 2002

Security levels and passwords will help you maintain patient privacy and safeguard your records.


Cheryl L. Toth

A billing clerk in a Dallas medical practice got angry when she was denied a promotion. Then she got even, by going into the practice management software program and deleting claims that hadn't been submitted to insurers and patients yet. The doctors are facing tens of thousands of dollars in lost revenue.

This act of vandalism illustrates why you need to restrict access to your practice's electronic data. Your computer system shouldn't be an open book that any employee can thumb through freely. Security precautions are even more critical in light of the now-final privacy standard established by the federal Health Insurance Portability and Accountability Act, as well as that law's final security standard, due to be published soon. The following tips will help you tighten your computer network.

Define data privileges. The average practice management software program lets you grant or deny access to various files—depending on the employee—by setting up user accounts, says Larry Bossom, a manager with Project Leadership Associates, a technology consulting firm in Chicago. These accounts require employees to type in both a user name and a password to gain admittance.

"Besides protecting data from unauthorized parties, user accounts let you create audit trails to maintain a record of which staff members performed which transactions," says Bossom. "It's just a matter of turning on the controls. Some practices don't."

The operating system for your office's computer network, be it Windows, NetWare, or Unix, also features the same kind of security controls, says Bossom. You can configure user accounts to prevent an employee from peeking into payroll records or accidentally deleting your practice management program. To simplify matters, deploy the same user name and password for the practice management and network systems.

Limit who can enter and edit data. Decide not only which data files particular employees can read, but which ones they can edit. You also have to guard against well-intentioned security breaches, like the one Bossom encountered in a large group practice: Whenever the managers of two satellite offices wanted to give self-pay patients a discount, they lowered standard fees in their computer system's master fee schedule. Unfortunately, doing so made those discounts the norm for the entire group. "Only the practice's top administrator should have the authority to revise a fee schedule," says Bossom.

The same concerns about access apply to electronic medical records. You need to decide, for example, who's authorized to enter data—physicians, physician assistants, nurses, and medical assistants are logical choices—and who can only read the record. The ability to fine-tune these controls in an EMR varies from product to product.
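The read-versus-edit split and the audit trail the two preceding tips describe, as an added illustration that is not from the article or any practice management product: a constructed role table in which everyone reads the fee schedule but only the top administrator revises it, clinicians write to the chart while billing staff only read it, and every attempt is logged under the user's own account.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-permission table modelled on the article's advice.
# Anything not listed here is denied (default deny).
PERMISSIONS = {
    "fee_schedule":   {"read":  {"administrator", "office_manager", "billing_clerk",
                                 "physician", "nurse"},
                       "write": {"administrator"}},
    "patient_record": {"read":  {"administrator", "physician", "physician_assistant",
                                 "nurse", "medical_assistant", "billing_clerk"},
                       "write": {"physician", "physician_assistant",
                                 "nurse", "medical_assistant"}},
    "payroll":        {"read":  {"administrator"}, "write": {"administrator"}},
}

@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def record(self, user, role, action, resource, allowed):
        # Denied attempts are logged too, so a review shows who tried what.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "resource": resource, "allowed": allowed,
        })

    def by_user(self, user):
        """Transactions attributed to one staff member (needs per-user logins)."""
        return [e for e in self.entries if e["user"] == user]

def authorize(user, role, action, resource, trail):
    """True if the role may perform action on resource; logged either way."""
    allowed = role in PERMISSIONS.get(resource, {}).get(action, set())
    trail.record(user, role, action, resource, allowed)
    return allowed

if __name__ == "__main__":
    trail = AuditTrail()
    # The satellite-office manager from the article: may read fees, not rewrite them.
    print(authorize("jsmith", "office_manager", "write", "fee_schedule", trail))
    print(authorize("admin1", "administrator", "write", "fee_schedule", trail))
    print(authorize("bclerk", "billing_clerk", "write", "patient_record", trail))
    for e in trail.entries:
        print(e["user"], e["action"], e["resource"], "ok" if e["allowed"] else "DENIED")
```

The `by_user` lookup only means something when each person logs in under their own account, which is the point of the later tip about logging in and out.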

Pick hacker-resistant passwords. Don't let staffers use any words found in a dictionary as stand-alone passwords. Hackers will search entire online dictionaries—including those of foreign languages—to crack a password. Also avoid passwords based on anything a hacker could find out about an individual, such as his computer login name, his birthday, dog's name, or telephone number. "A password should be a combination of letters, numbers, and symbols," Bossom says. And the longer the better. Bossom recommends a minimum of eight characters.

Change passwords regularly. The industry standard is every 60 to 90 days. Your network software can automatically remind employees to reset.
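The password rules in the two tips above (no dictionary words, nothing an attacker could learn about the person, letters plus numbers plus symbols, at least eight characters, rotation every 60 to 90 days) as an added, constructed policy checker; it is not code from the article or from any practice management system, and the small word list stands in for the full dictionaries a real check would load.

```python
import re
from datetime import date

# Constructed stand-in for the dictionaries an attacker would try; a real
# deployment would load complete word lists, foreign languages included.
DICTIONARY = {"password", "medical", "clinic", "doctor", "welcome", "secret",
              "amigo", "bonjour", "kennwort"}

MIN_LENGTH = 8
MAX_AGE_DAYS = 90   # upper end of the article's 60-to-90-day range

def password_problems(password, user_info):
    """Return a list of policy violations; an empty list means the password passes.

    user_info holds facts an attacker could find out about the person:
    "login", "birthday" (a date), "dog", "phone".
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    # Strip everything but letters so "Welcome1!" is still caught as "welcome".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in DICTIONARY:
        problems.append("based on a dictionary word")
    # Personal facts: login name, dog's name, phone (full and local part), birthday.
    phone = re.sub(r"\D", "", user_info.get("phone", ""))
    personal = [user_info.get("login", ""), user_info.get("dog", ""), phone, phone[-7:]]
    bday = user_info.get("birthday")
    if bday:
        personal += [bday.strftime(f) for f in ("%m%d%Y", "%Y%m%d", "%m%d%y", "%d%m%Y")]
    lowered = password.lower()
    if any(len(f) >= 3 and f.lower() in lowered for f in personal):
        problems.append("contains personal information")
    return problems

def password_expired(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the rotation period."""
    today = today or date.today()
    return (today - last_changed).days > max_age_days
```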

Keep passwords under wraps. Don't allow employees to write their passwords on sticky notes and slap them on their monitors. They should memorize their passwords or keep them in a safe place away from their workstations. And although you want employees to work as a team, instruct them not to exchange passwords.

Change the computer "locks." When an employee quits or is terminated, delete his or her user account and institute new passwords for everybody else. Otherwise an ex-employee privy to another staffer's password could hack into the system.

Insist that staffers routinely log in and out. "This step is often skipped during busy patient hours, but when an employee starts typing at a workstation that somebody else logged into, you're unable to track computer activity by user," Bossom says. "So when mistakes are made, you won't know whom to hold accountable."

Managing access to electronic data may be bothersome, but it's also a crucial task. There's more than one angry billing clerk in the medical world.

The author is a Tucson-based writer and practice management consultant with KarenZupko & Associates. Computer Consult is edited by Senior Editor Robert Lowes.


Cheryl Toth. Computer Consult: Keep tabs on who sees what. Medical Economics Dec. 9, 2002;79:27.