As technologies in computer hardware and software continuously improve, we can work more efficiently and productively. But along with that progress, comes a disturbing and increasingly worrisome “dark side” for medical practices — particularly given the security and confidentiality mandates coming with the Health Insurance Portability and Accountability Act (HIPAA) in 2003. Everyone’s heard about newer and more destructive computer viruses, worms, and Trojan horses. Most of us have suffered the frustrating e-mail and browser slowdowns caused by “denial of service” attacks against Internet service provider network and corporate servers. And there are frequent news reports of hackers breaking into systems and, in some cases, doing malicious damage (deleting or stealing files, defacing Web sites, etc.). HIPAA will place new, tough security requirements on every dermatologist’s office computer system. Failure to adequately and appropriately protect your computer system from unauthorized external and internal access to and transmission of protected health information could prove disastrous. Within the next year, you’re sure to see third party payers — insurance companies, HMOs, IPAs, etc. -— reacting to HIPAA and amending provider agreements to require that you have protocols in place to monitor and assure computer system security and protect confidential patient information. In the first part of this two-part article series, I’ll give you some suggestions on ways to make it harder for those outside your practice to identify and access your computer system, probe it, and compromise the data. You can implement all of these with the guidance of someone who knows how to set up, configure and secure small-scale computer networks. Connecting to the Internet While most home Internet connections are traditional 56K “dial-ups” and generally suffice for e-mail and web-surfing, medical practices have greater demands and typically connect via high-speed (broad band) pathways such as DSL or cable. Even though broad band connections dramatically improve upload and download performance (for example, when submitting electronic claims or when downloading a database), they can pose a significant, downside security risk if you’re not careful. Unlike a slower, “dial-up” connection, which only connects computers to the outside world when a user clicks on the dialer button or icon, high-speed connections typically are “always on.” By default the connection is always open to the Internet. This constant exposure makes a computer more vulnerable to hackers who search for open Internet connections using special programs such as port scanners. These high-speed automated search programs find vulnerable computers, log Internet addresses, and then allow hacking at will. That’s the unfortunate dichotomy of high-speed Internet connection. It’s fast and productive, but it can be vulnerable if you fail to take appropriate security precautions. Let’s assume you have DSL. Here’s what you can do to make it less vulnerable. Configure for dial-on demand. The first step is to disable DSL’s “always on” default setting. Re-configuring a DSL connection to “dial on demand” means that when you click on your e-mail or browser programs the DSL line instantly opens and quickly connects to the Internet. If you also set a low idle time (the period of process inactivity after which the DSL line automatically disconnects) — say around 60 seconds — you’ll get the high-speed access you want when and as you need it, but without leaving your system exposed to port scanning probes at those times when you’re not on the Internet (e.g., after business hours). Properly configured, dial on demand virtually has no downside. Unlike traditional dial-up, with dial on demand there’s little worry that on disconnecting you’ll lose a good, clean connection and on reconnecting will instead get a slower or “dirtier” connection (a very common complaint with dial-up). So, by reducing the time your computer is connected to the Internet, dial on demand significantly narrows the windows of opportunity for those who’d try to identify and then compromise your system from the outside. Use a router (hub/modem) and firewall(s). Medical offices typically have multiple computers and workstations linked to a network. If this is the case in your practice, use a router with a built-in “firmware” firewall and a user-selectable password feature as the entry point (gateway) for the high-speed line and as the distribution point to the network and its satellite terminals. A DSL line should never connect directly to an unprotected Internet gateway computer that then distributes to other computers in the network. (Note: Be sure to change the default password in the router.) I suggest also using a software firewall to protect the system. Select firewall software that is a demonstrated, quality product that protects the network from unauthorized, inbound probes. But you also want to be certain that it protects the system from unauthorized, outbound transmissions (for example, it prevents your computer from “calling home” to a hacker’s computer if he has surreptitiously planted a program in the system that transfers data from your hard drive to his). Unfortunately, you must do your homework before choosing the best firewall software because many products on the market won’t protect your system from a sneeze much less a hacker’s calculated assault. So do some research. (See “Resources” for more information.) Add a “DMZ” computer. I recommend adding a “DMZ” (as in demilitarized zone) computer to your system. The DMZ computer is, in essence, a trap for intrusive probes. When a probe (inquiry) signal from the outside world tries to access a protected system, the router described above first directs that inquiry to the DMZ computer. The DMZ is programmed to check the inquiry. If not authorized, the inquiry goes no farther — it’s contained in what essentially becomes a black hole. It’s the ultimate firewall, if you will. And, best of all, the average hacker probably won’t know what happened to his probe or why it failed. He’ll only know that it was unsuccessful, and then he’ll probably move on in search of other, easier targets of opportunity. As with a burglar who bypasses your house when he sees evidence of an alarm system, that’s just fine. As long as he goes somewhere else. Your DMZ computer need not be an expensive, state-of-the-art system. Since it will only act as a security gate and won’t be loaded with any software other than an operating system and the authorization protocols, an early Pentium or even a 486 with a little memory and a small hard drive will work just fine. Keep Protected Health Information off Workstations that Can Connect to the Internet What I’ve described so far reduces opportunities to compromise the office computer system from the outside. But what if you want the ultimate level of protection for your protected health information? There is a way, however it comes with a price. Bifurcation. If you want 100% certainty that nobody from the outside can probe and compromise protected health information, then cut the connection between the outside world and your patient records. Keep whatever business records are needed on protected machines that can connect to the Internet, but keep protected health information on machines that can’t. Then a hacker’s successful attack will be limited to your business records. (That’s bad enough, of course, but vis-a-vis HIPAA potentially less problematic than a breach of medical records confidentiality.) Of course, placing protected health information on a computer that can’t access the Internet would prevent most practices from electronically transmitting medical records to other healthcare providers, or claims support documentation to insurance companies. But is that a significant issue? It depends . . . . You’d be forced to send such records by fax or mail/courier. But maybe that’s okay. For most practices either method would be more secure than sending protected health information as an e-mail attachment. Remember, whether you send data via e-mail or file transfer protocol (FTP) unless it’s encrypted anything you send over the Internet can be read by others — authorized or not — along the transmission path. That’s a big HIPAA sore thumb. And, besides, to transmit clear electronic copies of medical records that could be read by an authorized recipient you’d probably need to convert the documents to a .pdf format (Adobe Acrobat), or something similar. That’s a lot of extra work. The real problem, of course, is that with where technology is headed you must have the ability to submit claims electronically — to Medicare and to other third party insurers. And sometimes those claims submissions necessitate attaching support documentation from the confidential medical records. If the protected health information is on a different computer, what do you do? One possible solution is to work with a computer security expert and set up a means by which you can transmit encrypted batchloads of claims that would include any support documentation. This might mean temporarily placing the batchload file(s) on a terminal linked to the Internet, transmitting to the payer, and then removing the temporary file(s) immediately after a transmission is completed. (Note: Pressing delete to remove these temporary files from the transmitting computer’s hard drive isn’t adequate. An incinerator program that permanently deletes/overwrites files is required.) A simpler and cleaner method would be to “burn” (record) the batchloaded claims onto a CD, and then use that CD to transmit the claims from one of your Internet-connected computers. This is an attractive solution since it’s almost fail-safe; the CD’s contents would never actually be loaded onto the transmitting computer’s hard drive. And your staff can securely archive the CD so that you have a permanent record of each day’s work. (Note: If space for archiving CDs becomes a storage challenge, you can always put in an optical disk system that records many gigabytes of data on each optical disk.) Of course, other possible solutions exist, but each must be tailored to the specific needs and capabilities of your practice while still addressing HIPAA requirements. Web site servers. If you host your own Web site, this can create another potential security problem because you want the public to have easy access to your site. But when you host a Web site, you’re publishing an IP address to the world. And if you were to host the Web site on the same server as holds office data, that could dramatically increase opportunities for a hacker to breach your system and get to protected health information. This is a particular problem if you’re using Windows NT/Windows 2000 server software. Windows servers use Microsoft’s IIS (Internet Information Service), a protocol with lots of documented security holes. Many information technology experts have warned against using IIS, but the message doesn’t seem to have filtered to many end-users. If a hacker can get to your Web site (by hacker standards, a fairly easy penetration), and if your patient files are on the same server or another computer connected to it, that’s a potential security breach and a big headache for everyone involved. So never have patient or business information on any Web site server. Host your Web site somewhere else — using an IP address that can’t be tied to your office. I strongly recommend that whatever else you might do to address computer security, break any connection between the medical/ accounting records and a Web site server. What a Can of Worms! Now, all of the above might seem like a time-consuming, costly, and inconvenient process. And it probably will be. Unfortunately, for all its good intent that’s what HIPAA is all about once you get to the realities for medical offices. But your bottom-line concern must be protecting the patient records. After all is said and done, that’s what the federal government intends should drive this entire exercise. Taking the next step Once the network is configured and secured from outside probes, it’s essential to take steps to secure it from internal mischief. In today’s world it’s becoming more likely that your office computer system could be breached and confidential data compromised. Under any circumstances, that’s a nightmare. But HIPAA’s security and confidentiality mandates make it more important than ever to reduce opportunities for hackers, crackers and others to get into your system and create mischief. It’s not optional that you do this; it’s mandatory. The price for being inattentive is too high. Do yourself a favor and obtain a checklist of HIPAA security issues. Then, scan that list to see just how well you’re doing. (See “Resources” for more information.) If you haven’t already started developing practice security protocols, it’s imperative that you begin immediately. If you have some security protocols in place, then you must review them and make appropriate changes to keep up with the ever more creative and devious methods of the “bad guys.” All of this is going to cost. You can invest in protective measures at the front-end, or you can pay the much more costly consequences at the back-end. In part two of this article series (which will run in April), I’ll discuss steps you can take to do this such as limiting network permissions, developing a password protection and log-in policy and limiting remote access. In addition, I’ll talk about points you might want to consider when evaluating your current operating system. Special thanks to software designer and systems consultant, Rick Downes, of RadSoft (https://radsoft.net) and Michael Lockard, Administrator at Talley Medical-Surgical Eye Care Associates for their invaluable contributions to this discussion.
Computer Security on the Internet and in Your Office
As technologies in computer hardware and software continuously improve, we can work more efficiently and productively. But along with that progress, comes a disturbing and increasingly worrisome “dark side” for medical practices — particularly given the security and confidentiality mandates coming with the Health Insurance Portability and Accountability Act (HIPAA) in 2003. Everyone’s heard about newer and more destructive computer viruses, worms, and Trojan horses. Most of us have suffered the frustrating e-mail and browser slowdowns caused by “denial of service” attacks against Internet service provider network and corporate servers. And there are frequent news reports of hackers breaking into systems and, in some cases, doing malicious damage (deleting or stealing files, defacing Web sites, etc.). HIPAA will place new, tough security requirements on every dermatologist’s office computer system. Failure to adequately and appropriately protect your computer system from unauthorized external and internal access to and transmission of protected health information could prove disastrous. Within the next year, you’re sure to see third party payers — insurance companies, HMOs, IPAs, etc. -— reacting to HIPAA and amending provider agreements to require that you have protocols in place to monitor and assure computer system security and protect confidential patient information. In the first part of this two-part article series, I’ll give you some suggestions on ways to make it harder for those outside your practice to identify and access your computer system, probe it, and compromise the data. You can implement all of these with the guidance of someone who knows how to set up, configure and secure small-scale computer networks. Connecting to the Internet While most home Internet connections are traditional 56K “dial-ups” and generally suffice for e-mail and web-surfing, medical practices have greater demands and typically connect via high-speed (broad band) pathways such as DSL or cable. Even though broad band connections dramatically improve upload and download performance (for example, when submitting electronic claims or when downloading a database), they can pose a significant, downside security risk if you’re not careful. Unlike a slower, “dial-up” connection, which only connects computers to the outside world when a user clicks on the dialer button or icon, high-speed connections typically are “always on.” By default the connection is always open to the Internet. This constant exposure makes a computer more vulnerable to hackers who search for open Internet connections using special programs such as port scanners. These high-speed automated search programs find vulnerable computers, log Internet addresses, and then allow hacking at will. That’s the unfortunate dichotomy of high-speed Internet connection. It’s fast and productive, but it can be vulnerable if you fail to take appropriate security precautions. Let’s assume you have DSL. Here’s what you can do to make it less vulnerable. Configure for dial-on demand. The first step is to disable DSL’s “always on” default setting. Re-configuring a DSL connection to “dial on demand” means that when you click on your e-mail or browser programs the DSL line instantly opens and quickly connects to the Internet. If you also set a low idle time (the period of process inactivity after which the DSL line automatically disconnects) — say around 60 seconds — you’ll get the high-speed access you want when and as you need it, but without leaving your system exposed to port scanning probes at those times when you’re not on the Internet (e.g., after business hours). Properly configured, dial on demand virtually has no downside. Unlike traditional dial-up, with dial on demand there’s little worry that on disconnecting you’ll lose a good, clean connection and on reconnecting will instead get a slower or “dirtier” connection (a very common complaint with dial-up). So, by reducing the time your computer is connected to the Internet, dial on demand significantly narrows the windows of opportunity for those who’d try to identify and then compromise your system from the outside. Use a router (hub/modem) and firewall(s). Medical offices typically have multiple computers and workstations linked to a network. If this is the case in your practice, use a router with a built-in “firmware” firewall and a user-selectable password feature as the entry point (gateway) for the high-speed line and as the distribution point to the network and its satellite terminals. A DSL line should never connect directly to an unprotected Internet gateway computer that then distributes to other computers in the network. (Note: Be sure to change the default password in the router.) I suggest also using a software firewall to protect the system. Select firewall software that is a demonstrated, quality product that protects the network from unauthorized, inbound probes. But you also want to be certain that it protects the system from unauthorized, outbound transmissions (for example, it prevents your computer from “calling home” to a hacker’s computer if he has surreptitiously planted a program in the system that transfers data from your hard drive to his). Unfortunately, you must do your homework before choosing the best firewall software because many products on the market won’t protect your system from a sneeze much less a hacker’s calculated assault. So do some research. (See “Resources” for more information.) Add a “DMZ” computer. I recommend adding a “DMZ” (as in demilitarized zone) computer to your system. The DMZ computer is, in essence, a trap for intrusive probes. When a probe (inquiry) signal from the outside world tries to access a protected system, the router described above first directs that inquiry to the DMZ computer. The DMZ is programmed to check the inquiry. If not authorized, the inquiry goes no farther — it’s contained in what essentially becomes a black hole. It’s the ultimate firewall, if you will. And, best of all, the average hacker probably won’t know what happened to his probe or why it failed. He’ll only know that it was unsuccessful, and then he’ll probably move on in search of other, easier targets of opportunity. As with a burglar who bypasses your house when he sees evidence of an alarm system, that’s just fine. As long as he goes somewhere else. Your DMZ computer need not be an expensive, state-of-the-art system. Since it will only act as a security gate and won’t be loaded with any software other than an operating system and the authorization protocols, an early Pentium or even a 486 with a little memory and a small hard drive will work just fine. Keep Protected Health Information off Workstations that Can Connect to the Internet What I’ve described so far reduces opportunities to compromise the office computer system from the outside. But what if you want the ultimate level of protection for your protected health information? There is a way, however it comes with a price. Bifurcation. If you want 100% certainty that nobody from the outside can probe and compromise protected health information, then cut the connection between the outside world and your patient records. Keep whatever business records are needed on protected machines that can connect to the Internet, but keep protected health information on machines that can’t. Then a hacker’s successful attack will be limited to your business records. (That’s bad enough, of course, but vis-a-vis HIPAA potentially less problematic than a breach of medical records confidentiality.) Of course, placing protected health information on a computer that can’t access the Internet would prevent most practices from electronically transmitting medical records to other healthcare providers, or claims support documentation to insurance companies. But is that a significant issue? It depends . . . . You’d be forced to send such records by fax or mail/courier. But maybe that’s okay. For most practices either method would be more secure than sending protected health information as an e-mail attachment. Remember, whether you send data via e-mail or file transfer protocol (FTP) unless it’s encrypted anything you send over the Internet can be read by others — authorized or not — along the transmission path. That’s a big HIPAA sore thumb. And, besides, to transmit clear electronic copies of medical records that could be read by an authorized recipient you’d probably need to convert the documents to a .pdf format (Adobe Acrobat), or something similar. That’s a lot of extra work. The real problem, of course, is that with where technology is headed you must have the ability to submit claims electronically — to Medicare and to other third party insurers. And sometimes those claims submissions necessitate attaching support documentation from the confidential medical records. If the protected health information is on a different computer, what do you do? One possible solution is to work with a computer security expert and set up a means by which you can transmit encrypted batchloads of claims that would include any support documentation. This might mean temporarily placing the batchload file(s) on a terminal linked to the Internet, transmitting to the payer, and then removing the temporary file(s) immediately after a transmission is completed. (Note: Pressing delete to remove these temporary files from the transmitting computer’s hard drive isn’t adequate. An incinerator program that permanently deletes/overwrites files is required.) A simpler and cleaner method would be to “burn” (record) the batchloaded claims onto a CD, and then use that CD to transmit the claims from one of your Internet-connected computers. This is an attractive solution since it’s almost fail-safe; the CD’s contents would never actually be loaded onto the transmitting computer’s hard drive. And your staff can securely archive the CD so that you have a permanent record of each day’s work. (Note: If space for archiving CDs becomes a storage challenge, you can always put in an optical disk system that records many gigabytes of data on each optical disk.) Of course, other possible solutions exist, but each must be tailored to the specific needs and capabilities of your practice while still addressing HIPAA requirements. Web site servers. If you host your own Web site, this can create another potential security problem because you want the public to have easy access to your site. But when you host a Web site, you’re publishing an IP address to the world. And if you were to host the Web site on the same server as holds office data, that could dramatically increase opportunities for a hacker to breach your system and get to protected health information. This is a particular problem if you’re using Windows NT/Windows 2000 server software. Windows servers use Microsoft’s IIS (Internet Information Service), a protocol with lots of documented security holes. Many information technology experts have warned against using IIS, but the message doesn’t seem to have filtered to many end-users. If a hacker can get to your Web site (by hacker standards, a fairly easy penetration), and if your patient files are on the same server or another computer connected to it, that’s a potential security breach and a big headache for everyone involved. So never have patient or business information on any Web site server. Host your Web site somewhere else — using an IP address that can’t be tied to your office. I strongly recommend that whatever else you might do to address computer security, break any connection between the medical/ accounting records and a Web site server. What a Can of Worms! Now, all of the above might seem like a time-consuming, costly, and inconvenient process. And it probably will be. Unfortunately, for all its good intent that’s what HIPAA is all about once you get to the realities for medical offices. But your bottom-line concern must be protecting the patient records. After all is said and done, that’s what the federal government intends should drive this entire exercise. Taking the next step Once the network is configured and secured from outside probes, it’s essential to take steps to secure it from internal mischief. In today’s world it’s becoming more likely that your office computer system could be breached and confidential data compromised. Under any circumstances, that’s a nightmare. But HIPAA’s security and confidentiality mandates make it more important than ever to reduce opportunities for hackers, crackers and others to get into your system and create mischief. It’s not optional that you do this; it’s mandatory. The price for being inattentive is too high. Do yourself a favor and obtain a checklist of HIPAA security issues. Then, scan that list to see just how well you’re doing. (See “Resources” for more information.) If you haven’t already started developing practice security protocols, it’s imperative that you begin immediately. If you have some security protocols in place, then you must review them and make appropriate changes to keep up with the ever more creative and devious methods of the “bad guys.” All of this is going to cost. You can invest in protective measures at the front-end, or you can pay the much more costly consequences at the back-end. In part two of this article series (which will run in April), I’ll discuss steps you can take to do this such as limiting network permissions, developing a password protection and log-in policy and limiting remote access. In addition, I’ll talk about points you might want to consider when evaluating your current operating system. Special thanks to software designer and systems consultant, Rick Downes, of RadSoft (https://radsoft.net) and Michael Lockard, Administrator at Talley Medical-Surgical Eye Care Associates for their invaluable contributions to this discussion.
As technologies in computer hardware and software continuously improve, we can work more efficiently and productively. But along with that progress, comes a disturbing and increasingly worrisome “dark side” for medical practices — particularly given the security and confidentiality mandates coming with the Health Insurance Portability and Accountability Act (HIPAA) in 2003. Everyone’s heard about newer and more destructive computer viruses, worms, and Trojan horses. Most of us have suffered the frustrating e-mail and browser slowdowns caused by “denial of service” attacks against Internet service provider network and corporate servers. And there are frequent news reports of hackers breaking into systems and, in some cases, doing malicious damage (deleting or stealing files, defacing Web sites, etc.). HIPAA will place new, tough security requirements on every dermatologist’s office computer system. Failure to adequately and appropriately protect your computer system from unauthorized external and internal access to and transmission of protected health information could prove disastrous. Within the next year, you’re sure to see third party payers — insurance companies, HMOs, IPAs, etc. -— reacting to HIPAA and amending provider agreements to require that you have protocols in place to monitor and assure computer system security and protect confidential patient information. In the first part of this two-part article series, I’ll give you some suggestions on ways to make it harder for those outside your practice to identify and access your computer system, probe it, and compromise the data. You can implement all of these with the guidance of someone who knows how to set up, configure and secure small-scale computer networks. Connecting to the Internet While most home Internet connections are traditional 56K “dial-ups” and generally suffice for e-mail and web-surfing, medical practices have greater demands and typically connect via high-speed (broad band) pathways such as DSL or cable. Even though broad band connections dramatically improve upload and download performance (for example, when submitting electronic claims or when downloading a database), they can pose a significant, downside security risk if you’re not careful. Unlike a slower, “dial-up” connection, which only connects computers to the outside world when a user clicks on the dialer button or icon, high-speed connections typically are “always on.” By default the connection is always open to the Internet. This constant exposure makes a computer more vulnerable to hackers who search for open Internet connections using special programs such as port scanners. These high-speed automated search programs find vulnerable computers, log Internet addresses, and then allow hacking at will. That’s the unfortunate dichotomy of high-speed Internet connection. It’s fast and productive, but it can be vulnerable if you fail to take appropriate security precautions. Let’s assume you have DSL. Here’s what you can do to make it less vulnerable. Configure for dial-on demand. The first step is to disable DSL’s “always on” default setting. Re-configuring a DSL connection to “dial on demand” means that when you click on your e-mail or browser programs the DSL line instantly opens and quickly connects to the Internet. If you also set a low idle time (the period of process inactivity after which the DSL line automatically disconnects) — say around 60 seconds — you’ll get the high-speed access you want when and as you need it, but without leaving your system exposed to port scanning probes at those times when you’re not on the Internet (e.g., after business hours). Properly configured, dial on demand virtually has no downside. Unlike traditional dial-up, with dial on demand there’s little worry that on disconnecting you’ll lose a good, clean connection and on reconnecting will instead get a slower or “dirtier” connection (a very common complaint with dial-up). So, by reducing the time your computer is connected to the Internet, dial on demand significantly narrows the windows of opportunity for those who’d try to identify and then compromise your system from the outside. Use a router (hub/modem) and firewall(s). Medical offices typically have multiple computers and workstations linked to a network. If this is the case in your practice, use a router with a built-in “firmware” firewall and a user-selectable password feature as the entry point (gateway) for the high-speed line and as the distribution point to the network and its satellite terminals. A DSL line should never connect directly to an unprotected Internet gateway computer that then distributes to other computers in the network. (Note: Be sure to change the default password in the router.) I suggest also using a software firewall to protect the system. Select firewall software that is a demonstrated, quality product that protects the network from unauthorized, inbound probes. But you also want to be certain that it protects the system from unauthorized, outbound transmissions (for example, it prevents your computer from “calling home” to a hacker’s computer if he has surreptitiously planted a program in the system that transfers data from your hard drive to his). Unfortunately, you must do your homework before choosing the best firewall software because many products on the market won’t protect your system from a sneeze much less a hacker’s calculated assault. So do some research. (See “Resources” for more information.) Add a “DMZ” computer. I recommend adding a “DMZ” (as in demilitarized zone) computer to your system. The DMZ computer is, in essence, a trap for intrusive probes. When a probe (inquiry) signal from the outside world tries to access a protected system, the router described above first directs that inquiry to the DMZ computer. The DMZ is programmed to check the inquiry. If not authorized, the inquiry goes no farther — it’s contained in what essentially becomes a black hole. It’s the ultimate firewall, if you will. And, best of all, the average hacker probably won’t know what happened to his probe or why it failed. He’ll only know that it was unsuccessful, and then he’ll probably move on in search of other, easier targets of opportunity. As with a burglar who bypasses your house when he sees evidence of an alarm system, that’s just fine. As long as he goes somewhere else. Your DMZ computer need not be an expensive, state-of-the-art system. Since it will only act as a security gate and won’t be loaded with any software other than an operating system and the authorization protocols, an early Pentium or even a 486 with a little memory and a small hard drive will work just fine. Keep Protected Health Information off Workstations that Can Connect to the Internet What I’ve described so far reduces opportunities to compromise the office computer system from the outside. But what if you want the ultimate level of protection for your protected health information? There is a way, however it comes with a price. Bifurcation. If you want 100% certainty that nobody from the outside can probe and compromise protected health information, then cut the connection between the outside world and your patient records. Keep whatever business records are needed on protected machines that can connect to the Internet, but keep protected health information on machines that can’t. Then a hacker’s successful attack will be limited to your business records. (That’s bad enough, of course, but vis-a-vis HIPAA potentially less problematic than a breach of medical records confidentiality.) Of course, placing protected health information on a computer that can’t access the Internet would prevent most practices from electronically transmitting medical records to other healthcare providers, or claims support documentation to insurance companies. But is that a significant issue? It depends . . . . You’d be forced to send such records by fax or mail/courier. But maybe that’s okay. For most practices either method would be more secure than sending protected health information as an e-mail attachment. Remember, whether you send data via e-mail or file transfer protocol (FTP) unless it’s encrypted anything you send over the Internet can be read by others — authorized or not — along the transmission path. That’s a big HIPAA sore thumb. And, besides, to transmit clear electronic copies of medical records that could be read by an authorized recipient you’d probably need to convert the documents to a .pdf format (Adobe Acrobat), or something similar. That’s a lot of extra work. The real problem, of course, is that with where technology is headed you must have the ability to submit claims electronically — to Medicare and to other third party insurers. And sometimes those claims submissions necessitate attaching support documentation from the confidential medical records. If the protected health information is on a different computer, what do you do? One possible solution is to work with a computer security expert and set up a means by which you can transmit encrypted batchloads of claims that would include any support documentation. This might mean temporarily placing the batchload file(s) on a terminal linked to the Internet, transmitting to the payer, and then removing the temporary file(s) immediately after a transmission is completed. (Note: Pressing delete to remove these temporary files from the transmitting computer’s hard drive isn’t adequate. An incinerator program that permanently deletes/overwrites files is required.) A simpler and cleaner method would be to “burn” (record) the batchloaded claims onto a CD, and then use that CD to transmit the claims from one of your Internet-connected computers. This is an attractive solution since it’s almost fail-safe; the CD’s contents would never actually be loaded onto the transmitting computer’s hard drive. And your staff can securely archive the CD so that you have a permanent record of each day’s work. (Note: If space for archiving CDs becomes a storage challenge, you can always put in an optical disk system that records many gigabytes of data on each optical disk.) Of course, other possible solutions exist, but each must be tailored to the specific needs and capabilities of your practice while still addressing HIPAA requirements. Web site servers. If you host your own Web site, this can create another potential security problem because you want the public to have easy access to your site. But when you host a Web site, you’re publishing an IP address to the world. And if you were to host the Web site on the same server as holds office data, that could dramatically increase opportunities for a hacker to breach your system and get to protected health information. This is a particular problem if you’re using Windows NT/Windows 2000 server software. Windows servers use Microsoft’s IIS (Internet Information Service), a protocol with lots of documented security holes. Many information technology experts have warned against using IIS, but the message doesn’t seem to have filtered to many end-users. If a hacker can get to your Web site (by hacker standards, a fairly easy penetration), and if your patient files are on the same server or another computer connected to it, that’s a potential security breach and a big headache for everyone involved. So never have patient or business information on any Web site server. Host your Web site somewhere else — using an IP address that can’t be tied to your office. I strongly recommend that whatever else you might do to address computer security, break any connection between the medical/ accounting records and a Web site server. What a Can of Worms! Now, all of the above might seem like a time-consuming, costly, and inconvenient process. And it probably will be. Unfortunately, for all its good intent that’s what HIPAA is all about once you get to the realities for medical offices. But your bottom-line concern must be protecting the patient records. After all is said and done, that’s what the federal government intends should drive this entire exercise. Taking the next step Once the network is configured and secured from outside probes, it’s essential to take steps to secure it from internal mischief. In today’s world it’s becoming more likely that your office computer system could be breached and confidential data compromised. Under any circumstances, that’s a nightmare. But HIPAA’s security and confidentiality mandates make it more important than ever to reduce opportunities for hackers, crackers and others to get into your system and create mischief. It’s not optional that you do this; it’s mandatory. The price for being inattentive is too high. Do yourself a favor and obtain a checklist of HIPAA security issues. Then, scan that list to see just how well you’re doing. (See “Resources” for more information.) If you haven’t already started developing practice security protocols, it’s imperative that you begin immediately. If you have some security protocols in place, then you must review them and make appropriate changes to keep up with the ever more creative and devious methods of the “bad guys.” All of this is going to cost. You can invest in protective measures at the front-end, or you can pay the much more costly consequences at the back-end. In part two of this article series (which will run in April), I’ll discuss steps you can take to do this such as limiting network permissions, developing a password protection and log-in policy and limiting remote access. In addition, I’ll talk about points you might want to consider when evaluating your current operating system. Special thanks to software designer and systems consultant, Rick Downes, of RadSoft (https://radsoft.net) and Michael Lockard, Administrator at Talley Medical-Surgical Eye Care Associates for their invaluable contributions to this discussion.
