
HIStalk Practice Advisory Panel: Social Media, Security Practices

January 25, 2013 | Advisory Panel, News

The HIStalk Practice Advisory Panel is a group of physicians, ambulatory care professionals, and a few vendor executives who have volunteered to provide their thoughts on topical issues relevant to physician practices. I seek their input every month or so on an important news development and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a practice, you are welcome to join the panel. Many thanks to the HIStalk Practice Advisory Panel members for willingness to participate.

For this report, I asked panel members about social media in their practice and privacy and security measures.


What social media tools are being used in your practice?


We’ve had to tighten things up due to fear of lawsuits or other problems. We encourage our providers to only use the official practice website or official practice-based Facebook and Twitter accounts. There are a couple of physicians who use personal Facebook accounts and have patients who have friended them, but that’s discouraged.


Website with vetted patient education content, Twitter, e-mail – with marked restrictions (until we engage our portal) and patient communications portal (pending).


We have a very basic Facebook presence and starting to do some rare tweets. But right now we believe our patients really want connectivity rather than content, so our focus is on making sure it is very easy to send in messages via our secure portal.


Employed clinics have a Facebook presence to make general announcements about clinic-sponsored community events, new services, and physicians joining the group. Periodic reminders about seasonal flu shots are also posted. There is very little social media usage among the private practice clinics within our market.


Patient portal is in place and gaining adoption. We also use YouTube to distribute videos of clinic providers, the clinics news, and leadership messages. Some use of LinkedIn and other social media for recruiting. Still discovering ways to leverage the social media. This is an example of a YouTube video we use to promote our medical group in the community:


What security and privacy measures are in place in your practice? For example, encryption, passwords, remote access, antivirus, backup/recovery processes, etc.


All of the above including mandatory machine encryption and mandatory antivirus measures etc.


Passwords with complexity requirements, fingerprint scanners, Norton 360, Avast Antivirus, Malwarebytes Anti-Malware, LogMeIn Pro, daily incremental local backups to external hard drive, weekly full backups to external hard drive, off-site storage of redundant external backups, pen tablets not allowed to be taken off-site.


Employed clinics follow the enterprise-wide policies and procedures for security and privacy. Those policies address encryption for all devices, minimum password complexity standards, frequency of password changes, non-reusable passwords, antivirus protection active and definitions up to date, OS and application security patches applied, redundancy/backup protection, business continuity and disaster recovery, and employee required annual training on HIPAA security, social engineering, phishing, etc. These policies align with and in some cases are even more stringent than the regulatory requirements to protect the information and system assets of our enterprise and patients. Daily automated audit systems are in place to notify the appropriate personnel of devices that do not comply with policy.

Unfortunately, most of the private practices that I have visited do not fully comply with the basics of existing regulations regarding security and privacy of electronic patient information, systems, and access. Private practice clinics (especially the small to medium sized clinics) do not have the internal expertise or the resources to accomplish what a larger organization can do with pooled resources. Some clinics are relying on the HITECH REC services or third-party providers to monitor and accomplish some or all the tasks necessary to be compliant with regulations.
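The daily compliance audit the panelist describes above (flagging devices that fall outside policy on encryption, password age and reuse, antivirus state, and patching) can be sketched as a small check over an inventory snapshot. The following is an added example, not code from the original page or from any vendor named on it; the inventory records, field names, snapshot date and policy thresholds are assumptions chosen to mirror the policy items the panelist lists. One design point worth copying: a device whose state is unknown (missing or null field) is reported as non-compliant rather than silently passed.

```python
"""Device compliance audit over a constructed inventory snapshot (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    # Thresholds are assumptions, not values stated on the page.
    max_password_age_days: int = 90
    min_password_history: int = 24      # prior passwords that may not be reused
    max_av_definition_age_days: int = 3
    max_patch_age_days: int = 30


DEFAULT_POLICY = Policy()

# Constructed snapshot date and inventory records (hypothetical hosts and dates).
AS_OF = date(2013, 1, 25)
INVENTORY = [
    {"host": "exam-01", "disk_encrypted": True, "password_changed": "2013-01-10",
     "password_history_len": 24, "av_active": True, "av_definitions": "2013-01-24",
     "last_patch": "2013-01-15"},
    {"host": "exam-02", "disk_encrypted": False, "password_changed": "2013-01-12",
     "password_history_len": 24, "av_active": True, "av_definitions": "2013-01-24",
     "last_patch": "2013-01-20"},
    {"host": "laptop-07", "disk_encrypted": True, "password_changed": "2012-09-01",
     "password_history_len": 24, "av_active": True, "av_definitions": "2013-01-02",
     "last_patch": "2013-01-20"},
    # Unknown encryption state and no patch record: both must fail closed.
    {"host": "kiosk-03", "disk_encrypted": None, "password_changed": "2013-01-05",
     "password_history_len": 24, "av_active": True, "av_definitions": "2013-01-25"},
]


def _age_days(as_of: date, value: Optional[str]) -> Optional[int]:
    """Days between an ISO date string and the snapshot date; None if absent."""
    if not value:
        return None
    return (as_of - date.fromisoformat(value)).days


def audit_device(record: dict, as_of: date, policy: Policy = DEFAULT_POLICY) -> List[str]:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings: List[str] = []
    # 'is not True' treats None/missing as a failure, not as a pass.
    if record.get("disk_encrypted") is not True:
        findings.append("disk encryption not confirmed")
    age = _age_days(as_of, record.get("password_changed"))
    if age is None or age > policy.max_password_age_days:
        findings.append("password age unknown or over limit")
    if record.get("password_history_len", 0) < policy.min_password_history:
        findings.append("password history shorter than policy")
    if record.get("av_active") is not True:
        findings.append("antivirus not active")
    age = _age_days(as_of, record.get("av_definitions"))
    if age is None or age > policy.max_av_definition_age_days:
        findings.append("antivirus definitions stale or unknown")
    age = _age_days(as_of, record.get("last_patch"))
    if age is None or age > policy.max_patch_age_days:
        findings.append("security patches overdue or unknown")
    return findings


def audit_inventory(inventory: List[dict], as_of: date,
                    policy: Policy = DEFAULT_POLICY) -> Dict[str, List[str]]:
    """Map host -> findings for every non-compliant device; compliant hosts are omitted."""
    report: Dict[str, List[str]] = {}
    for rec in inventory:
        findings = audit_device(rec, as_of, policy)
        if findings:
            report[rec["host"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, AS_OF).items():
        print(f"{host}: " + "; ".join(findings))
```

In practice the records would come from the endpoint agent or directory rather than a literal list, and the report would feed the notification the panelist mentions; the checks themselves stay the same.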


We use passwords and antivirus. Remote access is allowed only from home. Not sure if we encrypt. We did not have a backup system initially. We did discuss that once in a staff meeting at which it was decided that another database would be added at another site for backup, but I’m not sure if that ever materialized.


VPN, encryption, daily back-up, antivirus.


We are part of a larger AMC, so lots of the regular network stuff – passwords, virus protection, backups. For remote access, we use dual authentication with a token. In our exam rooms, we set up a system that automatically secures the exam room computers when the door is opened, thus ensuring security when the doctor or nurse leaves the room. Has worked out great!


On the encryption front, we have a disk encryption product on our laptop machines called Credant. The software is a hybrid encryption product that only encrypts some of the files on the laptop, leaving others — like the OS — unencrypted. They say that this is better when compared to full disk encryption because only the user who is logged into the machine has files that are decrypted, whereas full disk encryption products decrypt all of the files for all of the users on successful login.

I think there may be a weakness in it because the whole drive is not encrypted. Given time, I’d try to hack it to see if it fails to encrypt files that it should. So hopefully it is doing a good job. I’m aware of a few cases where users have lost data because the keys were corrupted or something else went wrong with the encryption product.


We use whole-disk encryption for all portable devices and only allow PCs on the network (no BYOD, unfortunately) for making the security easier. Passwords must change every 45 days and cannot repeat for 24 months. Remote access is available with either hard or soft tokens. Antivirus is in place. We do allow users to be administrators on their own devices, but if we suspect trouble, we will then remove those rights. We assume you’re innocent until you mess up. We back up the EHR database nightly and every two weeks a backup is sent to some kind of secure bunker, I think in Nebraska. We randomly test the backups to make sure they are actually usable.
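The last answer's point about randomly testing backups to confirm they are actually usable is the one most small practices skip, so here is an added example of what such a test can look like. It is not code from the original page or from any product named on it. On a constructed directory it writes a tar archive plus a SHA-256 manifest, reads a random sample of members back out of the archive and compares their hashes to the manifest, and then shows the same check catching a copy of the archive in which one member was silently altered (a stand-in for media corruption on an off-site copy). File names and contents are made up.

```python
"""Backup restore test against a hash manifest (added example)."""
import hashlib
import io
import json
import random
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_stream(fobj) -> str:
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_file(path: Path) -> str:
    with open(path, "rb") as f:
        return sha256_stream(f)


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under `source`; return and save {relative_path: sha256}."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    # The manifest is kept beside the archive; an attacker or a disk fault that
    # can alter both is out of scope for this check.
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(archive: Path, manifest: Dict[str, str], sample_size: int,
                  rng=random) -> Dict[str, List[str]]:
    """Read a random sample of members from the archive and hash-compare them."""
    names = sorted(manifest)
    sample = rng.sample(names, min(sample_size, len(names)))
    result: Dict[str, List[str]] = {"checked": sample, "mismatched": [], "missing": []}
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        for name in sample:
            m = members.get(name)
            if m is None or not m.isfile():
                result["missing"].append(name)
                continue
            if sha256_stream(tar.extractfile(m)) != manifest[name]:
                result["mismatched"].append(name)
    return result


def write_corrupted_copy(archive: Path, corrupted: Path, victim: str) -> None:
    """Copy the archive, flipping the first byte of `victim` (simulated bit rot)."""
    with tarfile.open(archive, "r:gz") as src, tarfile.open(corrupted, "w:gz") as dst:
        for m in src.getmembers():
            if not m.isfile():
                dst.addfile(m)
                continue
            data = src.extractfile(m).read()
            if m.name == victim and data:
                data = bytes([data[0] ^ 0xFF]) + data[1:]
            m.size = len(data)
            dst.addfile(m, io.BytesIO(data))


def run_demo(seed: int = 7) -> dict:
    """Build a constructed export, back it up, verify, then verify a corrupted copy."""
    rng = random.Random(seed)
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "ehr_export"
        (src / "db").mkdir(parents=True)
        (src / "db" / "patients.sql").write_bytes(b"-- constructed sample dump\n" * 50)
        (src / "db" / "audit.log").write_bytes(b"2013-01-24 login user=drsmith\n" * 20)
        (src / "config.ini").write_text("[backup]\nretention_days=14\n")
        archive = work / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_backup(archive, manifest, sample_size=2, rng=rng)
        offsite = work / "offsite_copy.tar.gz"
        write_corrupted_copy(archive, offsite, "db/patients.sql")
        bad = verify_backup(offsite, manifest, sample_size=len(manifest), rng=rng)
    return {"files": len(manifest), "good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

A hash check proves the bytes came back intact; it does not prove the application can open them, so a periodic full restore into a scratch instance of the EHR database is still needed on top of the sampled check.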


HIStalk Practice Advisory Panel 1/17/13

January 17, 2013 | Advisory Panel


For this report, I asked panel members: When purchasing HIT systems, what resources do you use to compare vendors and products?


I don’t put a lot of stock in KLAS. What I do put stock in is actually talking to users of the products, and not necessarily those given on vendor-supplied reference lists. Our organization participates in various external quality organizations, specialty organizations, and advocacy groups. All of them have listservs where you can ping the rest of the members to find out what products they are using for a particular business need, or how they like a particular product. It’s a good real-world resource.

I also ping CMIOs that share the same primary vendor as we have. They're well positioned to tell what products they use to fill functionality gaps or that complement our EHR.


Lately we’ve awarded three contracts without a formal RFP or competitive vendor selection process. Unfortunately, that approach has been both expensive and has resulted in us owning products or buying consulting services that have failed to meet the functionality or quality our users desire. Hopefully we’ll learn a lesson soon.


Combination of talking to peers (e.g. people I know, AMDIS listservs), reading about them, doing demos. We’ll see if KLAS has info on them as well.


Industry groups (AMGA, Premier, SG2, HIStalk, etc.) along with consultants in certain cases to identify potential options and then detail comparisons of the vendors in an RFP type process.


When our administrators looked for an EHR, they simply looked at the market leader in our niche market, got a one-hour demo, and chose it. Turns out that’s not a good method.


If we were to choose today, I would look at user comments on KLAS and see what is being mentioned on blogs like HIStalk.


We haven’t purchased any new HIT systems for the employed physicians in several years. For private practice physicians, I provide them with the latest reports from KLAS, AARP, AMA, etc. I also share with them the top five market share EMR vendors in the region. Additionally, I provide them with two or three names of the clinics using each EMR system in the region so that they are aware of the colleague / competitor decisions in the market they serve. I also provide user group information for each EMR vendor if there is a local presence.


KLAS, hospital offering, advice from colleagues.


Google and Web research. EMRConsultant.com. Personal recommendations from colleagues. Demos, demos, demos. Getting access to a test site for extended, unrestricted hands-on experience seems to be the most helpful.

