HIStalk Practice Advisory Panel: Social Media, Security Practices
The HIStalk Practice Advisory Panel is a group of physicians, ambulatory care professionals, and a few vendor executives who have volunteered to provide their thoughts on topical issues relevant to physician practices. I seek their input every month or so on an important news development and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.
If you work for a practice, you are welcome to join the panel. Many thanks to the HIStalk Practice Advisory Panel members for their willingness to participate.
For this report, I asked panel members about social media in their practice and privacy and security measures.
What social media tools are being used in your practice?
We’ve had to tighten things up due to fear of lawsuits or other problems. We encourage our providers to only use the official practice website or official practice-based Facebook and Twitter accounts. There are a couple of physicians who use personal Facebook accounts and have patients who have friended them, but that’s discouraged.
Website with vetted patient education content, Twitter, e-mail – with marked restrictions (until we engage our portal) and patient communications portal (pending).
We have a very basic Facebook presence and are starting to do some rare tweets. But right now we believe our patients really want connectivity rather than content, so our focus is on making sure it is very easy to send in messages via our secure portal.
Employed clinics have a Facebook presence to make general announcements about clinic-sponsored community events, new services, and physicians joining the group. Periodic reminders about seasonal flu shots are also posted. There is very little social media usage among the private practice clinics within our market.
Patient portal is in place and gaining adoption. We also use YouTube to distribute videos of clinic providers, the clinic’s news, and leadership messages. Some use of LinkedIn and other social media for recruiting. Still discovering ways to leverage social media. This is an example of a YouTube video we use to promote our medical group in the community:
What security and privacy measures are in place in your practice? For example, encryption, passwords, remote access, antivirus, backup/recovery processes, etc.
All of the above including mandatory machine encryption and mandatory antivirus measures etc.
Passwords with complexity requirements, fingerprint scanners, Norton 360, Avast Antivirus, Malwarebytes Anti-Malware, LogMeIn Pro, daily incremental local backups to external hard drive, weekly full backups to external hard drive, off-site storage of redundant external backups, pen tablets not allowed to be taken off-site.
Employed clinics follow the enterprise-wide policies and procedures for security and privacy. Those policies address encryption for all devices, minimum password complexity standards, frequency of password changes, non-reusable passwords, antivirus protection active and definitions up to date, OS and application security patches applied, redundancy/backup protection, business continuity and disaster recovery, and required annual employee training on HIPAA security, social engineering, phishing, etc. These policies align with, and in some cases are even more stringent than, the regulatory requirements to protect the information and system assets of our enterprise and patients. Daily automated audit systems are in place to notify the appropriate personnel of devices that do not comply with policy.
Unfortunately, most of the private practices that I have visited do not fully comply with the basics of existing regulations regarding security and privacy of electronic patient information, systems, and access. Private practice clinics (especially the small- to medium-sized clinics) do not have the internal expertise or resources to accomplish what a larger organization can do with pooled resources. Some clinics are relying on the HITECH REC services or third-party providers to monitor and accomplish some or all of the tasks necessary to be compliant with regulations.
We use passwords and antivirus. Remote access is allowed only from home. Not sure if we encrypt. We did not have a backup system initially. We did discuss that once in a staff meeting at which it was decided that another database would be added at another site for backup, but I’m not sure if that ever materialized.
VPN, encryption, daily back-up, antivirus.
We are part of a larger AMC, so lots of the regular network stuff – passwords, virus protection, backups. For remote access, we use dual authentication with a token. In our exam rooms, we set up a system that automatically secures the exam room computers when the door is opened, thus ensuring security when the doctor or nurse leaves the room. Has worked out great!
On the encryption front, we have a disk encryption product on our laptop machines called Credant. The software is a hybrid encryption product that only encrypts some of the files on the laptop, leaving others — like the OS — unencrypted. They say that this is better when compared to full disk encryption because only the user who is logged into the machine has files that are decrypted, whereas full disk encryption products decrypt all of the files for all of the users on successful login.
I think there may be a weakness in it because the whole drive is not encrypted. Given time, I’d try to hack it to see if it fails to encrypt files that it should. So hopefully it is doing a good job. I’m aware of a few cases where users have lost data because the keys were corrupted or something else went wrong with the encryption product.
We use whole-disk encryption for all portable devices and only allow PCs on the network (no BYOD, unfortunately) for making the security easier. Passwords must change every 45 days and cannot repeat for 24 months. Remote access is available with either hard or soft tokens. Antivirus is in place. We do allow users to be administrators on their own devices, but if we suspect trouble, we will then remove those rights. We assume you’re innocent until you mess up. We back up the EHR database nightly and every two weeks a backup is sent to some kind of secure bunker, I think in Nebraska. We randomly test the backups to make sure they are actually usable.
The article about Pediatric Associates in CA has a nugget with a potentially outsized impact: the implication that VFC vaccines…