In the modern healthcare world, technology is playing an increasing role in record keeping. Whether your practice is small or large, stable or growing, a cloud-based electronic records system is something you should consider. There are many benefits to moving away from the traditional client-server system, as well as things to consider before you make the change.
Benefits to Cloud-Based Medical Computing
Using the cloud for your practice’s records, both clinical and administrative, is akin to renting a house: you pay for the benefits of living in it, but the maintenance issues are someone else’s problem. Once implementation is completed, you will receive full tech support including troubleshooting and the updating of software and security measures. This reduces the cost of IT staffers, as well as the headache of dealing with software issues that may be outside your area of interest. You will be using the same software to which you are accustomed, but the software itself, along with the data, will exist outside the walls of your practice.
Since the cloud stores data in external servers that you access over the Internet, your records are available to you anytime you have an Internet connection. This allows for the same access to pertinent information whether you’re in the office, on hospital rounds, or at home. Collaboration among colleagues is also much easier since everyone can access the same information simultaneously. And cloud information storage allows access from all sorts of devices, including tablets and smartphones.
Now that cloud service providers are also liable under HIPAA (Health Insurance Portability and Accountability Act), security of data is excellent. Data is stored in multiple places by the provider, backed up regularly and encrypted, ensuring that it can be recovered with ease if needed and that only those who should have access can get to the information. With billing information and medical history all in one place, security is more important than ever.
Considering the legal requirement to keep patient data on-hand for years, an on-site storage facility or IT infrastructure can fill up very quickly. Cloud-based storage is virtually limitless, translating into more patients, doctors at your practice or additional locations without the increased cost of a larger facility or upgrading software to handle the load.
Things to Know Before Moving Into the Cloud
Using the cloud does not involve hardware or software costs, so it is less costly overall than maintaining an in-house IT staff and servers. Your practice will pay a monthly fee to the cloud provider, for the “software as a service” arrangement.
While many cloud providers have started to ensure HIPAA compliance, not all are fully compliant. Before deciding on a provider, make sure to ask about compliance. Matthijssen works with lawyers and has extensive experience ensuring medical practices become and remain HIPAA-compliant.
The idea of the office is one that has changed significantly over the years. Thanks to mobility and better connectivity, workers can send invoices on the train, meet with clients on a screen in a hotel room, and work on cases at home. The boom in the remote work space allows more work to be done, it is cutting costs, and yes, it is leading to significant security concerns. Matthijssen reviews common network security concerns with remote workers.
The virtual office is one that involves many players and devices. One of the most common policies in the modern work space is BYOD, or Bring Your Own Device. This allows users to work from their own devices, it permits cohesive connectivity without meeting in the flesh, and it reduces infrastructure expenses. As companies reorganize infrastructure and remove company-owned devices, they need to have a plan in place that does not lose sight of the increased vulnerability and potential for loss.
Common Threats for Remote Workers
Remote workers are not tethered to a desk, which means their devices can be stolen, hacked and lost. Lack of encryption, failure to use device passwords, and unsecured network access put not only the client and client data at risk; these factors expose the company as well. No business or industry is immune. Threats can even be something as simple as kids at home and shared family domains. If your company permits or encourages remote commuting, your office must take steps to ensure the integrity of EVERY transaction and device, and the company’s image.
Ways to Improve Network Security
Three strategies aid in protecting your company’s remote security, and none of them will kill your company’s budget.
- Require passwords and multi-step verification
Passwords, passwords, passwords. The first line of defense against outside intrusions is a PIN or password. Companies must set password requirements. There must also be a lockout feature or deactivation feature that kicks in when a password or PIN is typed in incorrectly a set number of times.
Many applications require a two-step verification process that requires two verifications into the app before access is granted. For example, after a user enters the password correctly, a separate code or alert is sent to a registered mobile number. The code must be entered or the user must allow entry from the smartphone.
- Move to the cloud
Web-based cloud solutions and applications can improve your company’s remote security, and the cloud is compliant with various industry regulations, such as HIPAA. It is important to recognize that we are talking about business-grade cloud programs and applications, not personal cloud services. The cloud requires passwords for access; data is not stored on a device but encrypted and stored online; and managers and owners can control employee access.
- Establish guidelines for connectivity
You spend a great deal of time revamping and testing your office’s network security, but what are your strategies for ensuring safe network connectivity outside the office? A company must draft security policies and standards to which all users must adhere when out of the office. The policy must state that users cannot access free Wi-Fi, unsecured connections, or Bluetooth connections they do not recognize. Users must secure their own networks at home as well.
The professionals at Matthijssen can help you review your company’s existing policies for remote workers and make suggestions for a safe and secure environment.
Back in 1996, the United States Congress passed the Health Insurance Portability and Accountability Act in an effort to help people hold on to their health insurance when they changed jobs. Attached to HIPAA was Title II, which helped prevent fraud, and specifically the so-called “Security Rule.” This requires that businesses dealing with sensitive personal information secure it along three major axes: administrative, physical, and technical.
Do You Need to Be HIPAA Compliant?
Are you a Covered Entity? If you are a business that has anything to do with the storing or transmission of healthcare policies or information, you are. The law stipulates that any company that is responsible for protected health information (PHI) or electronic protected health information (EPHI) must be HIPAA compliant. This extends to anyone dealing not just with information and records, but also with the software used to do so. Everyone from the offices and practitioners themselves to their contracted vendors to the insurance companies they work with is considered a “Covered Entity.”
Administrative and Physical
The first two forms of HIPAA compliance are already familiar to most Covered Entities (CEs). For a long time now, precautions have had to be taken to physically prevent the use or transmission of medical information. What makes this a bit tougher today is the electronic component.
All CEs must have a clear and codified set of policies when it comes to accessing PHI. This means making sure your office has rules in place regarding who can access what information at which terminals. Keeping logs of who is accessing the PHI is essential and other physical limitations need to prevent public access to equipment. As for administrative protections, your business must offer adequate supervision of these physical safeguards. In addition, you must demonstrate other policies in action like training programs and update awareness. You must also be sure to have a set of policies for the event of a breach of security. How you will fix the breach and appropriate punishment must be clear and followed.
The technical safeguards, of course, can be rather tricky. As soon as you’re dealing with EPHI, the risk increases exponentially. Consequently, the technical safeguards focus on security and recovery. For example, it is imperative that an off-site backup of all PHI and EPHI exists, one that cannot be directly accessed if your primary information system is compromised.
As for ongoing security, HIPAA requires that extensive precautions be taken for any method of PHI transmission. This means that everything from internal databases to interoffice email must be secure.
Finally, the ability to detect unauthorized access or changes made to PHI is critical. To be HIPAA compliant means that you can demonstrate how you would know if your files were breached by a hacker and how you would discover an internal issue with a staff member.
The penalties for noncompliance became much steeper in 2009 when an addendum was attached to incentivize compliance and minimize violations.
Matthijssen can help you achieve and maintain HIPAA compliance.
Virtualization, the process of dividing physical hardware into smaller virtual components, provides several benefits to your business including increased efficiency, capabilities and more. If you haven’t taken the leap into the world of virtualization, here are some reasons you should consider taking the plunge.
Moving to virtual servers from physical servers reduces the number of physical servers your business requires, as virtualization allows you to do more with less. Most dedicated physical servers use between 5% and 15% of their capacity, but several virtual servers can be housed on one physical server. This reduces the power needs and cooling costs associated with physical servers and saves on the amount of office space required to house these servers. Increased efficiency is also realized when outdated applications or data can be removed from the physical servers. Fewer physical servers also means less time and fewer employee resources dedicated to maintenance of the machines.
Virtualization provides a safe environment to test new software, server upgrades and patches. First installing the new code in a virtual environment provides you with an opportunity to debug the changes in a controlled environment and increases the chance of a successful deployment when the changes are implemented in the live environment.
Server virtualization aids in business continuity by decreasing the likelihood of a hardware failure and decreasing the amount of downtime related to such a failure. In the event a physical server experiences a disruption, you can migrate the data and applications housed on that server onto a virtual server while you work to get the original machine back in service.
A key component to disaster recovery is being able to get back up and running as soon as possible. A main benefit of virtualization is that it requires fewer physical servers to begin with. Back-ups of virtual servers can be reinstated more quickly than a physical environment can be repaired, which is imperative to getting your operations back in action. You can store a small number of physical servers off site, which can easily be relocated in the event of a disaster situation.
Web activities can be segregated onto a virtual server without access to sensitive files, which means any malware installed cannot proliferate through your entire network. As virtualization expands from servers to desktops, companies are seeing a reduction in the loss of data due to equipment failure since data is stored on the virtual machine rather than the local drive. This is especially significant as businesses are utilizing remote access solutions and “bring your own device” policies more than ever before. Employees can log into their virtual desktop from any location and have immediate access to the same programs and security provisions required by your business.
Determining which methods of virtualization are best for your business can be tricky. Our team is ready to help. Contact us today!