by Wyn Staheli, Director of Research
February 9th, 2015
How secure is your computer? Do you have a password on your computer? Do you have automatic log-off turned on? Is your computer encrypted? Are your off-site storage files encrypted?
This document is designed to give some basic information about making your office a little more secure. It is not a substitute for a thorough HIPAA risk assessment.
However, there are some steps you can take right now to help cut your risk of identity theft or security breaches. Take steps TODAY!
HIPAA & Passwords
Regardless of whether you are a HIPAA covered entity or not, password usage should be part of your office's Policies and Procedures Manual. HIPAA Complete offers a HIPAA Audit which walks you through your office to identify privacy and security shortcomings. Passwords are part of this audit process. HIPAA Complete has the logs, guidelines, and policy templates to get you started.
What is the big deal about encryption? It is the single most effective protection against the most common kind of breach: a lost or stolen laptop, drive, USB stick or backup. Under the HITECH Breach Notification Rule, PHI that was properly encrypted when it was lost is generally treated as "secured" and does not have to be reported as a breach; unencrypted PHI does. What is encryption? Encryption is a process by which data is rendered unreadable/unviewable unless a "key" is used to unlock it. Without the key the data is useless to whoever has it; with the key it is fully readable, which is why protecting the key, and controlling who can reset it, matters as much as the encryption itself. This is a great
"In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each of these ciphers has a 128-bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES).
AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable (see Advanced Encryption Standard process for more details). It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the NSA for top secret information."
Hopefully everyone is using medical billing software that encrypts its "data at rest" - that is, the database files sitting on your hard drive while the program is not running. Sadly, most people do not realize that the same data is exposed whenever it is NOT at rest: when it has been exported, when the program has it open, or when it is being sent somewhere. Here are three scenarios explaining when data is NOT at rest:
- Most programs let you export data from your computer. This is where it gets tricky. If you export data that contains Protected Health Information (PHI) to a CSV file in any place that is NOT encrypted (the desktop, a shared folder, a USB stick), that plaintext copy is outside the protection your billing software gives its database, and losing it is a breach. One reported security breach occurred when an employee copied such a file to a USB drive which had the password taped to it!
- When you start your software program (even if properly encrypted when closed and password protected), your data is no longer "at rest": the program has decrypted it in order to use it. Malware on the machine, such as a keylogger or spyware, sees what the program sees, so a firewall and up-to-date anti-malware protection are required. Likewise, any other user on your network who has permission to that drive or folder can read the data through the running system, because the encryption is transparent to anyone the operating system lets in.
- Emailing reports from your software program to another provider is another case of data in motion. Ordinary email is not end-to-end encrypted - no, Gmail and Hotmail are NOT encrypted in the sense that matters here: the provider, every mail server along the way, and whoever can reach the recipient's mailbox can read the message. Unless you encrypt the report itself before attaching it (and pass the passphrase along by a different route, such as a phone call), there is no telling where that email will end up.
Even if your software encrypts its data, avoiding a breach requires other measures as well. Here are a few Do's and Don'ts:
Do's and Don'ts
Don't do the following:
- DON'T save files to your hard drive in places that are unencrypted
- DON'T allow all users on your network to have access to the location of your Program Data Files (for InstaClaim, that would be the folder where InstaClaim is installed). Restrict the folder's permissions (on Windows, the Security tab of the folder's properties, plus the share permissions if the folder is shared) to the accounts or group of people who are authorized to edit or view claims data.
- DON'T take unencrypted backups off-site for storage.
Do the following:
- Use secure passwords. Click here to read more about passwords.
- Use passwords and change them frequently.
- Consider using a program to encrypt ALL your important computer files, ideally full-disk encryption such as BitLocker on Windows or FileVault on a Mac, so that nothing saved to the drive is ever left in the clear. There are many good programs on the market today. Some go as far as tracking your computer's actual location and can not only locate your computer, but can also lock the thief out of the computer entirely.
ALERT: no matter what program you purchase, it is essential that it supports an administrative reset of encrypted files: a recovery key or administrator passphrase (BitLocker's recovery key is one example) that the practice keeps in a safe place, separate from the user's own password. Otherwise, if you have a disgruntled employee, they could change the password and you would be completely locked out of your computer and lose everything. Only that disgruntled employee would know how to get in. Not a good situation to be in. Considering the cost of all the hassles associated with losing a computer to theft and the new HITECH Breach Notification requirements, it is well worth the investment.
- Consider using a HIPAA-compliant off-site backup service like Mozy: one that encrypts your backups before they leave your office and that will sign a Business Associate Agreement with your practice.
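The following is an added example, not part of the original article and not code from InstaClaim, HIPAA Complete, Mozy or any other product named above. Using only the openssl command-line tool, it shows what the export scenario and the ALERT above ask for: an exported claims CSV is encrypted with AES-256 before it is stored or emailed, and the file's key is wrapped under both the user's passphrase and a separate administrative recovery passphrase held by the practice, so a passphrase changed by a departing employee cannot lock the office out. The scratch directory, file names, passphrases, the `PHIKEY:` check value and the CSV rows are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not code from the original article or any product it names).
# Envelope encryption for an exported PHI file with the openssl CLI:
#   - the CSV is encrypted under a random 256-bit data key
#     (AES-256-CBC, key derived from it with PBKDF2);
#   - the data key is wrapped under the user's passphrase AND under a
#     separate administrative recovery passphrase held by the practice;
#   - a wrong passphrase fails, the recovery passphrase still works.
# Requires openssl 1.1.1 or newer (for -pbkdf2/-iter). All paths, passphrases
# and CSV rows below are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/phi_export_demo.$$"   # scratch directory (assumed)
ITER=200000                                  # PBKDF2 iteration count

# Constructed sample export. These are not real patients or claims.
make_sample_export() {
    cat > "$WORK/claims.csv" <<'EOF'
claim_id,patient_name,dob,diagnosis_code,amount
1001,Jane Example,1970-01-01,J06.9,125.00
1002,John Sample,1985-05-05,M54.5,240.00
EOF
    echo "$WORK/claims.csv"
}

# encrypt_export <plaintext> <keyfile-out> <ciphertext-out>
# Generates a fresh random data key into <keyfile-out> and encrypts the file
# under it. The "PHIKEY:" prefix is a check value so that unwrap_key can tell
# a wrong passphrase from a right one deterministically.
encrypt_export() {
    printf 'PHIKEY:%s\n' "$(openssl rand -hex 32)" > "$2"
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass "file:$2" -in "$1" -out "$3"
}

# decrypt_export <ciphertext> <keyfile> <plaintext-out>
decrypt_export() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass "file:$2" -in "$1" -out "$3"
}

# wrap_key <keyfile> <ENV_VAR_HOLDING_PASSPHRASE> <wrapped-out>
# The passphrase is read from an environment variable (env:) rather than
# given on the command line (pass:), so it does not show up in `ps`.
wrap_key() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -pass "env:$2" -in "$1" -out "$3"
}

# unwrap_key <wrapped> <ENV_VAR_HOLDING_PASSPHRASE> <keyfile-out>
# Returns non-zero on a wrong passphrase: either openssl reports a padding
# error, or the output lacks the PHIKEY: check value.
unwrap_key() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -pass "env:$2" -in "$1" -out "$3" 2>/dev/null || return 1
    grep -q '^PHIKEY:' "$3" || { rm -f "$3"; return 1; }
}

# demo_envelope: runs the whole workflow and returns 0 only if every
# expectation holds (ciphertext hides PHI, user passphrase works, wrong
# passphrase fails, administrative recovery works).
demo_envelope() {
    mkdir -p "$WORK"
    plain=$(make_sample_export)
    enc="$WORK/claims.csv.enc"

    encrypt_export "$plain" "$WORK/datakey" "$enc"
    USER_PW='correct horse battery staple'; export USER_PW      # constructed
    ADMIN_PW='practice-recovery-2015-example'; export ADMIN_PW  # constructed
    wrap_key "$WORK/datakey" USER_PW  "$WORK/datakey.user"
    wrap_key "$WORK/datakey" ADMIN_PW "$WORK/datakey.admin"
    rm -f "$WORK/datakey"   # only the two wrapped copies of the key stay on disk
    # In real use the plaintext export is deleted here too; it is kept only so
    # the decrypted results can be compared against it below.

    # 1. The ciphertext reveals nothing: searching it for a patient name fails.
    if grep -q 'Jane Example' "$enc"; then return 1; fi

    # 2. The authorized user's passphrase recovers the export.
    unwrap_key "$WORK/datakey.user" USER_PW "$WORK/k.user" || return 1
    decrypt_export "$enc" "$WORK/k.user" "$WORK/out.user.csv" || return 1
    cmp -s "$plain" "$WORK/out.user.csv" || return 1

    # 3. A wrong passphrase (e.g. one changed by a departing employee) fails.
    WRONG_PW='not the passphrase'; export WRONG_PW
    if unwrap_key "$WORK/datakey.user" WRONG_PW "$WORK/k.wrong"; then return 1; fi

    # 4. The practice's recovery passphrase works without the user's.
    unwrap_key "$WORK/datakey.admin" ADMIN_PW "$WORK/k.admin" || return 1
    decrypt_export "$enc" "$WORK/k.admin" "$WORK/out.admin.csv" || return 1
    cmp -s "$plain" "$WORK/out.admin.csv" || return 1

    rm -rf "$WORK"   # unwrapped keys and plaintext must not be left behind
    return 0
}

demo_envelope && echo "all checks passed" || exit 1
```

The same `.enc` file can be copied to a USB stick, attached to an email or sent to off-site backup, since without one of the two passphrases it is unreadable. The administrative passphrase is the "administrative reset" the ALERT calls for: it must be stored somewhere the employee who uses the computer cannot reach, such as a sealed envelope in the practice's safe, and never on the same machine as the wrapped keys.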