CYBER SECURITY
Theft of Patient Information on the Upswing
By Medical Protective

Thieves have discovered that, often with little risk, they can break into healthcare practitioners’ offices and steal computers. Generally, they’re not interested in the clinical information that the computers may contain — although that remains a concern.

What they’re hoping to steal is something they can use for a variety of criminal schemes: Social Security numbers and credit card numbers. And they’re having a lot of luck.

Doctors have an ethical and legal responsibility to ensure both the security and the privacy of patient information. This includes the need to protect patients from the possibility of identity theft.

The following suggestions may help prevent theft of patient information:

• Install security passwords on all computers in the practice. Enforce their use and periodic change by employees.
• In general, authorize as few people as possible to have keys to the office. Employees who have access to the office should have a key to the main door only.
• Do not authorize an employee to have a key to the office until that person has successfully passed a probationary period.
• Stipulate the return of keys from all employees, regardless of whether they quit or are terminated. Employees who are fired should be required to turn in their keys, collect their personal belongings, and leave the office immediately upon termination. They should not be given the opportunity to access any patient or business-related information.
• If an employee is fired or leaves under less-than-ideal circumstances, consider changing office locks.
• Automatically change passwords whenever an employee quits or is terminated.
• Backup disks, tapes, or reports should be kept under lock and key, preferably off site.
• No laptop computer should be used for clinical purposes unless it has complete password installation. Laptops with clinical information on them should not be left in cars, not even in trunks.
• Firewalls should be built into all office systems. Contractual arrangements with vendors should specify the security results the practice hopes to achieve with its security system.
• Consider installation of a security system for the office.
• Use only bonded cleaning staff. If you cannot control the cleaning process (i.e., you rent office space in a building that provides cleaning services), inquire about the security check that the company uses to screen potential hires. Depending on the setup of your office, you may need to ask the cleaning crew’s employer to sign a Business Associate Agreement to ensure HIPAA compliance.
• Ensure that access to clinical areas is locked during lunch times, hours when patients are not in the office, or if an employee is working late. If possible, main office doors should also be locked during these times.
• Report any suspicious activity, possible breach of security, or threats of violence from terminated employees (or disgruntled patients) to the police.
• Report any theft (prescription pads, drug samples, patient information, office materials, etc.) to the police.
• Report any breach of patient confidentiality to a Medical Protective claims representative at 800–348–4669.

This article was produced by the clinical risk management team at Medical Protective, the nation’s oldest professional liability insurance company dedicated to the healthcare professions. For additional information, please contact Laura Cascella at laura.cascella@medpro.com or visit the Medical Protective website at www.medpro.com.

18 San Antonio Medicine • February 2016