The first quarter of 2022 has been a concerning time in the world due to the invasion by Russia into Ukraine. While hackers are always a concern, our awareness is higher now due to concerns of Russia increasing their cyber attacks. Many cyber security consultants and firms are increasing their business with the high awareness provided by the media. Cyber security is important and the Pediatric practice owner should ask what is the ‘right’ level of cyber security engagement and associated cost to provide protection to the practice. The challenge is that many Pediatric practice owners have limited knowledge in this area and can either operate in a manner that provides inadequate protection or contact a consultant and significantly add costs to the practice that might not be necessary. This is a good time to pause and evaluate some basics on cyber security as how it applies to Pediatric practices.
What is cyber security?
Cyber security is security as it applies to information technology. When evaluating the areas to protect, a pediatric practice needs to identify devices that store, manipulate or move data/information. System design can reduce security risk as well as other interventions such as anti-virus software, setup of office networks and practice security policies and approaches.
Cyber Security considerations related to Pediatric EHR systems:
Many EHR systems store data on devices such as laptops and desktops in the office. If a system stores a copy of patient data locally on devices, these devices need a higher level of security on the device compared to a system that does not store patient data on local devices. Also, if a practice maintains a computer server that has patient data, the practice network needs a much higher level of physical and cyber security compared to a practice that uses a secure cloud.. The reason is that a hacker that breaks into the wifi or network of the practice can then damage the computer server located at the practice within the network. An approach to mitigate and reduce this risk significantly is to move all data to a secure cloud facility – this is what has been occurring for the last ten years in many industries.
Practices that leverage the PediatricXpress EHR system have a lower relative risk of cyber attacks and hacks compared to EHR systems that a facility maintains a server due to a number of factors including:
- Users, based on their role (e.g. Front Desk, MA/nurse, Provider, administrator) have different level of access to patient information. A front desk account has less access to information compared to a physician/provider.
- Local devices such as laptops and desktops in the office, do not store the patient data (data is maintained at a private cloud facility). The only exception to this is when a practice scans documents to a desktop in the office then uploads the document to the PediatricXpress system. The practice should delete scanned documents that users scan onto a local desktop located in the practice after the documents are uploaded to the patients chart since uploaded documents are stored on the cloud and are not needed on the local device.
- PediatricXpress EHR is maintained in a Private Cloud with enterprise level firewalls and monitored 24 hours a day/ 7 days a week by a team of Network engineers. This level of security and network management is not cost feasible for most independent Pediatric practices that implement a server-based EHR. Note that many smaller hospitals have had security breaches within their server based EHR even though the hospital employs a full time IT team. While these hospitals usually had an IT staff on hand, there were security risks within their network and/or users that allowed for cyber breach (e.g. local computers are on the same network as the EHR system servers and users click on an e-mail virus that infects the local network).
- The PediatricXpress system is built in redundancy for which the redundant system takes over if the primary servers are down. This ‘fail over’ is designed to provide optimal uptime for practices as well as data redundancy.
- The data, applications and scanned documents are backed up to provide another level of redundancy.
Some Security Risk considerations in a Pediatric Practice:
It is necessary to access a Pediatric EHR to conduct patient visits in a productive manner. A pediatric practice should evaluate both their physical security and computer security approach at least once a year and maintain one point person in each practice location as the point for computer security. While this article discusses cybersecurity considerations, it is very important that the office has consistent physical security that limits access to computers in the office. Let’s look at some of the cyber security risks and how to mitigate these risks related to Network setup and computers in the office:
- Network Setup: All computers are connected to a router/wifi that is connected to the access point from a company such as Verizon or Xfinity. For fios or cable internet, the connection is from the carrier (Verizon or Xfinity) then terminates into a box in the office that connects into the router supplied by the company. This router should have an admin account with a secure password. Make sure that this password is not “Password’ but a true password. Also, recommend that the wifi password be secure/unique and not given out to staff or non-network administrators. Most of the wifi networks provide a guest network that shares the same access point.. While this is an option to consider providing a guest network on the wifi, note that guest use with streaming might reduce the staff speed on applications they use to conduct their work. Also consider that while there is some convenience for staff members to connect to the office network with their personal devices to the office wifi, there are additional security risks associated with this connection and if staff members are streaming while on the wifi, this can impact the performance of the network for the office conducting work associated with operating a pediatric practice..
- Computers: All computers should be set up to have an admin account (only the admin for the practice has access to this) and standard user accounts (all users of a desk top). A more secure, but more complicated, approach is to have a separate user login on each computer for users that might access the computer. Many offices find this too difficult since there might be 3-4 different individuals accessing a front desk computer. If setting up one front desk account on the desk tops at the front desk, keep in mind that if users are not careful, they might begin using another practice front desk person’s online accounts (will discuss further in next item). The practice should have all computers with antivirus software that is up to date.
While the highest risk of patient data exposure is removed by using a Pediatric EHR that is cloud based (PediatricXpress) versus an on site server, the areas discussed in this article can further enhance security and/or confusion on user access to the system. Consider that there are other steps that can be taken but most practices first need to focus on the areas discussed above prior to seeking other levels of cyber security including additional measures and approaches.