A few months ago, I appeared on a local news show to talk about data security. After the interview, the news anchor asked me what seemed like a simple question: “How can I be sure my doctor is keeping my patient data safe?” I quickly realized that I couldn’t answer the question. To be sure, as an IT professional, I can audit network and security policies and find out whether patient data is safe, but what I couldn’t find was a way for patients to find out for themselves. While I have a whole list of questions that could be asked, the patients probably wouldn’t understand the answers. Moreover, it is not likely that the medical staff could answer the questions either, since the questions are, well, geeky.
After a lot of thought and discussion, one of my staff had a flash of insight: doctors and medical staff need to learn how to tell their patients that their data is safe, and they need to do it in layman’s terms. But first, they need to know that their networks and policies are actually sufficient to protect their patients’ data.
From that perspective, we put together a series of questions that doctors, or their staff, should ask their IT vendors. These questions not only offer a way to reassure concerned patients, but they may also lead to the discovery of network or policy shortcomings, and it’s much better to find those out before a data breach occurs than after. Ideally, the IT vendor can answer the questions the right way, and can also help “translate” the answers into everyday language.
We begin with data safety:
• Where is our patient data stored? Is it onsite (in the doctor’s office), offsite (at a data center) or both?
• Is our patient data encrypted? How strong is the encryption? Who has the encryption password?
• Do we have a strong password policy? Are passwords changed periodically? Do staff members share their passwords with other staff members?
• If we use laptops, are they allowed out of the building? Is the data on the laptop encrypted? If laptops are allowed out of the building, are they securely stored?
• Do we have a Wi-Fi network in the office? Is it password protected? Is it encrypted? If the wireless password were compromised, could patient data be accessed from the Wi-Fi network?
We continue with data availability:
• If our patient data is stored offsite only (in “the cloud”), what do we do if the Internet goes down at a critical time? Do we have a way to access patient data in case of an extended Internet outage?
• If our patient data is stored onsite only (on a server, for instance), do we have current backups of the data? Are the backups tested? How long does it take to restore patient data if necessary?
• Assuming that we have good, tested backups, if our server were to go down, how long would it take to get back up and running? Do we have any sort of failover? Can our IT vendor provide a standby server if necessary?
• What is the longest we could reasonably expect to wait for access to recent patient data if an emergency need for that data arises during network, Internet, or server problems?
In an ideal world, all medical offices would be able to answer the above questions like this:
Our patient data is stored in our office, in a locked room accessible only by key personnel. It is backed up at least once daily. It is encrypted with military-grade encryption, and the password is held by senior staff members. We have a very strong password policy in place for our employees, and passwords are changed periodically. We also store our data offsite at a secure data center, but we only send that data offsite after it has been encrypted. The data center does not have the encryption password.
We test our backups monthly to ensure there is no corruption. Our IT vendor can deliver a standby server within a few hours if necessary. If our entire building were damaged, we can have all patient data restored from offsite within one business day.
Such answers should put your patients at ease about their data. If you can’t truthfully answer these questions in this way, you need to put pressure on your IT vendor right away. If you don’t have an IT vendor, find one who offers IT security audits free of charge.