Follow this advice to meet the feds' requirements.

Your practice, like most others, probably takes steps to ward off unauthorized computer access by implementing tools such as antivirus software, firewalls, and more. Those are good measures, but don't get too comfortable: healthcare organizations continue to be vulnerable to cyber attacks, even with strong security measures in place. Add to that the fact that you're dealing with sensitive patient data, and your level of potential risk ratchets up to another level.

Case in point: The Department of Health and Human Services Office for Civil Rights (OCR) announced a small $100,000 settlement with Medical Informatics Engineering, Inc. (MIE), an Indiana-based software and EMR company. At the root of the HIPAA violation was a failure to assess risks that allowed cyber thugs to hack into the firm through a "compromised user ID and password," an OCR brief suggests. The end result was the disclosure of 3.5 million individuals' electronic protected health information (ePHI).

Take This Username Advice

The best usernames allow IT staff to identify individuals easily. In fact, usernames are often standard and don't allow for much differentiation by individual employees.

"Usernames at work aren't usually up to the individual; they're set by the IT department and they usually follow a common standard such as 'first_initial.last_name,' but you can take steps to keep your work username more secure by using it only for work," advises Jen Stone, MSCIS, CISSP, QSA, a security analyst with Security Metrics in Orem, Utah.

"Username formats should meet a corporate standard for consistency, but should not be considered confidential information," agrees Adam Kehler, CISSP, principal consultant and healthcare practice lead with Online Business Systems. The format should essentially promote easy identification and allow IT to quickly assess who should be accessing practice data.
Moreover, if a data security issue does arise, IT staff can quickly identify the account involved and do damage control on the incident.

Tip: Don't mix work with pleasure. It's a good idea to use different usernames for your home accounts versus your work ones. Separating your work tech from your home tech not only protects patients, but it protects you, too. Here's why: "If you use your work email as an account name, chances are good you'll be tempted to use your work password as well," warns Stone. "Then, when 'Flower Sparkle Games' is hacked, the hackers not only get access to your game, they also get access to your work account."

Create Stronger Password Controls

You may not put much thought into the creation of your work passwords, but you should. If your practice experiences a breach, one of the first things the feds will ask about is risk assessment — and weak password controls will be seen as ignoring potential risks.

Consider these four password must-dos that Kehler suggests for users:

1. Multi-factor authentication (MFA): Put MFA into use when sites allow it.

2. Password safe: "Use a password safe that is compatible with all of your devices," he advises.

3. Arbitrary passwords: Make your passwords "random and unique" and add them to your password safe.

4. Outside-the-box hints: Some sites require hints; "use random words" instead of meaningful ones "and store those in the password safe," he says.