3. Maintain Good Computer Habits
Policies specifying the circumstances under which devices may be removed from the facility are very important, and all due care must be taken in developing and enforcing these policies. The primary goal is to protect the patient's information, so considerations of convenience or custom (e.g., working from home) must be considered in that light.
But I Need to Work at Home
In today's increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home. Those who have responsibility for protecting patient information must recognize that this responsibility does not end at the office door. Good privacy and security practices must always be followed.
Download Mobile Device Checklist 2
3. Maintain Good Computer Habits
The medical practitioner is familiar with the importance of healthy habits to maintain good health and reduce the risk of infection and disease. The same is true for IT systems, including EHR systems — they must be properly maintained so that they will continue to function properly and reliably in a manner that respects the importance and the sensitive nature of the information stored within them. As with any health regimen, simple measures go a long way.
New computers and software packages are delivered with a dizzying array of options and little guidance on how to configure them so that the system is secure. In the face of this complexity, it can be difficult to know what options to permit and which to turn off. While a publication of this length cannot go into detail on this topic, there are some rules of thumb:
• Uninstall any software application that is not essential to running the practice (e.g., games, instant message clients, photo-sharing tools). If the purpose of a software application is not obvious, look at the software company’s web site to learn more about the application’s purposes and uses. Also check with the EHR developer to see if the software is critical to the EHR’s function.
• Do not simply accept defaults or “standard” configurations when installing software. Step through each option, understand the choices, and obtain technical assistance where necessary.
• Find out whether the EHR vendor maintains an open connection to the installed software (a “back door”) in order to provide updates and support. If so, ensure a secure connection at the firewall and request that this access be disabled when not in use.
2 http://healthit.gov/sites/default/files/Mobile Device Checklist.pdf
• Disable remote file sharing and remote printing within the operating system configuration. Allowing these could result in the accidental sharing or printing of files to locations where unauthorized individuals could access them.
Most software requires periodic updating to keep it secure and to add features. Vendors may send out updates in various ways, including automated downloads and customer-requested downloads.
Keeping software up-to-date is critical to maintaining a secure system, since many of these updates address newly found vulnerabilities in the product. In larger enterprises, this “patching” can be a daily task, where multiple vendors may issue frequent updates. In the small practice, there may not be the resources to continually monitor for new updates and apply them in good time. Small practices may instead wish to automate updates to occur weekly (e.g., use Microsoft Windows Automatic Update). However, practices should monitor for critical and urgent patches and updates that require immediate attention. Messages from vendors regarding these patches and updates should be monitored and acted upon as soon as possible.
Operating System (OS) Maintenance
Over time, an operational system tends to accumulate outdated information and settings unless regular maintenance is performed. Just as medical supplies have to be monitored for their expiration dates, material that is out-of-date on a computer system must be dealt with. Things to check include:
• User accounts for former employees are appropriately and timely disabled. If an employee is to be involuntarily terminated, disable access to the account before the notice of termination is served.
• Computers and any other devices, such as copy machines, that have had data stored on them are “sanitized” before disposal. Even if all the data on a hard drive has been deleted, it can still be recovered with commonly available tools. To avoid the possibility of an unintended data breach, follow the guidelines for disposal found in the National Institute of Standards and Technology (NIST) Special Publication 800-88 “Guidelines for Media Sanitation.”3
• Old data files are archived for storage if needed, or cleaned off the system if not needed, subject to applicable data retention requirements. • Software that is no longer needed is fully uninstalled (including “trial” software and old versions of current software).
3 http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88 with-errata.pdf
How do you know if staff members have downloaded programs they are not supposed to?
There are several commercial applications and services (e.g., anti-malware and anti-virus programs) that can be set up to report or even stop the download of rogue/unapproved software. They can conduct vulnerability and configuration scans, and some applications/services can conduct general security audits as well (e.g., other technical, administrative, and physical safeguards). Work with your IT team or other resources to perform malware, vulnerability, configuration, and other security audits on a regular basis.
Policies are in place prescribing Electronic Health Record (EHR) system maintenance procedures.
Staff with responsibilities for maintenance understand and agree to system maintenance policies and procedures.
Computers are free of unnecessary software and data files.
Remote file sharing and printing (including remote printing) are disabled.
Vendor remote maintenance connections are documented and fully secured.
Systems and applications are updated or patched regularly as recommended by the manufacturer.