Reasons Why You Need to Rethink Your Employee Access
Each day, there is increasing demand for instant electronic data. And with the lines ever more blurred between personal and work time, people have come to expect the same level of information accessibility at work as at home. Employees want to access data they need for their jobs as well as the ability to book their next vacation from their desks. However, there is a huge difference in how and how much information employees should be able to retrieve on their home computers versus their employer-owned systems.
Technology in the workplace is supposed to increase workplace productivity, but often results in cyberslacking. Here we will focus more on security issues surrounding your practice’s technology. We will outline three reasons for limiting what your employees can access. Your IT partner can provide further guidance.
Reason #1: The Potential for Data Breaches
The potential for a data breach is a serious issue for any business, but for a medical or dental practice it could spell disaster. While breaches caused by outside hackers get the most press these days, a fair share of them (48% according to sources) are caused by internal human errors. Some common areas where employees could make your practice vulnerable are:
Poor Password Practices
Employees may choose obvious or weak passwords. They might not change them often enough, or they might share them with others.
Falling for Phishing Scams
Passwords could be stolen by hackers through phishing scams. An employee might accidentally click on a fake link or be tricked into sharing a password.
Being Subject to Social Engineering
Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Taking Files (With Sensitive Data) Out of the Office
Any time paper or electronic files are taken out of your office, information could be lost or stolen, thus compromising your practice.
Additionally, mobile- and remote-friendly workplaces increase the risk of a data breach, with connected devices coming and going from the network in droves. That brings us to the next reason:
Reason #2: Employees Often Have Access to More Information Than They Should
Unfortunately, a lot of dentists and doctors do not take the proper precautions when setting up their IT infrastructure. It’s time-consuming, expensive and often takes a higher level of skill than the practice owner has. If security measures are not in place where employee access is concerned, you could place your practice at higher risk for not only data breaches but also legal liability. Do all of your employees have the same level of access when it comes to company and patient data? This is dangerous because the more people with data access, the higher the risk of compromised data. Terminated or disgruntled employees could even share or sell data.
Role-Based Access Control (RBAC) is a great solution for managing who has access to what within the company structure. Consider role-based access to limit the number of team members who have access to sensitive information like credit card numbers, patient information and more. Access should be granted to different types of data on a need-to-know basis for each employee’s role. You can use an application to define roles and what those roles can access. There are often tools within your practice management software to allow for role-based access control. Your IT partner can set this up for you.
Reason #3: HIPAA, PCI DSS, and Other Compliance
Medical and dental practices are subject to both HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard) compliance rules and regulations. How you store and protect data must meet certain guidelines and expectations, or your practice will be subject to fines and/or penalties.
General HIPAA compliance requires that practices:
Ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) they create, receive, store, or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and ensure compliance by their workforce.
PCI compliance requires that businesses restrict employee access to sensitive data on a need-to-know basis. For PCI compliance, practices are required to have a role-based access control system. In addition to RBAC, there should be an up-to-date list of the employees who can access credit card data in your business.
In a nutshell, if you aren’t implementing role-based access (which we discussed above), you’re not PCI compliant.
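To make the two points above concrete, here is a small role-based access check written for this article (it is an added example, not code from the original post or from any practice management product). The roles, data categories and staff names are constructed for illustration; it shows the need-to-know check from Reason #2, default-deny for unknown roles, revocation when someone is offboarded, and how the PCI "who can reach card data" list is derived from the role assignments rather than maintained by hand.

```python
from dataclasses import dataclass
from typing import Set, List

# Constructed example: each role lists only the data categories it needs.
# Anything not listed is denied (need-to-know, default deny).
ROLE_PERMISSIONS = {
    "front_desk":     {"schedule", "patient_contact"},
    "billing":        {"schedule", "patient_contact", "card_data"},
    "clinician":      {"schedule", "patient_contact", "clinical_records"},
    "office_manager": {"schedule", "patient_contact", "card_data", "clinical_records"},
}


@dataclass
class Employee:
    name: str
    roles: Set[str]
    active: bool = True  # offboarded staff keep their record but lose all access


def can_access(emp: Employee, category: str) -> bool:
    """Allow only if the employee is still active and at least one of
    their roles explicitly grants the category. Unknown roles grant nothing."""
    if not emp.active:
        return False
    return any(category in ROLE_PERMISSIONS.get(role, set()) for role in emp.roles)


def employees_with_access(staff: List[Employee], category: str) -> List[str]:
    """Derive the current access list for a category (e.g. "card_data" for PCI)
    from the role assignments, so the list is always in step with the roles."""
    return sorted(e.name for e in staff if can_access(e, category))


def offboard(emp: Employee) -> None:
    """Terminating someone revokes every permission in one step."""
    emp.active = False


if __name__ == "__main__":
    staff = [
        Employee("Ana", {"front_desk"}),
        Employee("Ben", {"billing"}),
        Employee("Dr. Cho", {"clinician"}),
        Employee("Dee", {"front_desk", "billing"}),
    ]
    print("Card data access list:", employees_with_access(staff, "card_data"))
    offboard(staff[3])
    print("After offboarding Dee:", employees_with_access(staff, "card_data"))
```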
There are many risks involved in giving employees too much unnecessary access to patient and practice data. These risks include data breaches, disgruntled employees, and compliance issues, among others. One of the most important things you can do to protect your practice data is to implement a role-based access control protocol. Employees should only be able to see data that is related to their roles in your practice. We are here to help with this and other IT issues.
In an ideal world, there is a happy medium that allows your staff to do their jobs, but also keeps your patient data and the private data of the company secure.