07/17/2024
RESPONSES/COMMENTS (INTERNET SECURITY)
From: Paul Kesselman, DPM
Several years ago, I was employed as the Compliance Officer for a local podiatry practice with 10 or so employees and two offices. What I soon found out was that everyone from the office manager to the back office medical assistants all had the same level of access to the EHR and all had the same password to log into the EHR.
While the doctors all had different sign-ins from staff, they too shared the same password while the other employees all shared another same password. This meant that the accounts receivable, postings, lab orders, and accounts payable could not be traced back to any one individual...
Editor's note: Dr. Kesselman's extended-length letter can be read here.
07/15/2024
RESPONSES/COMMENTS (INTERNET SECURITY)
From: Michael L. Brody, DPM
Dr. Pribut brings us some excellent points. Each member of the practice should have their own login to practice software. Well-designed software has an audit log which can be reviewed to see "who did what and when". This is important should there be issues or discrepancies in the information in a EHR system or practice management system. You should not allow users to 'share' an account. In addition, each user should have their own login for the operating system.
With each user having their own account, when a member of your practice leaves, you then re-activate their login information to all practice software systems as well as their access to the actual computer. This is an integral part of...
Editor's note: Dr. Brody's extended-length letter can be read here.
07/12/2024
RESPONSES/COMMENTS (INTERNET SECURITY)
From: Howard E Friedman, DPM
The issue of password security is really one of overall cybersecurity which every office as well as every individual needs to take seriously. Cybersecurity for healthcare is a focused topic of the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency under the jurisdiction of the Department of Homeland Security which does have online resources for the healthcare sector (see below).
I believe that cybersecurity for healthcare should be a topic addressed in continuing education seminars. The recommendation for strong passwords is on target. Passwords should be lengthy, complex (including letters, upper and lower case, numbers and symbols), and changed often. Password managers are designed to keep track of these passwords.
Cybersecurity also includes training staff to avoid phishing emails which are pervasive and to...
Editor's note: Dr. Friedman's extended-length letter can be read here.
07/11/2024
RESPONSES/COMMENTS (INTERNET SECURITY) - PART 1B
From: Michael Brody, DPM
Even though secure and convenient, biometric password authentication requires and stores sensitive and unique information about individuals, like fingerprints and facial features. The risk of identity theft and fraud might significantly increase if this data falls into the wrong hands.
Biometric data is 'static'; it does not change. Once you use biometric data for login, that data is stored in your computer so that your computer can recognize you. If your computer is hacked, hackers now have your biometric data which can be utilized to break into your accounts. Here are some links to events of breaches of biometric data:
which appropriately points out breaches, the biggest disadvantages of biometrics, because biometric data can't be changed. So, if your password is hacked, you can change your password. If your security key is hacked, you can get a new security key. You cannot change your biometric data so once a hacker has it, they always have it. That is why I am not a fan of using biometric data for security purposes.
Michael Brody, DPM, Commack, NY
07/11/2024
RESPONSES/COMMENTS (INTERNET SECURITY) - PART 1A
From: Steve Pribut, DPM
Practice software requires an individual sign-in. And multiple users can use the same computer - and then sign in to the practice management software as distinct individuals on different days. Some Software allows remote access with multi-factor verification.
While the formula verification described by Dr. Brody works, there are others who feel a completely unique password for each site, and the use of a secure password remembering program is closer to ideal. I've used both methods.
When an employee leaves the practice, their password and access can be easily removed by an administrator.
Steve Pribut, DPM, Washington, DC
07/09/2024
RESPONSES/COMMENTS (INTERNET SECURITY)
From: David Secord, DPM
I'm surprised that Dr. Brody didn't mention the most secure way of having secure passwords: don't use them. If you use a desktop computer, a USB-based biometric reader can easily be found on Ebay. Every laptop I've owned for about a decade has had a biometric reader, but if yours doesn't, you can always pick one up.
My understanding is that the requirement to change and log password changes is eliminated if you are using a fingerprint to sign in. My newest laptop has the biometric reader built into the power button. As you are powering up, my fingerprint is read at the same time and lets me know that it has been read successfully (or not) as the Windows splash screen displays. Very convenient.
David Secord, DPM, McAllen, TX
07/08/2024
RESPONSES/COMMENTS (INTERNET SECURITY)
From: Michael Brody, DPM
As part of the July 4 activities, a hacking group known as ObamaCare posted 9,948,575,739 unencrypted passwords to the Internet in a file titled rockyou2024. This list of passwords comes from a combination of old and new data breaches.
Data breaches are now seeming like an almost daily event with more and more passwords being ‘broken’ on a regular basis. What does this mean for you in terms of protecting the Protected Health Information (PHI) you are responsible for as well as protecting your private data? You always want to follow good password security policy which includes:
Change your passwords on a regular basis – at least once a year for ALL of your...
Editor's note: Dr. Brody's extended-length letter can be read here.
