07/17/2024 Paul Kesselman, DPM
The Importance of Password Security (Steve Pribut, DPM)
Several years ago, I was employed as the Compliance Officer for a local podiatry practice with 10 or so employees and two offices. What I soon found out was that everyone from the office manager to the back office medical assistants all had the same level of access to the EHR and all had the same password to log into the EHR.
While the doctors all had different sign-ins from staff, they too shared the same password, while the other employees all shared another same password. This meant that the accounts receivable, postings, lab orders, and accounts payable could not be traced back to any one individual person.
This meant you would not know who posted a check, wrote off a balance or entered a claim.
How would you know who entered an order for DME, placed a lab report into a chart for review, etc.?
How would you know which medical assistant entered or edited a history or which scribe wrote the note? For that matter, other than the doctor signing their name at the end of the note, how would you know it was actually any specific doctor?
This went on for some time until the EHR company paid a site visit and had a very loud and difficult conversation with the owner of the practice.
The bottom line: Every employee at a practice should have their own password entry into the EHR. When the employee is finished entering information, whether in front of a patient or not, they should be exiting the EHR, leaving the computer for the next employee or physician to enter their own password. The password and employee ID should dictate and limit the employee's function and ability to view, enter and edit data. In this manner, every step that is entered can be traced back to the individual performing a specific task.
As for turning or rebooting or starting the computer or looking at programs other than the EHR, the same rules apply. Each employee has a dedicated function and thus limits their functions.
To keep employees on their toes and not share passwords today, fingerprinting and face recognition can be utilized. Having employees change passwords on a regular basis is also a great idea.
Paul Kesselman, DPM, Oceanside, NY
Other messages in this thread:
07/15/2024 Michael L. Brody, DPM
The Importance of Password Security (Steve Pribut, DPM)
Dr. Pribut brings us some excellent points. Each member of the practice should have their own login to practice software. Well-designed software has an audit log which can be reviewed to see "who did what and when." This is important should there be issues or discrepancies in the information in an EHR system or practice management system. You should not allow users to 'share' an account. In addition, each user should have their own login for the operating system.
With each user having their own account, when a member of your practice leaves, you then re-activate their login information to all practice software systems as well as their access to the actual computer. This is an integral part of administrative security of your computers, network and software.
Dr. Pribut also mentions the use of password managers. Password managers have the advantage of creating unique and quite complex passwords that can be very difficult to break using 'brute force' techniques. The disadvantage of password managers is that you have all of your passwords stored in a single system. If the password manager is hacked, the hackers now have all of your passwords, and no matter how complex they are, they can simply grab them from your password manager and break into your account. A very interesting article about hackers attacking password managers can be found at Beyond Identity at this link: https://www.beyondidentity.com/resource/password-managers-hacked-a-comprehensive-overview
In addition, the use of a password manager creating complex passwords does not protect you from hackers getting your password from the system you log into and then posting it to the internet, which is what happened on July 4th with the Obamacare file I originally referenced in this thread. I am NOT saying you should not use a password manager. I am saying it is important to change your passwords annually so that the stolen password that is published is no longer a valid password, and you should monitor cybersecurity news to watch for announcements of breaches of your password manager software and, when that does happen, take the appropriate steps to protect yourself.
No system is perfect; each has its advantages and disadvantages. With each method of protecting our data that is developed, hackers will work to defeat that security to access our data. Hackers are now even using AI to hack into our systems. A very scary article on this topic can be found at Keypoint Intelligence, titled The Rise of AI-Driven Hacking: https://keypointintelligence.com/keypoint-blogs/the-insiders-guide-to-cybersecurity-the-rise-of-ai-driven-hacking
We need to be diligent and make it as difficult as possible for hackers to access our systems. It is also important to be aware of the Strengths, Weaknesses, Opportunities, and Threats that exist and make informed decisions about how to best protect ourselves. The best we can do is stay aware of what is going on and what tools and methods are available to assist us to maintain security, and threads of this nature are vital to make sure that everybody is aware of the issues and risks they face in the cyber environment we work and live in.
Michael L. Brody, DPM, Commack, NY