Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

How To Include Cybersecurity In Your Privacy Impact Assessment

Posted on November 2, 2022 by Izza Nuguit in Blog

How To Include Cybersecurity In Your Privacy Impact Assessment

Keeping information safe and secure is a challenging development for businesses of all sizes over the last few years. Remote working and using cloud hosted services forced healthcare practices to change, or at least re-examine, their cybersecurity practices and protocols.

According to CyberEdge’s Cyberthreat Defense Report, 85% of organizations suffered from a successful cyberattack in 2021.

A privacy impact assessment (PIA) is an important tool to help understand the risks to patient health information and your healthcare business.

The recent Technology Fact Sheet, “How To Protect Against Ransomware“ from the Ontario Information and Privacy Commissioner, provides explanations and recommendations for all businesses.

Conduct privacy and security risk assessments whenever major new technology changes are introduced, and ensure that all critical elements of your IT environment are regularly reassessed.

Ontario Information Privacy Commission

Does Your PIA Include Cybersecurity Risks and Mitigation Plan?

You should review your PIA regularly, at least annually, and update your risk mitigation plans when there is a change in your administrative, technical, or physical practices. You also need to consider that the threat environment external to your business, like the increasing risk of cybersecurity vulnerabilities, can damage your business.

In this Episode #107 of the Practice Management Nuggets Podcast, Jean L. Eaton, Practical Privacy Coach with Information Managers shows us how to include cybersecurity risks in your PIA.

My Takeaways

A Privacy Impact Assessment is a type of a risk assessment. We know that cybersecurity vulnerabilities is a real risk for all businesses, including medical, dental, and other healthcare practices.

Take the time now to consider the new cybersecurity risks. Discuss this with your IT and managed services provider. Find strategies that work best in your practice. Remember—ignoring the risk doesn’t make it go away!

Next time you update or amend your PIA, include what you have done lately to prevent a cybersecurity incident in your practice.

Listen To The Podcast

Cybersecurity in Your Privacy Impact Assessment | Episode #107​

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast

Listen To The Podcast Here

#PracticeManagementNugget, #PrivacyImpactAssessment, cybersecurity, podcast

October Is Cyber Security Awareness Month!

Posted on October 20, 2022 by Jean Eaton in Blog

Cyber Security Awareness – 4 Cyber Security Tips to Keep Your Business Safe and Secure

Keeping information safe and secure is challenging developments for businesses of all sizes over the last few years. Remote working and using cloud hosted services forced healthcare practices to change, or at least reexamine, their cybersecurity practices and protocols. According to CyberEdge’s Cyberthreat Defense Report, 85% of organizations suffered from a successful cyberattack in 2021.

Now, businesses who have suffered cyberattacks along with companies who’ve been fortunate enough to avoid being a victim of breaches and hack are looking at ways they can bolster their defenses and safeguard their data. But which plans, practices, and services should these organizations invest in?

Below are 4 steps businesses of all shapes and sizes can take to better protect themselves against cyber attacks:

Identify “Crown Jewels” of Your Business

Understanding what information cybercriminals are after most is essential to combating cyber attacks. Know where your patient, employee, business, financial data is collected and stored in your practice and by your vendors. Create a written inventory of your data and the hardware and software you use to manage and store the data. Review who has access to important data and end outdated user access to anyone who does not need access to the data to do their job. This practice will ensure that business leaders have a track record of accessibility so that they know where to look in case of a vulnerability or breach.

Protect Assets by Updating and Authenticating

Protecting your data and devices from malicious actors is what cybersecurity is all about. Make sure your security software is current. When you invest in the most up to date softwares, web browsers, and operating systems you defend against a host of viruses, malware, and other online threats. Furthermore, make sure these devices have automatic updates turned on so employees aren’t tasked with manually updating devices. Additionally, make sure all data is securely backed up in a remote location.

Another important way to keep your assets safe is by ensuring staff are using strong authentication to protect access to accounts and ensure only those with permission can access them. This includes strong, secure, and differentiated passwords. According to a 2021 PC Mag study, 70% of people admit they use the same password for more than one account. Using weak and similar passwords makes a hacker's life a lot easier and can give them access to more materials than they could dream of. See “How Does Unique User ID Protect Patient Information In Your Practice?” 

Finally, make sure employees are using multi-factor authentication. While this may result in a few extra sign-ins, MFA is essential to safeguarding data and can be the difference between a successful and unsuccessful breach.

Monitor and Detect Suspicious Activity

Companies must always be on the lookout for possible breaches, vulnerabilities and attacks, especially in a world where many often go undetected. This can be done by investing in cybersecurity products or services that help monitor your networks such as antivirus and antimalware software. Moreover, make sure your employees and personnel are following all established cybersecurity protocols before, during, and after a breach. Individuals who ignore or disregard important cybersecurity practices can compromise not only themselves, but the entire organization. Paying close attention to whether your company is fully embracing all of your cybersecurity procedures and technology is incumbent upon business leaders.

Have an Incident Response Plan Ready

No matter how many safeguards you have in place, the unfortunate reality is that cyber incidents still occur. However, responding in a comprehensive manner will reduce risks to your business and send a positive signal to your customers and employees.  Regular cyber security awareness training will help prevent incidents and help you to quickly respond to an incident when it happens. Therefore, businesses should have a cyber incident response plan ready to go prior to a breach. In it, companies should embrace savvy practices such as disconnecting any affected computers from the network, notifying your IT staff or the proper third-party vendors, and utilizing any spares and backup devices while continuing to capture operational data.

Here's a great no-cost opportunity to provide cyber security awareness training to your team!

October is Cyber Security Awareness Month, a global effort to help everyone stay protected whenever and however you connect. The overarching theme for the month is, ‘Do Your Part. #BeCyberSmart.’ and Information Managers is proud to be a champion and support this online safety and education initiative this October.

 

Events This Month

Myla Cybersecurity Training Anne Genge cyber security awareness

Ask your questions live with Cybersecurity and Data Privacy experts in an interactive webinar format.

Join us for the first “Ask Me Anything” style webinar for healthcare professionals, practice managers, privacy officers, and owners on Friday October 21 at 1pm EST. It’s free to attend. Once you register, you’ll have access to the Zoom link on the day of the event.

We know that when we train our teams to identify cybersecurity risks, that we can reduce our risk of a business disruption and privacy breaches. And, when an incident occurs, we can identify the problem more quickly and reduce the harm and the cost.

It all starts with better understanding cybersecurity.

Click the button to hop over to the Myla Training website for more information and to register right away!

Register Ask Me Anything!

 

CyberSecurity Champions

cyber security awareness month champion

Information Managers Ltd has been a CyberSecurity Champion for many years – and now you can, too!

We want to help you, your family, friends and our community stay protected all year long, too. We encourage you to sign up as an individual Cybersecurity Awareness Month Champion. After signing up, you’ll receive a toolkit of free resources, including simple online safety habits and steps you can take to #BeCyberSmart.

National Cybersecurity Awareness Month is co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security. For more information about ways to keep you and your family safe online visit https://staysafeonline.org/cybersecurity-awareness-month/ and/or cisa.gov/ncsam.

 

 

 

Follow Information Managers blog posts, social media, and resources that you can download and use right away!

 

#BeCyberSmart

How Virtual Medical Office Administration Services Can Help Your Healthcare Practice With Kyle Sherritt

Posted on October 12, 2022 by Jean Eaton in Blog

How Virtual Medical Office Administration Services Can Help Your Healthcare Practice

 

Have you ever said, ‘If only, . . .

  • our referral backlog was caught up,
  • our incoming faxes were sorted,
  • our billing team was more confident, or
  • someone could help with the incoming phone calls during our busiest hours or lunch hour!'

If you have uttered these words, then you want to listen to our episode today how virtual medical office assistants and receptionists can help your healthcare practice.

In this Episode #106 of the Practice Management Nuggets Podcast, guest expert Kyle Sherritt, VP Sherritt Services shows us how a virtual medical office assistant and virtual receptionist can improve the bottom line of your healthcare practice and improve the patient experience.

My Takeaways

Many—heck!—most healthcare practices have staffing fluctuations.

When you start your healthcare practice, you hire an entry-level receptionist and medical office assistant (MOA). You learn together how to set up your appointment scheduler, your patient recall reminders, and your fee-for-service billing.

Then, you get a little busier, but not busy enough to hire another MOA to assist the busy hours. Your new MOA is ready to take holidays, but you don’t have a relief person on board, yet.

The physician is doing most of the billing because they haven’t trained the MOA to do that, yet.

You want the MOA to step up and take on more administration roles in the clinic, but they can’t meet your expectations because they can’t walk away from the ringing telephone.

You might find that your dreams of a smooth-running office so that you can focus on your patients’ needs are spiraling out of control.

Or, maybe you have heard about a no-staff office practice for your small one-person practice. It sounds great, but you discover that you really don’t enjoy making appointment reminder phone calls yourself.

Would you like some help with that?

Sherritt Services is now providing virtual medical office administration services!

Imagine—phones answered promptly even during your peak hours and your patients receiving a warm reception without staff running off to put yet another person on hold.

Your billing is now done by your in-clinic staff correctly, without coaching from the physician now that the staff has successfully completed the Alberta Medical Billing Online Course.

These new services are brought to you by Sherritt Services, the medical office administration service provider trusted by healthcare providers for over 25 years.

Listen To The Podcast

​How Virtual Medical Office Administration Services Can Help Your Healthcare Practice | Episode #106

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast

Listen To The Podcast Here
Kyle Sherritt virtual medical office administration

Kyle Sherritt is the VP Sherritt Services Inc. and the Sales Director.

Kyle has contributed to the business development of Sherritt Services since 2009.

#PracticeManagementNugget, podcast

Managing Employees When They Make Mistakes With Stacey Messner

Posted on October 3, 2022 by Izza Nuguit in Blog

Managing Employees When They Make Mistakes – Addressing Employee Performance and Restoring the Workplace

Have you ever had an employee who has made a mistake and now you’re scrambling about what to do next?

Your business needs a set of reasonable rules and guidelines for employees to follow. This helps to create a safe and respectful workplace and protect the privacy rights of your patients and employees.

Your healthcare practice should have a written policy and procedure to guide you in your response to a privacy and security incident.

Sometimes, our employees have been directly involved in the incident. For example:

  • Petty theft (personal gain)
  • Snooping in patient or employee records (disregarding policies)
  • Faxing a report to the wrong recipient (carelessness)
  • Using patient or employee information to cause harm (malice)

When employees and healthcare providers do not meet our expectations, sanctions or discipline may be appropriate.

In this episode #105 of the Practice Management Nuggets Podcast, guest human resources expert Stacey Messner gives practical advice to clinic managers and privacy officers to navigate difficult conversations after an employee makes a mistake.

Listen To The Podcast

Managing Employees When They Make Mistakes – Addressing Employee Performance and Restoring the Workplace | Episode #105

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast

Listen To The Podcast Here

Are you prepared to have difficult conversations with your employees?

Grab this tip sheet from Stacey Messner free when you subscribe to Stacey’s newsletter list.

Listen in a different way

Featured Guest: Stacey Messner

Stacey Messner Will Teach You How to Manage Employees When They Make Mistakes – Address Employee Performance and Restore the Workplace

Human resources expert Stacey Messner, Leader in HR gives practical advice to clinic managers and privacy officers to navigate difficult conversations after an employee makes a mistake, addressing employee performance improvement and workplace restoration practices.

Get Stacey Messner Listen Differently Tip Sheet

Download the free tip sheet from Stacey here
Managing Employees Stacey Messner

Stacey Messner, Leader in HR, has been providing human resource consultation on a contract basis to businesses in the North Peace Region of Alberta since 2016.

With over 20 years of experience working in all disciplines of HR in many industries including not for profit, Stacey prides herself in providing HR services and support to leaders in workplaces who are responsible for their HR programs.

The services Stacey offers are HR advisory, training and development, workplace assessment, conflict resolution, and special projects such as job description review, HR policy manual, performance review, recruitment, and orientation programs. Stacey was born and raised in the Saskatchewan prairies and married into a Peace Country family where she lives with her husband and kids.

She is an active member in her community, loves raising a family in a rural setting, and enjoys the activities and beauty of the region.

#PracticeManagementNugget, podcast

Do You Want To Be A Confident Healthcare Privacy Officer?

Posted on September 6, 2022 by Meghan in Blog

What Is a Privacy Officer?

A privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures are in compliance with relevant privacy laws. The Privacy Officer monitors employees and systems about how information is collected, used, and disclosed and access to identifying information.

A privacy officer may be known by other titles like privacy compliance officer or a security officer.

If your healthcare business involves the collection, use, and disclosure of your clients' and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.

If You Don't Have a Privacy Officer

Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!

Here are some examples of what can happen if you don’t have a privacy officer:

  • In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. OIPC auditors examined 22 clinics and found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy and a failure to ensure that privacy practices keep up with technological advances.
  • A complaint was made against a medical clinic with an employee suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities of privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to the all of the custodian’s administrative, technical, and physical safeguards with respect to health information. (See Do You Know Where Your Policies and Procedures Are?)
  • Employees are not aware of privacy requirements and engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act and court ordered fines, jail time, probation, community service and more. (See Snooping Conviction Earns 3 Years Probation )
Say No to Snooping

Roles and Responsibilities

So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practices include the following:

  • Identify privacy compliance issues for the business.
  • Ensure privacy and security policies and procedures are developed and keep them up to date.
  • Ensure that everyone working at your clinic and your vendors are aware of their privacy obligations.
  • Monitor your clinic's ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
  • Provide advice and interpretation of related legislation for the business.
  • Respond to requests for access and corrections to personal information.
  • Ensure the security and protection of personal information in the custody or control of the business.
  • Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.

Get the FREE Practice Management Success Tip, Privacy Officer Job Description Template.

 

healthcare, healthcare privacy officer, HIA, privacy officer, privacy officer training, webinar

Best Computer Service Support Options for Your Small Healthcare Practice

Posted on August 30, 2022 by Izza Nuguit in Blog

What is the Best Computer Service Support for Your Small Healthcare Practice?

Many healthcare providers starting their first practice are ‘bootstrapping’ their business. They don’t have external investors in their business. Business owners are balancing what can they do themselves and what services to hire from someone else.

Today, we will strategize how to implement technology in your healthcare practice and have a look at the different options available to you to select the best computer service support for your small healthcare practice.

Should You Do It Yourself?

When starting your own healthcare practice, it can be tempting to try to save costs by trying your hand at a DIY approach for managing the hardware and software required to run a practice.

That might work for a while. But soon, you will want to look into your options for outsourcing some of this.

When outsourcing your information technology (IT) need, it’s important to remember that you are ultimately responsible for managing the collection, use, security and safeguards for all personal information that you collect and control.

Let me help you with some definitions, terminology, resources to help you manage your computer network system and to determine what services are best suited for your needs.

We’ll have a look at:

  • Internet Service Providers
  • Managed Service Providers VS Managed Security Service Providers
  • Hardware as Service
  • Value Added Resellers
  • Cloud Service Providers
  • Software As A Service (SaaS), and
  • Remote Monitoring and Management Tools

Keep reading to find out the differences of these.

What is an Internet Service Provider (ISP)?

Internet service providers are likely the service on this list you are already most familiar with-–after all most of us deal with them in our personal lives, as well as in our professional lives.

These are companies which provide services which allow us to access the internet.

Unfortunately, some people assume that their ISP is also providing network security at the same time, which is simply not the case the majority of the time.

Something as simple as not changing the default password on your modem or wireless router can lead to vulnerabilities in your network. Right away, many DIY business owners are starting to feel the pinch about not knowing enough about IT to keep their practices secure.

There are some internet service providers also now offering managed service provider system as well. If you choose to go this route, ensure that you have a clear understanding about what they can and cannot do and documentation to show what exactly what is included in your fees.

Managed Service Providers (MSP) and Managed Security Service Providers (MSSP)

The definition of Managed Service Provider (MSP) is:

A MSP delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.

MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded.

– Gartner's Information Technology Glossary

Managed service providers are a great option for end users without the technical expertise required to manage their own networks.

If considering an MSP, you may consider referencing the Risk Considerations For Managed Service Provider Customers document put out by the Cybersecurity and Infrastructure Security Agency which outlines risk considerations organizations need to consider when they partner with a MSP.

MSP vs MSSP

Managed Security Service Providers (MSSP) provide security monitoring and management services to organizations to ensure they are protected from cybersecurity threats.

The types of services MSSPs can offer include threat monitoring and intrusion detection, firewall management, patch management, endpoint protection, and penetration testing as examples.

An MSP ensures your IT systems are operational, but a MSSP offers true security as a service, ensuring your people and systems are safe, secure and compliant.

Managed Services are a good way for businesses to get a high-quality IT service at a predictable monthly cost, instead of having to manage everything themselves, in-house.

What is Hardware as a Service?

Hardware as a Service allows customers to outsource the procurement, installation and support of their IT hardware, at a fixed and predictable monthly cost. Companies who use Hardware as a Service benefit from knowing any issues with their hardware will be diagnosed and fixed by the provider, without having to guess at the cost of the repair.

This is a convenient way of getting the best hardware without having to spend much cash upfront. The service model is similar to leasing or licensing whereby a business obtains IT hardware from a company, and the terms are dictated by a Service Level Agreement (SLA). In the case of hardware breakdown or any hardware becoming obsolete, the hiring company is responsible for repairing or changing it. Hardware as a Service can be provided by a managed service company or as a stand-alone service provided to businesses who are looking to acquire IT hardware.

Typically, these vendors do not provide ongoing monitoring, updates, and patch support to your network.

What is a Value-added Reseller?

A value-added reseller takes existing hardware, adds features such as third-party software, and then sells it at a markup to the end user.

The biggest difference between VARs and MSPs is the term of their involvement with the end user. VARs generally operate on a transactional basis (per license or seat), or a short-term contract. By contrast, MSPs operate on longer-term annual or multi-year contracts, and the tenure of their relationship is open-ended.

What is a Cloud Service Provider (CSP)?

CSPs offer access to technology and infrastructure that they own. This may be part of your digital transformation plan.

You’ve likely heard of some of the more popular cloud service providers, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform.

If you choose to use a cloud service for storing information, you’ll want to do some due diligence to determine the security the service has in place, where the information is stored, and to avoid services which have servers outside of Canada. Even when you use a CSP, you are still responsible to ensure that your local computer environment is secure. This is referred to as a Shared Responsibility model.

Best Computer Service Support Tiny

What is the Software As A Service (SaaS) Business Model?

SaaS is a type of CSP. The vendor provides a software on their data centre and you remotely access the software and use it on your device. Examples of this includes Microsoft Office 365, Google Workspaces, and even some electronic medical record (EMR) and electronic dental record (EDR) service providers.

If you’re using a service such as this, the same security caveats which come with cloud services need to be considered such as where the servers storing the information are located.

Privacy, confidentiality, and security of personal information is a shared responsibility whether it is on your device or an outsourced service.

You must properly configure your SaaS so that it is properly securing your data, and communication between yourself and your vendor is critical to understanding the shared responsibility of securing the data.

managed service provider

As the end user, you are responsible for security ‘in’ the cloud. This includes the responsibility of:

  • Collecting and maintaining the customer / PHI data
  • Identity and access management (IAM)
  • Application management
  • Operating system and firewall on your devices
  • Client side data encryption, data integrity, authentication
  • Server-side encryption
  • Network traffic management

Remote Monitoring and Management Tools (RMM)

Many MSPs, and some internal IT teams, use a remote monitoring and management tool (RMM). This is the software put on the workstations and servers, primarily. These tool report back to the RMM server and provides data so that the MSP can monitor and manage the system.

The tool allows the MSP to see issues such as:

  • When software needs to be updated
  • If computer needs to be rebooted
  • That there was an error in a system log that needs to be addressed.

All of this happens behind the scenes and allows the MSP to manage your system remotely.

The issue with RMM is that the software has the ability to fully control your computers so these RMM tools need to be secured.

If not secured properly from internal threats as well as external threats and a bad guy is able to get into your MSP’s RMM, they now have access to every single client network—including yours!–that the MSP manages. And that is a bad, bad day!

Vet Your Vendors for the Best Computer Service Support Option

Most healthcare providers start with a DIY approach to their computer network. Over time, your needs will change. It is good practice to meet regularly with your vendors to re-visit your IT strategy.

Your best computer service support option during your start-up phase will likely be different as your business matures.

When you select the right outsourced service to support your healthcare practice, you will improve your practice management efficiency and privacy compliance.

Remember to vet the vendor before you enter into a service agreement and Information Management Agreement.

See the Practice Management Nuggets Podcast for Your Healthcare Providers, What Healthcare Practices Should Know About Vendor Vetting And Accountability | Episode #085 with guest Expert Donna Grindle for tips to help you with this step.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies that impact privacy compliance and efficient practice management.

Changing technology and properly managing computer systems is just one aspect of that.

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!

Become a member of the Practice Management Success Membership!

digital health, healthcare practice management, privacy

How Does Unique User ID Protect Patient Information In Your Practice?

Posted on August 18, 2022 by Izza Nuguit in Blog

Why You Need Unique User ID In Your Healthcare Practice

When you’re setting up computer systems for your healthcare practice, start by ensuring that every user has a unique user identity (user ID).

Sharing login credentials for everyone on your team can lead to compromised account security, which makes you more vulnerable to phishing attempts, and leads to a greater risk of sensitive information getting into the wrong hands.

Today we’re going to look at why you need to ensure everyone on your team who requires access to IT systems has their own unique user ID and login credentials.

What is User ID?

The user ID or username that you create when you are granted access to a computer network or software application should be unique to the user (not shared). The user ID is persistent—that is, it doesn’t change.

While a user ID needn’t be as complex as a password, you want to avoid an easily guessed or spoofed name. Instead, create a user ID that is reasonably short and uses a mix of letters and numbers and special characters. The system should not allow duplicate user ID’s and may have additional criteria about what the name can include.

Sometimes, the user ID appears linked to the content that you enter. For example, the username might be associated with a clinic note you enter in the electronic medical record, internal messaging, or even a blog post.

You can think of the user ID as your digital signature that uniquely identifies the computer user.

 

Unique user id

You may also have certain programs or additional software, applications, and data, including sensitive information, personally identifying information (PII), and personal health information (PHI) which require an additional unique user ID and password.

Don’t Share Your Unique User ID!

Individuals are responsible for their unique user ID. A user ID is important to provide non-reputability for the user. It ensures that the user cannot deny having taken a particular action.

For example, in an office computer, a user ID would be used to login to the system. Once the user is logged in, they can view their personal folders, shared folders, access to printers, and so on. If the user were to deny accessing and printing a particular file, the user ID would prove that they had indeed accessed and printed the file.

Layers of Protection Is Better

A two-step process that requires the user to enter their unique user ID to access a computer or device, and another unique user ID to access a program like an EMR, is an example of a dual login. This added level of security ensures that an authorized user has access to both the local device and the software.

Multi-factor authentication (MFA) is a better level of security. Again, this starts with entering a unique user ID on the device, a different unique user ID to access specific software, and a token or code that is sent to the user. The user must enter the code into the software prior to access granted. The goal of this authentication intent is to make it more difficult to access devices or applications without the subject’s knowledge, such as by malware on the endpoint.

MFA is a core component of a strong identity and access management (IAM) policy. It all starts with having a unique username, password, and an additional verification factor, which decreases the likelihood of a successful cyber attack.

79% of organizations have experienced an identity-related security breach in the last two years [Identity Defined Security Alliance] and 61% of all breaches resulted from stolen credentials, whether through social engineering or brute force attacks. [Verizon Data Breach Investigations Report]. 

Why You Need Unique User ID In Your Healthcare Practice

Benefits of enforcing unique user ID for every user include:

  • Tracking user activity and manage overall operations on a particular system, network or application.
  • Improved security, decreased likelihood of inappropriate access, reduced errors, reduced malicious actions internal and external to the business.
  • Avoidance of fines and sanctions, under privacy legislation.

My EMR / EDR Has Unique User ID. Isn’t That Good Enough?

Many healthcare practices have not yet implemented a unique user ID policy. Instead, they rely on the electronic medical record (EMR), electronic dental record (EDR) or other practice management software (PMS) system to require unique user ID to access this sensitive data.

This simply isn’t good enough. Locking the back door while the front door is unlocked is not a sufficient deterrent to prevent unauthorized access to your systems and the information that it contains.

I’m certain that there are other sections in your computer files where sensitive information (employee, business, and/or patient information) is maintained. This needs to be protected by identity management and audit tracking, too.

The extra layer of protection of having unique user ID to access your computer system AND another unique user ID to access your EMR / EDR is a reasonable safeguard. Alberta Netcare, NIST, and privacy regulations recommend this minimum standard.

In IBM’s Cost of Data Breach Report 2021, compromised credentials were responsible for 20% of breaches.

Having shared user accounts (instead of unique user ID) increases the likelihood that the user credentials will be compromised and may result in a privacy and security incident.

The IBM report also identified that a zero trust approach helped reduce both the likelihood and the cost of a privacy and security breach. Zero trust means that everyone accessing electronic data must use strong authentication and authorization at all times. In short, don’t assume that because the user is accessing a computer at a specific location, that the user is authorized to access the computer.

Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

Make It Easy To Implement Unique User ID Policy

Businesses should use business-grade computer hardware and software for their computer networks and mobile devices. Select operating systems that make it easy to create and manage user accounts. Ensure that user activity audit logging is enabled.

You might be ‘pretty good’ at managing a computer. However, I recommend that healthcare providers, clinic managers, and business owners contact a local computer network technician or managed service provider to help you properly set up user management. Protect your patient’s information and your practice with good computer user management.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies-–not just those related to your work, but things in the world which can affect how you manage your practice and patients.

Changing technology is a huge part of that world, and properly managing computer systems is just one aspect of that.

Become a member of the Practice Management Success Membership!

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!

digital health, healthcare practice management, privacy, security

Alberta’s New OIPC Commissioner

Posted on July 30, 2022 by Izza Nuguit in Blog

Alberta’s New OIPC Commissioner

The Select Special Information and Privacy Commissioner Search Committee recommends the appointment of Diane McLeod as Alberta’s Information and Privacy Commissioner effective August 1, 2022.

The next time that you correspond with the AB OIPC office, make sure to change the following names in your templates:

Change the name of the outgoing Commissioner, Jill Clayton, and replace with the name of the new Commissioner, Diane McLeod.

More details are in the news release from the Office of the Information and Privacy Commissioner here.

What Does the Alberta OIPC Do?

The Commissioner is an agent of the Legislative Assembly of Alberta. This is not a government department nor is it a department under Alberta Health Services.

The mission of the Office of the Information and Privacy Commissioner of Alberta (OIPC) is to advocate for the access and privacy rights of Albertans, to ensure that public bodies, health custodians and private sector organizations uphold the access and privacy rights contained in the laws of Alberta, and to provide fair, independent and impartial reviews in a timely and efficient manner. OIPC of Alberta

There is a similar role in each of the provinces in Canada.

When to Contact the Alberta OIPC Commissioner

If you are in Alberta and you are a custodian (including physicians, dentists, chiropractor, podiatrist, optometrist, pharmacist, RN and others) you might need to contact the AB OIPC Commissioner in any one of these scenarios.

  • You are submitting a new Privacy Impact Assessment.
  • You have a change in custodians in your practice (a custodian moves, retires, or you add a new custodian to your practice.)
  • You have experienced a privacy breach in your practice and must inform the Commissioner.

If you are a resident of Alberta, you might contact the Commissioner if

  • You have a complaint about how a business manages your personal information. Ideally, you will bring your complaint to the privacy officer of the business first, before filing a complaint to the OIPC. Ideally, you will bring your complaint to the privacy officer of the business, first, before filing a complaint to the OIPC.

There are other situations that may arise that you may need to contact the OIPC. The Commissioner performs the responsibilities set out in Alberta’s three access to information and privacy laws:

  • Freedom of Information and Protection of Privacy Act (FOIP)
  • Health Information Act (HIA)
  • Personal Information Protection Act (PIPA)

The Commissioner checks or regulates that the businesses to whom the above legislation (and others) apply works according to these laws.

The OIPC website has many resources and reports available to better understand your roles and responsibilities regarding the collection, use, access, and disclosure of personal information.

Do you have questions about privacy compliance and practice management at your healthcare business? I’m happy to help you!

Email Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor to book a quick, 10-minute call with me.

OIPC Commissioner, privacy

Your Patient Requests To Record Their Appointment With You

Posted on July 29, 2022 by Izza Nuguit in Blog

Your Patient Requests To Record Their Appointment With You – What Does This Mean For You, As A Health Care Provider?

Often, doctors’ visits are fairly straightforward.

When there are no major concerns or new diagnoses, it can be in and out quickly, and with little fuss.

There are times, however, when visiting the doctor can be overwhelming for patients.

When a patient is receiving a new diagnosis, for instance, it often comes with instructions for how to best manage their condition, dietary restrictions, or exercises they need to perform in order to help them achieve a better outcome.

In cases like this, some patients may request to record their conversations with you, their healthcare provider.

The first time you receive a request like this, it may seem surprising.

With technology such as smartphones, it’s becoming easier and easier for people to make these recordings so it’s best to be prepared for it.

Let’s have a look at the things you need to consider when it comes to patients who ask to record their appointments.

Why Do Patients Want To Record Conversations?

A patient may request to record a conversation for several reasons.

Some of these may include:

  • More accurate sharing of health advice and instructions with other family members or caregivers who help them manage their diagnosis
  • Allows for better communication between you as a healthcare provider and your patients
  • Improved compliance with instructions, as they will refer to the recording

Benefits To Recording Patient Appointments

 

Each of these reasons ultimately has the effect of potentially helping improve compliance with your instructions, and thus improving patient outcomes.

“71% of patients listened to their recordings, while 68% shared them with a caregiver.” – The Dartmouth Institute for Health Policy & Clinical Practice 

Unfortunately, anytime you are recorded, there is the potential drawback that recordings could be used inappropriately.

Some inappropriate use of recordings by patients may include:

  • Recording without the consent of the healthcare provider.
  • Recording information (audio, visual) of other persons, including patients, visitors, or other employees.
  • Sharing of recording inappropriately on social media.
  • Security of the recording may be compromised, which may negatively affect the patients’ and the healthcare providers’ privacy.
  • Patient’s recording of the healthcare visit may be used against the healthcare provider in a complaint process.

As you can see, there are both benefits and drawbacks to allowing recording of conversations with patients.

Now we will look at the next steps when you allow recording and when you would prefer to not be recorded.

I’ve Agreed To Be Recorded – Now What?

If your patient has requested to record your session, and you’ve agreed, there are some things which will need to be discussed before moving forward regarding appropriate use of recordings.

The patient usually requests permission to record at the beginning of the encounter.

Discuss and agree to the terms of the recording, for example:

• How the recording will be made
• How a recording will be made available to the patient’s health record
• Identify (name) who will be included in the recording and ensuring that the privacy of other people is not affected
• How follow-up questions will be managed.

Document the Encounter

You, as the healthcare provider, may make the recording, keeping a copy for the health record, and share the recording with the patient. Or, you may make a separate recording at the same time of the patient and add the recording to the patient’s health record.

If you will also make a recording, the patient is required to consent in writing to the recording. Include the patient’s consent in the patient’s health record.

In addition to the clinic notes you may make:

  • Securely maintain the audio recording in the patient’s health record or in a digital audio file format securely stored on the computer network.
  • In the patient’s health record clinic note, include the link to the computer file with thee recording.
  • The healthcare provider will record in the clinic note:
    • The conversation was recorded – by whom and who has control of the audio file.
    • Consent was obtained (if applicable)
    • Summary of the conversation

What If I Don’t Feel Comfortable Being Recorded?

If a patient requests to record your session, you may choose to decline their request.

This may just be because you are working to implement policies and systems surrounding recording, but they aren’t quite in place yet.

If a patient request to record your session, and your decision to decline, you will need to make a note of the request, as well as your grounds for denying it, in the patient’s clinic notes.

If the patient is worried about being able to remember of follow instructions, some alternatives to recording may include:

  • Provide the patient with information resources including paper handouts, advice documents, or on-line audio or video advice and information resources.
  • Allow the patient to invite a trusted family member, friend, or care provider to accompany the patient during the patient’s health care visit.

Workflow Patient Record Appointment

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies-–not just those related to your work, but things in the world which can affect how you manage your practice and patients.

Changing technology is a huge part of that world, and the growing use of cell phones to record conversations is just one aspect of that.

Be prepared when patients ask permission to record their visits with you. Grab the procedure and patient request form template that you can use right away! Become a member of the Practice Management Success Membership!

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom! ✨

Reference

Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA 2017 March. Smartphone Recordings By Patients: Be Prepared, It's Happening Retrieved https://www.cmpa-acpm.ca/static-assets/pdf/advice-and-publications/perspective/com_17_perspective_march-e.pdf

The Dartmouth Institute for Health Policy & Clinical Practice. “Can patients record doctor's visits? What does the law say?.” ScienceDaily. www.sciencedaily.com/releases/2017/07/170710135301.htm (accessed July 23, 2022).

 

 

digital health, healthcare practice management, privacy

Get It In Writing Podcast – Employee Snooping and Other Privacy Breaches

Posted on July 12, 2022 by Izza Nuguit in Blog

Get It In Writing Podcast Talks About Employee Snooping

In this episode of the Get It In Writing podcast, Corinne Boudreau explores common sources of privacy breaches for health care practitioners in Canada with health privacy expert, Jean L. Eaton.

Specifically, Corinne and Jean chat about:

  • How employee snooping results in 20% of healthcare privacy breaches
  • What policies you must have in your healthcare practice
  • What role and importance privacy policies play in healthcare

Employee Snooping and Other Privacy Breaches to Guard Against if You're a Health Care Practitioner

Listen to the podcast episode here: Get It In Writing Podcast Season 1 – Episode 10

Or on your favourite podcast player!

What Is Snooping?

Snooping is a privacy breach! When you access patients’ personal information for a purpose other than to provide a health service, it is snooping.

Often, people view personal information of their patients, clients, or employees because they are ‘curious’. Not everyone understands that ‘just looking’ is considered snooping.

When We Know Better, We Do Better

Discuss snooping with your employees and prevent privacy breaches in your healthcare practice.

Want to learn more? Pick up Jean’s book, Tips to Prevent Employee Snooping: A Key Component of Your Privacy Practice Management Program, with your favourite e-book seller.

Tips To Prevent Employee Snooping - Privacy Management Program Book Cover

Corinne Boudreau makes legal jargon easier to understand. That’s worth a 5 ***** rating, isn’t it?

Listen to the podcast and give Corinne a 5 star ***** rating!

digital health, healthcare practice management, privacy breach
123›»

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

"I did think that the info session was interesting on how many tools can be created and intertwined for the use of the patient. I do find the sessions good."

--Practice Management Nugget event, 'Engage your patients using automated tools' with Karol Clark

- Debra from Spruce Grove

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2022 Information Managers Ltd.

2 shares
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}