What is the Best Computer Service Support for Your Small Healthcare Practice?

Many healthcare providers starting their first practice are ‘bootstrapping’ their business. They don’t have external investors in their business. Business owners are balancing what can they do themselves and what services to hire from someone else.

Today, we will strategize how to implement technology in your healthcare practice and have a look at the different options available to you to select the best computer service support for your small healthcare practice.

Should You Do It Yourself?

When starting your own healthcare practice, it can be tempting to try to save costs by trying your hand at a DIY approach for managing the hardware and software required to run a practice.

That might work for a while. But soon, you will want to look into your options for outsourcing some of this.

When outsourcing your information technology (IT) need, it’s important to remember that you are ultimately responsible for managing the collection, use, security and safeguards for all personal information that you collect and control.

Let me help you with some definitions, terminology, resources to help you manage your computer network system and to determine what services are best suited for your needs.

We’ll have a look at:

• Internet Service Providers
• Managed Service Providers VS Managed Security Service Providers
• Hardware as Service
• Value Added Resellers
• Cloud Service Providers
• Software As A Service (SaaS), and
• Remote Monitoring and Management Tools

Keep reading to find out the differences of these.

What is an Internet Service Provider (ISP)?

Internet service providers are likely the service on this list you are already most familiar with-–after all most of us deal with them in our personal lives, as well as in our professional lives.

These are companies which provide services which allow us to access the internet.

Unfortunately, some people assume that their ISP is also providing network security at the same time, which is simply not the case the majority of the time.

Something as simple as not changing the default password on your modem or wireless router can lead to vulnerabilities in your network. Right away, many DIY business owners are starting to feel the pinch about not knowing enough about IT to keep their practices secure.

There are some internet service providers also now offering managed service provider system as well. If you choose to go this route, ensure that you have a clear understanding about what they can and cannot do and documentation to show what exactly what is included in your fees.

Managed Service Providers (MSP) and Managed Security Service Providers (MSSP)

The definition of Managed Service Provider (MSP) is:

A MSP delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.

MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded.

– Gartner's Information Technology Glossary

Managed service providers are a great option for end users without the technical expertise required to manage their own networks.

If considering an MSP, you may consider referencing the Risk Considerations For Managed Service Provider Customers document put out by the Cybersecurity and Infrastructure Security Agency which outlines risk considerations organizations need to consider when they partner with a MSP.

MSP vs MSSP

Managed Security Service Providers (MSSP) provide security monitoring and management services to organizations to ensure they are protected from cybersecurity threats.

The types of services MSSPs can offer include threat monitoring and intrusion detection, firewall management, patch management, endpoint protection, and penetration testing as examples.

An MSP ensures your IT systems are operational, but a MSSP offers true security as a service, ensuring your people and systems are safe, secure and compliant.

Managed Services are a good way for businesses to get a high-quality IT service at a predictable monthly cost, instead of having to manage everything themselves, in-house.

What is Hardware as a Service?

Hardware as a Service allows customers to outsource the procurement, installation and support of their IT hardware, at a fixed and predictable monthly cost. Companies who use Hardware as a Service benefit from knowing any issues with their hardware will be diagnosed and fixed by the provider, without having to guess at the cost of the repair.

This is a convenient way of getting the best hardware without having to spend much cash upfront. The service model is similar to leasing or licensing whereby a business obtains IT hardware from a company, and the terms are dictated by a Service Level Agreement (SLA). In the case of hardware breakdown or any hardware becoming obsolete, the hiring company is responsible for repairing or changing it. Hardware as a Service can be provided by a managed service company or as a stand-alone service provided to businesses who are looking to acquire IT hardware.

Typically, these vendors do not provide ongoing monitoring, updates, and patch support to your network.

What is a Value-added Reseller?

A value-added reseller takes existing hardware, adds features such as third-party software, and then sells it at a markup to the end user.

The biggest difference between VARs and MSPs is the term of their involvement with the end user. VARs generally operate on a transactional basis (per license or seat), or a short-term contract. By contrast, MSPs operate on longer-term annual or multi-year contracts, and the tenure of their relationship is open-ended.

What is a Cloud Service Provider (CSP)?

CSPs offer access to technology and infrastructure that they own. This may be part of your digital transformation plan.

You’ve likely heard of some of the more popular cloud service providers, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform.

If you choose to use a cloud service for storing information, you’ll want to do some due diligence to determine the security the service has in place, where the information is stored, and to avoid services which have servers outside of Canada. Even when you use a CSP, you are still responsible to ensure that your local computer environment is secure. This is referred to as a Shared Responsibility model.

What is the Software As A Service (SaaS) Business Model?

SaaS is a type of CSP. The vendor provides a software on their data centre and you remotely access the software and use it on your device. Examples of this includes Microsoft Office 365, Google Workspaces, and even some electronic medical record (EMR) and electronic dental record (EDR) service providers.

If you’re using a service such as this, the same security caveats which come with cloud services need to be considered such as where the servers storing the information are located.

Privacy, confidentiality, and security of personal information is a shared responsibility whether it is on your device or an outsourced service.

You must properly configure your SaaS so that it is properly securing your data, and communication between yourself and your vendor is critical to understanding the shared responsibility of securing the data.

As the end user, you are responsible for security ‘in’ the cloud. This includes the responsibility of:

• Collecting and maintaining the customer / PHI data
• Identity and access management (IAM)
• Application management
• Operating system and firewall on your devices
• Client side data encryption, data integrity, authentication
• Server-side encryption
• Network traffic management

Remote Monitoring and Management Tools (RMM)

Many MSPs, and some internal IT teams, use a remote monitoring and management tool (RMM). This is the software put on the workstations and servers, primarily. These tool report back to the RMM server and provides data so that the MSP can monitor and manage the system.

The tool allows the MSP to see issues such as:

• When software needs to be updated
• If computer needs to be rebooted
• That there was an error in a system log that needs to be addressed.

All of this happens behind the scenes and allows the MSP to manage your system remotely.

The issue with RMM is that the software has the ability to fully control your computers so these RMM tools need to be secured.

If not secured properly from internal threats as well as external threats and a bad guy is able to get into your MSP’s RMM, they now have access to every single client network—including yours!–that the MSP manages. And that is a bad, bad day!

Vet Your Vendors for the Best Computer Service Support Option

Most healthcare providers start with a DIY approach to their computer network. Over time, your needs will change. It is good practice to meet regularly with your vendors to re-visit your IT strategy.

Your best computer service support option during your start-up phase will likely be different as your business matures.

When you select the right outsourced service to support your healthcare practice, you will improve your practice management efficiency and privacy compliance.

Remember to vet the vendor before you enter into a service agreement and Information Management Agreement.

See the Practice Management Nuggets Podcast for Your Healthcare Providers, What Healthcare Practices Should Know About Vendor Vetting And Accountability | Episode #085 with guest Expert Donna Grindle for tips to help you with this step.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies that impact privacy compliance and efficient practice management.

Changing technology and properly managing computer systems is just one aspect of that.

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!

Become a member of the Practice Management Success Membership!

Your Patient Requests To Record Their Appointment With You – What Does This Mean For You, As A Health Care Provider?

Often, doctors’ visits are fairly straightforward.

When there are no major concerns or new diagnoses, it can be in and out quickly, and with little fuss.

There are times, however, when visiting the doctor can be overwhelming for patients.

When a patient is receiving a new diagnosis, for instance, it often comes with instructions for how to best manage their condition, dietary restrictions, or exercises they need to perform in order to help them achieve a better outcome.

In cases like this, some patients may request to record their conversations with you, their healthcare provider.

The first time you receive a request like this, it may seem surprising.

With technology such as smartphones, it’s becoming easier and easier for people to make these recordings so it’s best to be prepared for it.

Let’s have a look at the things you need to consider when it comes to patients who ask to record their appointments.

Why Do Patients Want To Record Conversations?

A patient may request to record a conversation for several reasons.

Some of these may include:

• More accurate sharing of health advice and instructions with other family members or caregivers who help them manage their diagnosis
• Allows for better communication between you as a healthcare provider and your patients
• Improved compliance with instructions, as they will refer to the recording

Benefits To Recording Patient Appointments

Each of these reasons ultimately has the effect of potentially helping improve compliance with your instructions, and thus improving patient outcomes.

“71% of patients listened to their recordings, while 68% shared them with a caregiver.” – The Dartmouth Institute for Health Policy & Clinical Practice 

Unfortunately, anytime you are recorded, there is the potential drawback that recordings could be used inappropriately.

Some inappropriate use of recordings by patients may include:

• Recording without the consent of the healthcare provider.
• Recording information (audio, visual) of other persons, including patients, visitors, or other employees.
• Sharing of recording inappropriately on social media.
• Security of the recording may be compromised, which may negatively affect the patients’ and the healthcare providers’ privacy.
• Patient’s recording of the healthcare visit may be used against the healthcare provider in a complaint process.

As you can see, there are both benefits and drawbacks to allowing recording of conversations with patients.

Now we will look at the next steps when you allow recording and when you would prefer to not be recorded.

I’ve Agreed To Be Recorded – Now What?

If your patient has requested to record your session, and you’ve agreed, there are some things which will need to be discussed before moving forward regarding appropriate use of recordings.

The patient usually requests permission to record at the beginning of the encounter.

Discuss and agree to the terms of the recording, for example:

• How the recording will be made
• How a recording will be made available to the patient’s health record
• Identify (name) who will be included in the recording and ensuring that the privacy of other people is not affected
• How follow-up questions will be managed.

Document the Encounter

You, as the healthcare provider, may make the recording, keeping a copy for the health record, and share the recording with the patient. Or, you may make a separate recording at the same time of the patient and add the recording to the patient’s health record.

If you will also make a recording, the patient is required to consent in writing to the recording. Include the patient’s consent in the patient’s health record.

In addition to the clinic notes you may make:

• Securely maintain the audio recording in the patient’s health record or in a digital audio file format securely stored on the computer network.
• In the patient’s health record clinic note, include the link to the computer file with thee recording.
• The healthcare provider will record in the clinic note:
  • The conversation was recorded – by whom and who has control of the audio file.
  • Consent was obtained (if applicable)
  • Summary of the conversation

What If I Don’t Feel Comfortable Being Recorded?

If a patient requests to record your session, you may choose to decline their request.

This may just be because you are working to implement policies and systems surrounding recording, but they aren’t quite in place yet.

If a patient request to record your session, and your decision to decline, you will need to make a note of the request, as well as your grounds for denying it, in the patient’s clinic notes.

If the patient is worried about being able to remember of follow instructions, some alternatives to recording may include:

• Provide the patient with information resources including paper handouts, advice documents, or on-line audio or video advice and information resources.
• Allow the patient to invite a trusted family member, friend, or care provider to accompany the patient during the patient’s health care visit.

Workflow Patient Record Appointment

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies-–not just those related to your work, but things in the world which can affect how you manage your practice and patients.

Changing technology is a huge part of that world, and the growing use of cell phones to record conversations is just one aspect of that.

Be prepared when patients ask permission to record their visits with you. Grab the procedure and patient request form template that you can use right away! Become a member of the Practice Management Success Membership!

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom! ✨

Reference

Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA 2017 March. Smartphone Recordings By Patients: Be Prepared, It's Happening Retrieved https://www.cmpa-acpm.ca/static-assets/pdf/advice-and-publications/perspective/com_17_perspective_march-e.pdf

The Dartmouth Institute for Health Policy & Clinical Practice. “Can patients record doctor's visits? What does the law say?.” ScienceDaily. www.sciencedaily.com/releases/2017/07/170710135301.htm (accessed July 23, 2022).

Should You Use Encrypted Emails In Your Practice?

There are many jokes around these days like “Fax machines? Who still uses those? And why are you still using fax machines? It’s the 2020s, not the 1990s!

People who don’t use them regularly may not realize it, but there are still many places which still use fax machines today—from legal offices, to governments, and yes—doctors offices.

This is because fax machines are much more secure than electronic networks such as email.

One doctor’s office asks: As healthcare professionals, we routinely send our referring physicians a report of the patient’s progress by fax. One clinic would like us to send the reports to them using their encrypted email link instead of fax.

Can we do that?

Today we’ll look at the pros and cons of switching to encrypted email as a method to securely send personal health information and try to answer this question.

What Are The Issues With Email?

First, we need to look at regular, non-encrypted email.

Grant Dakin, President of Solid Technology Solutions reminds us:

“When it comes to sharing sensitive information via email it should always be assumed that it is insecure. Basic email is generally open text, and to many email servers out there, especially on the public side, are not setup to handle encrypted email protocols.”

Even if your email service provider offers message encryption while a message is traveling between computers, this often does not apply on either end, and the message in the outgoing sent box and incoming inbox are often left unencrypted and vulnerable.

If information is not appropriately sorted once it arrives in the recipient’s inbox, there may still be issues with storing information in your email.

If the sender and the receiver do not appropriately manage their in and out boxes to ensure that it has limited information, appropriate access to only the right persons, and has been securely deleted, you have only addressed part of the problem.

When sending information to another clinic or doctor’s office, you may ask what practices does the other clinic have for storing information?

The same questions are important for patients as well:

• Does the patient have access to a computer where they can download information?
• Are they using a personal computer or an employer’s computer?
• Do they have a secure place to access the information?

These are all things which need to be taken under consideration before you send personal information by email in your healthcare practice.

Why Are Some People Switching to From Faxing?

So, a referring partner who typically sends the consultation report to you by fax now wants to send it to you by encrypted email.

It’s not uncommon for places to want to upgrade their technology.

Fax machines can be large and clunky, and using encrypted email for consultation reports, referral requests, and more can be attractive to streamline operations. Many people feel that fax machines are obsolete. In early March of 2021, the Government of Ontario announced it would phase out its use of all fax machines by the end of the year.

However, there isn’t a common alternate communication standard across healthcare, private, and public users that is as common as the fax machine.

There have also been numerous privacy breaches in healthcare related to improper use of fax machines. For example, in the Ontario Information and Privacy Commissioner’s 2020 Annual Report, the IPC found that, in 2020 about 58 per cent of breaches experienced by health information custodians were caused by misdirected faxes. 

How Does Encrypted Email Work?

Encrypted email works using an encryption key.

What is Encryption? Encryption is a method to disguise a message into a secret code. Only the people that have the ‘key’ to the secret code can un-scramble the message so that it can be read.

In order to use them, both the sender and the receiver need to have a key—the sender uses it to encrypt the message before sending it, and the receiver needs a key to decipher the message.

Grant Dakin explains: “Encrypted email services are a third-party service that will securely store the message, typically a secure web page, until a verification process is completed. This is key. The recipient needs to prove their identity to be able to view the message. At minimum, this can be a username / password challenge using a verified recipient owned email address. When possible, it is recommended to have multifactor authentication (MFA) employed. The use of MFA is dictated by compliance requirements, the type of information and your user base.”

This might seem overly complicated if you’re not used to using encryption services, which may not be an issue when sending information to another clinic, especially if they’re the ones who suggested using encrypted email.

Encrypted Email Process Diagram

When it comes to sending information to patients, especially those who aren’t very tech savvy, you need to consider if encrypted email is the right option.

Things to Consider When Implementing Encrypted Email

If you’re considering implementing encrypted email into your practice, you’ll want to first do a risk assessment, which should include:

• Discussions with IT vendor / Managed Service Provider
• Assess the reputation of the encryption vendor
• Does the encrypted email meet industry compliance requirements?
• Review your existing policies and procedures
• Update those policies and procedures as required
• Approval from Privacy Officer / Custodian / CEO
• Prepare / update your privacy impact assessment (PIA)
• Training for your staff on how to use the encryption software
• Is there a verification process to ensure that the right person is viewing / accessing the information?
• Verify that there are encryption protocols being used (If retrieving from a browser, verify that there is a valid SSL certificate)

For further guidance on choosing an encrypted email service, Grant Dakin offers the following:

“When looking for an encrypted email service, be certain that the service provider can demonstrate compliance. Most third-party providers base their compliance on HIPAA, which is a US based compliance, but it is very much in line with Alberta's Health Information Act (HIA) and our various Privacy Acts. For us, at SolidTech, the most common encrypted email service provider that we deploy would be Microsoft 365, which is HIPAA / HIA compliant, providing it is set up properly.”

Consider also that if you send information via encrypted email, there will probably be a learning curve for the receiver of the information as well. You may want to offer a basic outline to patients who opt to receive email this way about how it all works.

It may seem surprising at how much time it takes to appropriately and correctly implement an email encryption service in your healthcare practice. But if you will “axe the fax” and discontinue the use of a fax machine, you need to complete a risk assessment and plan an alternate solution.

What Else Can I Use, Instead of Encrypted Email?

If you aren’t ready to make the jump to encrypted email systems but want to get away from using fax machines in your practice, there are alternatives to encrypted email to consider.

Some of these include:

• Portals from electronic medical record (EMR) systems
• Sharing networks
• Secure messaging

PrescribeIT^® enables prescribers to electronically transmit a prescription directly from an electronic medical record (EMR) to the pharmacy management system (PMS) of a patient’s pharmacy of choice. See the blog post, “Using PrescribeIT To Streamline Your Workflow”.

Any changes to how you send personal information, whether to patients or other clinics can’t just be a unilateral decision on your part.

Just because you’re ready to make a change, it doesn't mean that the recipients are ready to receive it in that way. You must communicate with your partners and patients about your plans and ensure everyone is on board.

Furthermore, it’s always good to have a business continuity plan in case your chosen method ceases to work as expected.

I’m Ready To Implement Encrypted Email—What’s Next?

If you think encrypted email might be the right choice for your practice, you might wonder, “What next?”

Getting started with a change like this may seem overwhelming, but you don’t have to do it alone.

Connect with Grant Dakin of Solid Technologies Solutions Inc. 

Also see, “Texting with Patients; Can You Use Text Messaging With Patients?”