EMR security is all about mindset
When you enter into aesthetic medicine you become your client's first and last line of defense against unwanted attention regarding their medical history.
Trust your staff, but understand that human nature makes allowances for the people we spend our days with. You can eliminate many potential problems by starting with a tight written policy that emphasizes the following:
No Sharing Credentials
Office personnel are crucial to a great client experience and, at times, there's a need for non-medical employees to access medical records. Eliminating paper charts and any client data that's not easily secured and traceable is a good first step in keeping the spread of this personal information to a minimum.
You also need an administrator with a security mindset. Since EMR technology has made adjusting individual user privileges achievable in seconds, there's no reason to share credentials between colleagues.
It's a great idea to have someone on site or within easy reach who can manage employee access on a moment-to-moment basis. Client consent forms and other relevant data can now be shared briefly with seamless traceability. Remember, when it comes to HIPAA violations, good intent and adherence to guidelines are both crucial to defending your reputation if a breach occurs.
Individual Email Accounts
Separate email logins are required under HIPAA, and it's overall good practice for any business to require that every employee is responsible for the content of their own email correspondence. A substantial percentage of both intentional and unintentional data leaks originate inside medical practices, so it's best to be proactive about your security.
This may involve a few changes to administrative policy when it comes to client communication.
Aesthetic Record-Create a User
The best strategies we've seen use separate accounts for each employee, meaning no group accessible email for office staff. Clients typically have better response rates to emails that end with a name, position and business contact information rather than a generic account. This one is a win-win, and worth the extra few minutes it takes to create new users.
It's rare that people share passwords within the medical field, but adding a reminder to your written policy that password sharing is forbidden is an important fallback for Medical Directors. Equally important is the growing need for password rotation (a voluntary or auto-prompted change requirement for one's password).
We fall into the habit of reusing the same passwords; it's natural, particularly when you have multiple personal and business accounts, emails, and site logins. One of the most notorious cases of the "Everyone Does It" attitude around passwords was Mark Zuckerberg's "dadada breach". The Facebook CEO had several of his social media accounts hacked when he secured them each with the simple "dadada" lyric. Rotation should happen at least once every six months so that we're all required to purge old or overused passwords.
A recent Forbes post regarding cybersecurity also suggests the following:
“Normal accounts should have a password no less than 10 characters;
Accounts with access to sensitive information or which are administrative accounts should have at least 15 characters;
The password should contain uppercase, lowercase, numbers and special characters; and
Do not pick a dictionary word, pick a set of words, a saying or some lyrics”
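To make the quoted guidance concrete, here is an added Python checker (not from this post or from Aesthetic Record) that applies the two length tiers, the character-class rule, a crude dictionary-word test against a constructed word list, and the six-month rotation interval described above; the role names, the 183-day interval and the word list are assumptions.

```python
import re
from datetime import date, timedelta

# Minimum lengths taken from the Forbes guidance quoted above (role names are assumed).
MIN_LENGTH = {"normal": 10, "admin": 15}
# Rotation interval from the post: at least once every six months (assumed as 183 days).
MAX_PASSWORD_AGE = timedelta(days=183)
# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "summer", "medical", "dadada"}

CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password_policy(password, role="normal", last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    minimum = MIN_LENGTH[role]
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters required for {role} accounts")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name} character")
    # A single dictionary word (ignoring case, digits and symbols) is rejected;
    # a set of words, a saying or a lyric, as the guidance suggests, passes this check.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY:
        problems.append("password is a single dictionary word")
    # Rotation check: flag anything older than the six-month interval.
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > MAX_PASSWORD_AGE:
            problems.append("password older than six months; rotation required")
    return problems
```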
As you've probably noticed, the security practices listed here are only partially achievable through good technology. A written zero-tolerance policy is the best tool a Med Spa Director can use to interrupt problem behaviors before they become habits. Make policy the bad guy and be clear that no amount of time saved is ever worth the risk of exposing your people or your business to potential liability.