You have a medical office in Canada. You are thinking about starting to computerize your office. However, you are concerned. There are obvious benefits, but there seem to be a lot of risks. How can you navigate the path and not crash?
At Beyond Programs, our team will help you to manage your medical office IT requirements from in-office support to telehealth and software management needs.
As you will notice from the resources within this article, there are government-mandated requirements for protecting patient data. We help you to understand the requirements and implement solutions that work for, you, your staff, and patients.
Privacy Legislation
You are familiar with existing Canadian personal information privacy legislation, such as PIPEDA (Personal Information Protection and Electronic Documents Act) at the federal level and several provincial general or healthcare-specific additional legislation. Overall, these acts mean that regarding patient data you:
- are accountable for the data you collect,
- should only collect agreed-upon personal information,
- can only use it for the agreed-upon purposes,
- only keep it for as long as it is needed,
- keep it up to date,
- protect it,
- make it available to the individual as appropriate,
- demonstrate compliance to privacy when required, and
- ensure that organizations you share data with meet your standard of care.
Office Security
You have likely already addressed physical security for your medical office. You have ensured that the building is locked and protected when you are not working, your office is secured and covered by a security system, and your file cabinets are locked. When the office is open, you have role-based access control to files to ensure that information is only accessed by those who need to.
Computer Security
Computerizing your medical office will make it easier for you and your staff to run your office. But it also adds risks that others may get access to your patients’ data. This article goes over how to ensure that your computers and your computer network are secured so that you continue to meet your obligations under Canada’s PIPEDA type legislation.
Device Security
Just like staff needs keys to open the file cabinets, passwords protect your devices in your computerized office. Only people with accounts set up on a computer can use the computer. Once staff has signed into their computer, they should sign in to the various applications on the computers. Programs like billing systems and electronic records systems provide access controls that can enforce the rules just like you have in place for your physical records. By having various office application accounts set up with role-based security, you can ensure and demonstrate that staff only has the access needed to do their job. The janitor cannot log into the computer and cannot access electronic patient records. The receptionist and your nurse can.
Sidebar # 1
The Canadian Medical Protective Association (CMPA) has produced an Electronic Records Handbook. In the context of medical office steps to protect electronic records, page 15 of the handbook states:
“Robust security features and policies must ensure information in an eRecord is only accessible within the circle of care to provide patient care, or for other purposes that are authorized by law or with the express consent of the patient. This can be achieved through the use of secure login protocols. In addition to having security mechanisms that limit access to authorized persons only, where possible it is prudent to consider equipping the eRecord system with controls that restrict access based on the user’s role and responsibilities.”
Network Security
Your medical office devices interact with each other using your local network. You need to make sure that your network is secure. Your network administration software should be password protected. As well, your computers will not be like an island, so you will need to connect them to the internet. Firewall software should be installed and configured to restrict your office computers just like your office door controls office physical access. Appropriate firewall configuration allows only approved network traffic to flow between your devices and external sources such as internet sites.
Security Software
Your computer operating system provides many security features. To keep your computers safe, you need to ensure that patches are applied to the operating system to continue to combat the latest threats. As well, your applications on each computer need to be patched and kept up to date. Building on that security foundation, virus and malware protection software is necessary to protect your devices from additional threats. Such programs snoop into data files and messages to look for things that may compromise your security. By installing virus software and keeping it up to date, you have better protection from these threats. Based on a 2020 industry survey, Statistics Canada reported that in 2019 “…about one-fifth (21%) of the overall Canadian business population reported being impacted by cyber security incidents… .” You must take care to ensure that you adequately protect your patient data.
Data Protection
With the steps discussed so far, your computer and its data are likely well secured. However, what if someone steals your computer or its hard drive? What steps should you take to protect patients’ private data in that scenario? Computer drives can, and should, be encrypted so that “data at rest” cannot be read outside of your security controls. Encryption programs convert plain text into unreadable forms for those who don’t have the encryption key.
Internet Interactions with Patients
You would never do a patient consult in the middle of a busy coffee shop. If you do not take appropriate steps, interactions with clients via the internet (e.g., email or telehealth sessions) are sent in plain text and can be intercepted by bad actors. Such individuals can “overhear” your discussions just like the person beside you in the coffee shop could. Encryption programs can also protect “data in transit.” You should use only email services that support encrypted connections. Telehealth sessions should also use encrypted sessions to protect your patient’s privacy.
Sidebar # 2
The Doctors of BC’s Doctor’s Technology Office has an IT Security page that provides information relevant to this article. This information includes their “Physician’s Office IT Security Guide” publication. The Technology Safeguard Chapter (page 14) of that Guide focuses on providing a more in-depth discussion of the last few topics. The chapter covers:
In the office, all clinic staff should understand the importance of and implement these routine safeguards:
- Using strong passwords.
- Applying a setting for auto logoff after a period of inactivity.
- Using a password-protected screen saver.
- Locking mobile phones when inactive.
- Protecting mobile device data with a username and password.
- Transmit personal information safely (e.g., protocols for fax, email).
- Maintaining backups.
Other best practices safeguards will require IT support, including:
- Keep firmware, operating systems, and all software security patches up to date.
Hardening servers.
- Applying strong encryption to protect data at rest and in transit on both clinic computing systems and mobile devices.
- Installing firewalls and antimalware, such as anti-spam or antivirus software.
- Restricting cookies.
- Installing a hardware or software intrusion detection system for your wired and wireless network.
- Installing a data leakage/data loss prevention system.
- Configuring the operating system.
- Implementing access control.
Mainstream Usage
Electronic medical records (EMRs) are the computerized version of your patient records. At some point in your computerization journey, you are likely to convert to EMRs. The Canadian Medical Association (CMA) and Canada Health Infoway recently completed a 2021 survey of Canadian physicians to “better understand the use of digital health and information technology among physicians in Canada.” They concluded that the use of EMRs has increased to 87% of Canadian physicians. Therefore, your journey will not be blazing new trails but could follow a well-laid path. However, if you are concerned about finding that path, our project managers could help you.
Setting Things Up and Keeping them Running
Setting up computers and networks is not your strength. Neither is maintaining them in peak operating condition. The more you rely on computers, the more critical they become in the operation of your office. To keep your office running smoothly, you need to make sure that they keep working. Unless you have a large enough medical office to warrant your own IT team, setting up a support contract with an organization to provide timely help to you is essential. When you give a support organization access to your computers, you must ensure that patient data remains secure. They must have policies and practices to protect patient data privacy. Make sure that you research your support options and ensure that you have a privacy agreement in place to demonstrate that you have applied due diligence for Canadian data protection. We can help you with your IT support needs.
If your computer breaks down and cannot be fixed, how do you get access to your data on the computer? The best way to address this is to have backups stored at a remote location. Many organizations can back up your data over the internet. You can then restore the data from there to a replacement computer. However, using those services means you now have another party that has access to your data. You need to enter into privacy agreements with such service providers to ensure that they respect and protect your patients’ private data. You need to think carefully about where your data is stored. If your backups are not in Canada, can the local government use its laws to force your provider to release your data? In some countries, this is the case.
Making it Work
This article has covered some foundation setting considerations to protect patient data when you start computerizing your office. Just like your physical office has layered security (building, office, and file cabinets), your IT security is similarly layered (internet, local network, computer, and application). You have many responsibilities around protecting patient data. Selecting the right path to computerize your Canadian medical office can help you meet those responsibilities and safely receive the benefits of office automation. If you need help in finding that path, our project managers would be glad to help.
ABOUT THE AUTHORS
Noble Hurst BSc, PMP, ITIL
Over 15 years of experience from the US and Canada from startups to Fortune 500 companies. I bring decades of experience from a range of industries including technology, film, construction, marketing, and logistics.
