
It is rare today to encounter a physician working as a sole practitioner. Between dealing with insurance companies, reimbursement rates, hospital privileges, and myriad regulatory requirements, the sole practitioner, we could say, is a critically endangered species.
And yet last week I had a conversation with such a doctor working as a sole practitioner. He was an older man who had a distinguished career, but was limiting his workload and, I suspect, looking towards retirement. He mentioned to me his need for an IT security consultant that specialized in HIPAA and who could help him with an audit. I told him that he should consult a security auditor who would review his infrastructure, which consists of a computer, a Wi-Fi network, and a mobile device, and make recommendations. Having worked for the Icahn School of Medicine at Mount Sinai in New York, it just so happened that I knew a thing or two about making an IT infrastructure HIPAA compliant, but would prefer leaving a formal audit to a consultant who has done several of these in the past and is current on the latest HIPAA standards.
Online, a doctor can find plenty of resources on how to make her IT infrastructure HIPAA compliant. However, most doctors—and this was very true at Mount Sinai—are not the most tech savvy. And this makes perfect sense! One should not expect a cardiologist to understand the details of IT security any more than one should expect me to be able to interpret the results of a cardiac stress test.
Windows users
But there are some basic things that a sole practitioner should be doing. Firstly, make sure the office’s computers have the latest updates. If the office uses Windows, then the update cycle is monthly. Every second Tuesday of the month is “Patch Tuesday”, which is when Microsoft releases its software updates. If the computer is not managed by a corporate IT department, Microsoft will deploy the update automatically to the computer systems. All that needs to be done is reboot the workstation or server after the update is applied. Applications installed via the Microsoft Store are also updated automatically. Other than regularly patching the computer at least monthly and ensuring third-party software is current, nothing else is required.
I should point out here that powering down the computer (“Shutdown” on the Start menu) is not the same as rebooting the computer (“Restart” on the Start menu). This is because modern Windows computers utilize something called “Fast Startup” that, in effect, puts the computer in a kind of hibernation state. This allows for, as the name states, faster startup. Use the Restart function instead, as this will close out all system files and processes, terminate the kernel, and bring everything back up fresh.
Macintosh users
For Mac users things are a little different. Apple does not deploy updates on a regular basis, and apps from the App Store require user intervention to update. Always click the Apple icon in the upper left corner of your screen and look for updates. You will see system updates and app updates. When you see an update, apply it.
One problem is that Apple will try to deploy the latest major release of macOS via the system update process. This has caused a lot of problems for me in the past. System performance has taken a hit, and on one occasion it disabled my ability to use a piece of legacy hardware. The latest major release of macOS is Sequoia, macOS 15, and the latest version is 15.6. If you are still on Ventura, macOS 13, that goes end of life in October and you will need to either update to the major release or replace your Mac with a new system that can support the latest major releases (Sonoma, Sequoia).
To give an example of the hardware problems that happen when macOS gets updated to the latest version, the new version of macOS, called “Tahoe”, will drop support for FireWire 400/800 devices. That means if you are using a device that requires this, it will not work after upgrading to Tahoe. If you are on Sequoia, this will not be an issue until 2027.
Another thing sole practitioners should be doing is using a HIPAA-compliant email service. Hushmail, Proton Mail, and Paubox are three HIPAA-compliant services used by health care providers that provide good security.
If you are a sole practitioner using Windows, make sure you are using Windows Professional on all of your Windows devices and not the home version that probably came with the computer when you bought it. Mainly you want to enable BitLocker drive protection that encrypts the storage volume on the computer. Device encryption is a requirement for HIPAA compliance.
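As an added illustration that is not part of the original post, the following read-only PowerShell script checks the Windows items discussed above in one pass: the edition (Home cannot run BitLocker), how long ago the last update was installed, whether an update is still waiting for a reboot, whether Fast Startup is on (which is why “Shutdown” does not give you a clean restart), and whether the system drive is protected by BitLocker. It assumes a Windows 10 or 11 workstation and an elevated PowerShell prompt; the 45-day “stale patch” threshold is my own choice, not a Microsoft or HIPAA figure. The script changes nothing on the machine; it only reports.

```powershell
# Added example, not from the original post. Read-only checklist for a
# Windows workstation: edition, patch age, pending reboot, Fast Startup,
# and BitLocker on the system drive. Run from an elevated PowerShell prompt.

# 1. Edition: BitLocker requires Pro, Enterprise or Education, not Home.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Edition: $($os.Caption)"
if ($os.Caption -match 'Home') {
    Write-Host "  WARNING: Home edition cannot use BitLocker; upgrade to Pro."
}

# 2. Most recent installed update. Get-HotFix lists installed KBs; some
#    entries have no InstalledOn date, so those are filtered out.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    Write-Host ("Last update: {0} installed {1:yyyy-MM-dd} ({2} days ago)" -f `
        $latest.HotFixID, $latest.InstalledOn, [int]$age.TotalDays)
    # 45 days is an arbitrary threshold chosen for this example: it means
    # at least one Patch Tuesday has gone by without an install.
    if ($age.TotalDays -gt 45) {
        Write-Host "  WARNING: more than one Patch Tuesday has passed without an update."
    }
} else {
    Write-Host "Last update: none recorded by Get-HotFix"
}

# 3. Pending reboot: Windows creates these registry keys when an update
#    has been applied but still needs a restart to finish.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$pending = $rebootKeys | Where-Object { Test-Path $_ }
if ($pending) {
    Write-Host "Reboot pending: YES - use Restart, not Shutdown, to complete the update."
} else {
    Write-Host "Reboot pending: no"
}

# 4. Fast Startup: HiberbootEnabled = 1 means "Shutdown" hibernates the
#    kernel session instead of fully closing it, so only Restart is a
#    true cold boot.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
                -ErrorAction SilentlyContinue).HiberbootEnabled
if ($hiberboot -eq 1) {
    Write-Host "Fast Startup: enabled - Shutdown will not fully reset the system; use Restart."
} else {
    Write-Host "Fast Startup: disabled or not present"
}

# 5. BitLocker on the operating system drive. Get-BitLockerVolume is only
#    available on editions that ship the BitLocker feature, so a missing
#    cmdlet is itself a finding.
$sysDrive = $env:SystemDrive
try {
    $vol = Get-BitLockerVolume -MountPoint $sysDrive -ErrorAction Stop
    Write-Host ("BitLocker on {0}: Protection={1} Status={2} ({3}% encrypted)" -f `
        $sysDrive, $vol.ProtectionStatus, $vol.VolumeStatus, $vol.EncryptionPercentage)
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "  WARNING: system drive is not protected; enable BitLocker via Control Panel > BitLocker Drive Encryption."
    }
} catch {
    Write-Host "BitLocker: Get-BitLockerVolume unavailable (Home edition or feature not installed)."
}
```

Each item maps to one of the recommendations on this page: a stale patch date or a pending reboot means the monthly update cycle is not actually completing, Fast Startup explains why “Restart” rather than “Shutdown” is the right habit, and anything other than Protection=On for the system drive means the device-encryption requirement is not met. Run it once a month after Patch Tuesday and keep the output with your other compliance records.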
For your cloud services that may provide billing and electronic prescription submission, make sure you are using end-to-end encryption when connecting to the services and multi-factor authentication when logging into them. Generally the provider will manage the end-to-end encryption for your internet connection. For multi-factor authentication, make sure that it is enabled and that you are using a tool like Google Authenticator, Microsoft Authenticator, or Duo to generate the MFA code. Do not get the code from text messages, because this is not as secure as the authenticator.
Securing paper records
Finally, do not forget physical security. Lock your office when you leave for the day. Do not leave patient notes on your desk where they can be read by others. If you receive a facsimile with patient health information (PHI), retrieve it right away and do not let it sit on the machine. If you are still using paper records, make sure you are storing them in a locked file cabinet. If you think this is extreme, consider the case of Daniel Ellsberg during the Watergate era.
Resources
Here are some resources you can consult:
- American Medical Association (AMA): https://www.ama-assn.org/practice-management/sustainability/physician-cybersecurity
- US Health and Human Services: https://www.hhs.gov/hipaa/for-professionals/index.html
- HIPAA Journal compliance checklist: https://www.hipaajournal.com/hipaa-compliance-checklist/