Data security has become one of the top priorities for healthcare practices, and it’s not difficult to see why. In the UK, one small business is successfully hacked every 19 seconds, and in both the US and the UK, 38% of organisations lose revenue every year due to security breaches.
When it comes to personal health information, the stakes are even higher. Aside from what a security breach can cost your practice, the penalties for HIPAA non-compliance alone can be as high as $50,000. So, data security is not something that health practices can afford to ignore.
In a recent Power Talks webinar, Power Diary’s co-founders, Damien and Paul Adler, spent an hour unpacking security and privacy must-do’s for health practices, as well as discussing the tight processes Power Diary has in place for keeping the software safe and secure for clients.
In this article, we’ll present an overview of Power Diary’s commitment to data security and how to improve data security in your practice. The article has been completely revamped for 2022 and covers an updated set of simple measures that your practice can put into place to protect yourself, your team, and your clients.
Right, get yourself a coffee, and get comfortable.
This is a longer-than-usual read, but the simple steps we outline for you to put in place combined with the not-so-simple steps that we take to keep your data safe have the potential to prevent the majority of breaches and hacks.
Think Differently About Security
As Damien puts it, “we need to be thinking much more broadly about security, because people often picture a sophisticated hacking group that is trying to hack into a system. That certainly can happen, and it’s something that we are very mindful of. But thinking about security and privacy is much broader than that and goes beyond the technical things that we do to make sure that data is secure and locked down.”
If you’re serious about security, you might need to adjust your thinking.
It’s not just… external parties trying to access information. There are also internal breaches, whether accidental or deliberate, where things can really go wrong. This risk can be reduced by adopting internal policies and procedures.
It’s not just… data access. You also need to think about availability and how to make data consistently and readily accessible – cloud storage, back-ups and data recovery procedures are essential here.
It’s not just… skilful hackers trying to break into your system, phishing or data theft. Many incidents exploit vulnerabilities that could easily have been avoided with regular updates, unique passwords and best-practice security training.
In the webinar, Paul uses the analogy of a house. Yes, in some cases there may be a targeted break-in of a specific property that is carefully planned and executed. But, as with home break-ins, most hacks are opportunistic. If you’ve gone out and left your front door wide open, it’s much more likely that your home will be broken into by a criminal who is driving up and down the street looking for an easy target, and likewise with security breaches.
The Power Diary Approach
Power Diary makes compliance with the strictest standards accessible to practices: you benefit from the latest privacy and security updates, such as state-of-the-art encryption, two-factor authentication, account user permissions and privacy mode functionality, without needing to invest in the technological developments yourself.
And, because we’re at the forefront of the latest data security developments, you don’t have to be. You can focus on taking Power Diary’s security features and applying them to your practice, rather than worrying about how, what, where and when the next breach might come from.
“What we do is pick out the strictest version of the requirements for that specific feature and then we build Power Diary to meet the highest level of security framework available.” – Damien Adler, Power Diary
Here are some of the ways we’re making your privacy and security our top priority:
1. Governance, Risk and Compliance Platform
Power Diary uses a GRC (Governance, Risk and Compliance) platform. The GRC platform monitors privacy laws and regulations like HIPAA, GDPR, PIPEDA and CCPA, as well as security frameworks like ISO 27000 and SOC II. This means we’re constantly assessing our compliance and security status against those regulations and frameworks, and any inconsistencies between existing and new requirements are flagged. When changes to regulations are proposed, anywhere in the world, we receive advance notice so that proactive changes can be rolled out before they become a requirement.
We are compliant with the relevant legislative and regulatory requirements in the main markets in which we operate: Australia, New Zealand, the UK, Europe, South Africa, the US and Canada. This includes compliance with the Australian Privacy Act, GDPR and UK GDPR, HIPAA, and PIPEDA. As technology continues to evolve, we regularly update our infrastructure, security systems and software to ensure we are providing the highest levels of protection for our customers at all times.
2. Infrastructure Security and Compliance
Power Diary utilises Amazon AWS, which provides an infrastructure environment optimised to run applications like Power Diary. This means we can split the data into different locations and ensure that it is spread across multiple data centres, so that we’re unlikely to be impacted by an event that affects one area.
In addition, all Power Diary data hosted on Amazon infrastructure is backed up hourly to separate secure storage, with an additional separate daily backup.
Amazon complies with worldwide privacy regulations like GDPR, HIPAA and PIPEDA and security frameworks like ISO and SOC 2.
3. Automated Security System Alerts
Our system alerts are based on best practice processes outlined by the US Department of Defense, and our software applies the highest level of security framework available.
This includes automated alerts and monitoring for any unusual activity. Our security systems monitor user behaviour in real-time, making early identification of security threats possible.
We also have an audit trail of every modification that is made, whether to code, to the configuration of systems or to anything else. This log is maintained automatically, tracks everything, and cannot be turned off.
4. Continuous System Testing
Power Diary contracts a third-party company to test for vulnerabilities. They check for deficiencies, for example in operating systems, and then check whether each deficiency makes the Power Diary software vulnerable. This happens automatically, multiple times a day, and we receive notifications about all the checks and their implications for our software.
5. Logging and Monitoring
Power Diary’s advanced security login systems give you access to:
- 2-Factor Authentication – this extra layer of access security makes it less likely that a user’s account will be compromised.
- User Account Controls – the login and authorisation of each user are processed over a secure and encrypted connection, and you can also limit user access.
- User Activity Recording – the user activity log file creates an automatic record of user activity, so you can see when a user logged in, what they viewed, and what changes were made.
6. Data Transmission and Cryptography
Power Diary utilises the latest commercially accepted encryption protocols to secure data at rest and in transit. All information transferred from your browser to our services is encrypted using 256-bit SSL technology. You also benefit from added protection with our Domain Validated Security Certificate.
7. Credit Card Processing and PCI Compliance
Power Diary enables customers to process client credit card payments via a secure and validated integration with Stripe Inc. Stripe is certified as a PCI Service Provider – Level 1.
9 Things You Can Do (Right Now) to Improve Your Practice Security
The security of any system is dependent on the people who use it. So, while Power Diary has significant measures in place, ultimately, the security of your data relies on your users. And this simple truth extends far past just the practice management software you use.
Here’s what we recommend:
1. Never Share Passwords (and ensure that each team member has their own account)
This applies to Power Diary specifically, but it’s also the minimum level of security that you should have for any program or device in your practice.
There should be no account sharing; each team member should have their own unique username and password. Paul puts it like this: “if you ever find yourself needing to give out your password to somebody else, alarm bells should ring.”
2. Use a Strong, Unique Password (and use a password manager)
A password manager is a superhero that you didn’t know you needed. So many people use a variation of the same password for their email, online shopping and work, but you’re setting yourself up for a fall if you do. If an online retailer has a data breach (and it happens all the time), hackers now have at least one of your passwords and a good idea of your email address, and with that information the sky’s the limit for them.
A password manager can turn it all around. We use LastPass and recommend it to anyone who will stand still long enough for us to extol its virtues. It, and other similar software, stores passwords for you and generates long, random passwords that are close to impossible to guess. And, for users, keeping track of your passwords is simple: you can access your vault of passwords with a single master password.
3. Set Up 2-Factor Authentication
To protect against keyloggers that record what you type, you need to use two-factor authentication. This way, even if a hacker has your username and password, the program will ask for a second factor to authenticate your login, which requires a second device that the hacker can’t access.
It’s something that government organisations are turning to as a solution to dramatically reduce security breaches, and it’s something that Power Diary will progressively be ramping up in the coming months. If you want to access certain areas of the system, you’ll have to use two-factor authentication to do so.
Activating 2-Factor Authentication (2FA), in addition to entering your Power Diary username and password, significantly improves your security. But this advice isn’t just for Power Diary. You should turn on two-factor authentication for every system that offers it. Yes, it is inconvenient, but it’s nowhere near as inconvenient as having a major security issue.
4. Actively Manage The Master User Account
The master user has total administration rights and can make changes to any user account. As the master user, whenever you add a new user, run your eye down the list of active users and do a check. Is there anybody that shouldn’t be on the list? Or is there someone that has permissions that they don’t need? Do a quick clean-up on the spot.
When a team member leaves a practice, there should be a protocol in place to remove their access to any systems, including Power Diary. You should also review their activity, such as data exports.
Your team members should have only the access they need. There is a list of permissions that you can use to grant or restrict access at the user level. This includes access to:
- People menu
- Communication menu
- All client notes and forms
- Setup and configure Power Diary
- Delete appointments
- All client file uploads
- Client invoices and payments
- And many more.
Regularly review who has access to what, and check who can export data and what data has been exported.
The Power Diary log tracks every user’s activity, so you can see who made an appointment, who moved it, who cancelled it, who viewed it and who edited it. There’s an electronic trail for every step of the way, and this has an important security element. In addition to showing all the actions that have been taken, and by whom, you can quickly see if there has been any unexpected or unauthorised access, what time those changes were made, and what IP address they came from. This way, even if someone were to get hold of a colleague’s username and password and log in, the IP address could still be traced back to them, which provides an audit trail.
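The kind of review described above (and the check of a departing team member’s data exports recommended earlier) can be turned into a routine script. This is an added example, not Power Diary’s own code or log format: it assumes a hypothetical `timestamp|user|action|detail|ip` export and uses constructed sample lines, flagging data exports, logins from an address a user has not used before, and the same account being active from two addresses within a short window, which is the trace left behind by a shared or stolen password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log in an assumed "timestamp|user|action|detail|ip"
# layout (hypothetical; not Power Diary's real export format).
SAMPLE_LOG = """\
2022-03-01T08:55:10|alice|login||203.0.113.10
2022-03-01T09:02:41|alice|appointment_created|appt 1841|203.0.113.10
2022-03-01T09:10:05|bob|login||203.0.113.11
2022-03-01T12:30:22|alice|login||198.51.100.7
2022-03-01T12:31:09|alice|data_export|clients.csv|198.51.100.7
2022-03-01T12:33:50|alice|appointment_cancelled|appt 1841|203.0.113.10
2022-03-01T14:02:17|bob|note_viewed|client 77|203.0.113.11
"""


def parse_log(text):
    """Parse the pipe-separated sample into a list of event dicts (oldest first)."""
    events = []
    for line in text.splitlines():
        ts, user, action, detail, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail, "ip": ip})
    return events


def review_activity(events, window_minutes=60):
    """Return human-readable findings a practice administrator should look at."""
    findings = []
    seen_ips = defaultdict(set)            # user -> addresses seen at login
    last_seen = defaultdict(dict)          # user -> ip -> last activity time
    for e in events:
        user, ip, ts = e["user"], e["ip"], e["ts"]
        if e["action"] == "data_export":   # exports always deserve a look
            findings.append(f"{user} exported {e['detail']} from {ip} at {ts}")
        if e["action"] == "login" and ip not in seen_ips[user]:
            if seen_ips[user]:             # first login ever is not suspicious
                findings.append(f"{user} logged in from new address {ip} at {ts}")
            seen_ips[user].add(ip)
        # One account active from two different addresses within the window.
        for other_ip, other_ts in last_seen[user].items():
            if other_ip != ip and ts - other_ts <= timedelta(minutes=window_minutes):
                findings.append(f"{user} active from {ip} and {other_ip} "
                                f"within {window_minutes} min at {ts}")
                break
        last_seen[user][ip] = ts
    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG)):
        print(finding)
```

The constructed log yields three findings for alice (a login from a new address, an export, and activity from two addresses within minutes), and none for bob.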
5. Use the Power Diary Private Mode Button and Screensaver
Private mode is a feature designed to help keep your sensitive client information private. Occasionally, you might want to show availability to your clients, or the screen or monitor might be visible to clients – in these situations you’ll want to hide confidential client information.
You should also use a screensaver that comes on when your computer is not in use, and it should require a password to clear. This way, if your computer is stolen, or somebody walks past while you’re not at your desk, your password is still needed to get into the computer.
6. Migrate Away from Paper Records
If your team still takes written notes of sessions or writes up their clinical notes in Word on their computers, consider making the switch to the built-in note-taking function in Power Diary. By doing this, you will ensure that all client notes are in the right place as well as providing an extra layer of security against a potential breach.
Don’t forget to securely dispose of all your paperwork, notes and files in accordance with your practice’s records retention policy. Shredding is a common way to destroy paper documents and is usually quick, easy and cost-effective.
7. Update Your Software (and use an antivirus while you’re at it)
Microsoft might phrase an update as a suggestion, but it shouldn’t be taken as one. It’s something that you need to do, and you should do it as soon as possible because included in these updates will be countless small security fixes.
Then use the antivirus software that’s built into your operating system. There are any number of different antivirus options and, while they won’t keep everything out, they’ll go 90% of the way to closing off that virus doorway.
8. Document Your Compliance
For compliance to run smoothly in any practice, you need written policies, procedures and standards of conduct. Your team needs to know the standards they’ll be held accountable to, how they should process their paperwork, and what they should be on the lookout for.
This would include at the least:
- Ongoing Training
  - How to identify and avoid phishing scams
  - Legal and professional obligations, and the importance of privacy and security
  - How to safeguard client data
  - How to identify and respond to privacy breaches and security incidents
- Policies and Procedures
  - Password policy best practices
  - Software and anti-virus updates
  - Back-ups and data recovery
  - Data retention and disposal
  - Staff confidentiality agreement
  - Practice privacy statement
- Best Practice
  - Avoiding client discussions where they might be overheard
  - Closing computer programs with sensitive client information when not in use
  - Avoiding accessing client files unnecessarily
Assigning a Data Security Point-Person
This could form part of a team member’s job description. They would focus on security standards in the practice and review how clients’ protected health information (PHI) is handled.
9. Identify Potential Weaknesses (and address them)
Verizon published a Data Breach Investigations Report, which identifies the six most common causes of a data breach, with phishing (or pretexting) coming up time and time again.
Phishing is one of the top causes of data breaches, and it can usually be traced back to an untrained staff member. This potential weakness can easily be addressed in a training session (and you could use this resource, and this one, to get started).
If you’ve scrolled to the bottom because you’re an 80-20 kind of person, here’s the absolute minimum you need to take action on if you just want to get started with the basics…
Ensure that you:
- Never share passwords (and ensure that each team member has their own account)
- Use a strong, unique password (and use a password manager)
- Set up 2-factor authentication
- Actively manage the master user account
- Use the Power Diary private mode button and a screensaver
- Migrate away from paper records
- Update your software (and use an antivirus while you’re at it)
- Document your compliance
- Identify potential weaknesses (and address them)
If you have any questions, whether it’s about how we do things at Power Diary, ideas you have, scenarios you’d like us to walk you through, or something you’d like us to expand on, please send an email to [email protected].
We’re here to help, answer and assist in any way that we can.
Missed the webinar? Here’s the link, you can watch it right now!