Data security has become one of the top priorities for healthcare practices, and it’s not difficult to see why. In the UK, one small business is successfully hacked every 19 seconds, and in both the US and the UK, 38% of organisations lose revenue every year due to security breaches.
When it comes to personal health information, the stakes are even higher. Aside from what a security breach can cost your practice, the penalties for GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. So, data security is not something that health practices can afford to ignore.
In this article, we’ll cover how to use Power Diary to protect client information, some general tips to improve data security in your practice, and an overview of Power Diary’s commitment to data security.
Power Diary and Data Security
The security of any system is dependent on the people who use it. While Power Diary has significant measures in place, ultimately, the security of your data relies on your users.
Here’s how you can tighten up your security using Power Diary:
1. Never give your login information to anyone
The security of any system relies on the ability of users to keep their login details confidential.
2. Ensure that each team member has their own account
There should be no account sharing; each team member should have their own unique username and password.
3. Set up 2-factor authentication
To further improve your security, you can turn on 2-Factor Authentication (2FA) for users. This means that, in addition to entering your Power Diary username and password, you will need to verify the login using 2FA.
4. Review user access
Manage the Master User Account
The master user has total administration rights and can make changes to any user account.
Revoke Access
When a team member leaves a practice, there should be a protocol in place to remove their access to any systems, including Power Diary. You should also review their activity, such as data exports.
Restrict Access
There is a list of permissions that you can use to grant or restrict access on a user level. This includes access to:
-
- People menu
-
- Communication menu
-
- All client notes and forms
-
- Setup and configure Power Diary
-
- Delete appointments
-
- All client file uploads
-
- Client invoices and payments
- And many more.
Check Logs
Regularly review who has access to what, check who can export data and what data has been exported.
5. Migrate Away from Paper Records
If your team still takes written notes of sessions or writes up their clinical notes in Word on their computers, consider making the switch to the built-in note-taking function in Power Diary. By doing this, you will ensure that all client notes are in the right place as well as providing an extra layer of security against a potential breach.
General Practice Data Security Tips
In any practice, in addition to your practice management software, you will have other potential security threats.
To reduce your risk:
1. Document Your Compliance
For compliance to run smoothly in any practice, it requires implementing written policies, procedures, and standards of conduct. Your team needs to know the standards that they will be held accountable to, how they should process their paperwork, and what they should be on the lookout for.
2. Ongoing Best Practice Training
This would include:
-
- Avoiding accessing patient files unnecessarily
-
- Closing computer programs with sensitive patient information when not in use
-
- Scheduling regular back-ups
-
- Never sharing passwords
-
- Regular software and anti-virus updates
-
- Avoiding patient discussions where they might be overheard
- How to identify and avoid phishing scams
3. Assign a Data Security Point-Person
This could form part of a team member’s job description. They would focus on security standards in the practice and review how patients’ protected health information (PHI) is handled.
4. Identify Potential Weaknesses (and Address Them)
Verizon published a Data Breach Investigations Report, which identifies the six most common causes of a data breach, with phishing (or pretexting) coming up time and time again.
Phishing is one of the top causes of data breaches, and it can usually be traced back to an untrained staff member. This potential weakness can easily be addressed in a training session (and you could use this resource, and this one, to get started).
Power Diary’s Commitment to Data Security
Power Diary’s advanced security systems give you access to:
1. 2-Factor Authentication
This extra layer of access security makes it less likely that a user’s account will be compromised.
2. User Account Controls
The login and authorisation of each user are processed over a secure and encrypted connection, and you can also limit user access.
3. User Activity Recording
The user activity log file creates an automatic record of user activity, so you can see when a user logged in, what they viewed, and what changes were made.
4. Data Transmission
All information transferred from your browser to our services is encrypted using 256-bit SSL technology. You also benefit from added protection with our Domain Validated Security Certificate.
5. Infrastructure and Design
Amazon Web Services is Power Diary’s infrastructure provider, which exceeds the standards defined by the HIPAA Security Rule. Power Diary also has an AWS Business Associate Addendum in place.
6. Backup and Encryption
All data in Power Diary is backed up hourly to separate, secure storage devices, and an additional separate daily backup is made to AWS S3 storage.
7. System Monitoring
Our security systems monitor user behaviour in real-time, making early identification of security threats possible.
8. Compliance
We are compliant with the relevant legislative and regulatory requirements in the main markets in which we operate; Australia, New Zealand, UK, Europe, South Africa, USA, and Canada, which includes compliance with the GDPR, HIPAA, and PIPEDA.
9. Credit Card Processing and PCI Compliance
Power Diary enables customers to process patient credit card payments via a secure and validated integration with Stripe Inc. Stripe is certified as a PCI Service Provider – Level 1.
10. Regular Technology Updates
As technology continues to evolve, we regularly update our infrastructure, security systems, and software to ensure we are also providing the highest levels of protection at all times for our customers.
* * * * * * * * * * * * * * * * * * *
With cybercrime on the rise, as a practice owner, you can’t afford to be complacent. Power Diary makes compliance with the strictest standards accessible to practices as you can benefit from the latest security updates (like two-factor authentication) without the need to invest in the technological development yourself.
And, because we’re at the forefront of the latest data security developments, you don’t have to be. You can focus on taking Power Diary’s security features and applying them to your practice, rather than worrying about the intricacies of cybercrime and how to protect your business.
