The College of Physiotherapists of Alberta recently heard from a member who was facing a challenging situation. A patient had disclosed some sensitive information about their past medical history. The information was relevant to the patient’s care; however, the patient specifically requested that the physiotherapist not record the information in the medical record.
Sadly, this is not the first time this question has been posed to the College of Physiotherapists of Alberta. While this article isn’t about the Standards of Practice and what they require you to do in such a situation, the question, and the fact that it is not new, highlights a concern that bears consideration – the patient’s concern that their information remain private. Being aware of, and able to explain, the administrative, physical and technical controls in use and how they protect private information is central to addressing that concern.
Physiotherapists should have administrative controls in place in their practices, such as confidentiality agreements, staff training requirements, and data access rules. Whether the practice uses an electronic medical record (EMR) or not, confidentiality agreements and training to ensure staff aren’t reading charts simply for curiosity’s sake should be the norm.
Similarly, physical controls – like locking filing cabinets and offices where files (electronic or paper) are stored – are not new to most practice environments. But when it comes to technical controls, we may be straying into an area that’s not as well understood by all physiotherapists, or that they may assume is someone else’s responsibility.
What is a technical control?
A technical control or safeguard is a technology-based measure put in place to address the unique security risks present in electronic environments. These risks would include the risk of having a system hacked or being subject to a phishing or ransomware attack. Below are some examples of standard technical controls and a brief description of what they are and why they should be adopted.
Keep in mind that this is general information; it is NOT information technology (IT) advice. Speak to an IT professional about your unique system needs.
Unique user login
All users should be provided with a unique user ID. This allows identification of the individual accessing the system.[1] Only the user and the system administrator should have access to this information.
Passwords
Helps to prevent unauthorized access/hacking. A password of at least eight characters combining numbers, letters and special characters reduces the likelihood of hackers guessing the password. Password cracking tools are easily downloaded from the internet and can crack passwords that do not follow this standard within seconds.[6]
Change passwords at least once per year, more frequently if there are concerns regarding unauthorized access or a suspected privacy breach.
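The following is an added example, not part of the College’s article, showing how the password rule above can be checked mechanically and why it matters: a small Python script that tests a candidate password against the “eight characters, mixing letters, numbers and special characters” rule and then estimates how large the brute-force search space is for passwords of that shape. The guess rate it assumes (ten billion guesses per second) is a constructed figure for illustration, not a measurement of any particular cracking tool. The example also goes slightly beyond the text by showing that adding length grows the search space far faster than adding character classes does.

```python
import math
import string

# Character classes the article's policy refers to: letters, numbers and special characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_policy(password: str, min_length: int = 8) -> bool:
    """The article's rule: at least eight characters, mixing letters, numbers and special characters."""
    used = classes_used(password)
    has_letter = "lower" in used or "upper" in used
    return len(password) >= min_length and has_letter and "digit" in used and "special" in used


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates a brute-force guesser must try to exhaust every
    password of this length built from the classes this password uses. This measures
    composition only: a dictionary word with a digit appended scores well here but
    falls to a wordlist attack far faster than the number suggests."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for a guesser at the assumed rate (a constructed figure, not a
    measurement) to try every candidate in the search space."""
    return 2 ** search_space_bits(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["password", "Passw0rd", "Pa55w0rd!", "Long-clinic-passphrase-2018!"]:
        print(f"{pw!r:32} policy={meets_policy(pw)!s:5} "
              f"bits={search_space_bits(pw):5.1f} years={years_to_exhaust(pw):.3g}")
```

Run as a script it prints one line per sample password. Eight lowercase letters are exhausted in well under a minute at the assumed rate, which is the “within seconds” the text refers to; the eight-character mixed password survives for a year or two, and the long passphrase is out of reach, which is why length is the cheapest improvement to ask for.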
Audit trail
The system records the identity of each user accessing the system and any changes or updates made to information, including what was changed, when, and by whom. The College of Physiotherapists of Alberta Standards of Practice require that EMRs incorporate an audit trail that captures this information.[8]
Role based access controls
Enables administrators to limit the information different individuals may access based on their role within the organization.[1] For example, administrative staff can be prevented from accessing private patient health information.
Inactivity timeout
Prevents unauthorized access by locking the system after a set period of user inactivity.[1] This also helps to ensure that users do not document information under the wrong user identification where multiple users share the same device. The timeout length should be set by the system administrator based on the risk of unauthorized access (sensitivity of the information, likelihood of access).[1]
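To make the three controls above concrete (audit trail, role based access and inactivity timeout), here is an added Python model that is not part of the College’s article and not any real EMR product’s code. It keeps a per-user session with a last-activity time, checks every read and write against a role’s permitted record fields, and writes an audit entry for every login, logout, access and refusal. The roles, field names, ten-minute timeout and patient identifiers are all constructed for the example. The clock is injected rather than read from the system so the timeout can be demonstrated deterministically.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed role definitions: the record fields each role may read or write.
ROLE_PERMISSIONS = {
    "physiotherapist": {"read": {"demographics", "clinical_notes"}, "write": {"clinical_notes"}},
    "admin_staff": {"read": {"demographics"}, "write": {"demographics"}},
}
INACTIVITY_TIMEOUT = timedelta(minutes=10)  # assumed value; in practice the administrator sets this


@dataclass
class AuditEntry:
    when: datetime
    user_id: str
    action: str                 # login, logout, read, write, denied
    field: Optional[str] = None
    detail: str = ""


class ToyEMR:
    """Minimal model of per-user sessions, role-based access checks and an audit trail."""

    def __init__(self, now: datetime):
        self.now = now                                  # injected clock
        self.records: Dict[str, Dict[str, str]] = {}    # patient_id -> field -> value
        self.sessions: Dict[str, dict] = {}             # user_id -> {"role", "last_activity"}
        self.audit: List[AuditEntry] = []

    def _log(self, user_id, action, field=None, detail=""):
        self.audit.append(AuditEntry(self.now, user_id, action, field, detail))

    def login(self, user_id: str, role: str) -> None:
        self.sessions[user_id] = {"role": role, "last_activity": self.now}
        self._log(user_id, "login")

    def _active_role(self, user_id: str) -> Optional[str]:
        """Return the user's role if the session is alive; expire it if idle for too long."""
        s = self.sessions.get(user_id)
        if s is None:
            return None
        if self.now - s["last_activity"] > INACTIVITY_TIMEOUT:
            del self.sessions[user_id]
            self._log(user_id, "logout", detail="inactivity timeout")
            return None
        s["last_activity"] = self.now
        return s["role"]

    def _allowed(self, user_id: str, mode: str, field: str) -> bool:
        role = self._active_role(user_id)
        return role is not None and field in ROLE_PERMISSIONS[role][mode]

    def read(self, user_id: str, patient_id: str, field: str) -> Optional[str]:
        if not self._allowed(user_id, "read", field):
            self._log(user_id, "denied", field, f"read {patient_id}")
            return None
        self._log(user_id, "read", field, patient_id)
        return self.records.get(patient_id, {}).get(field)

    def write(self, user_id: str, patient_id: str, field: str, value: str) -> bool:
        if not self._allowed(user_id, "write", field):
            self._log(user_id, "denied", field, f"write {patient_id}")
            return False
        old = self.records.get(patient_id, {}).get(field)
        self.records.setdefault(patient_id, {})[field] = value
        # The audit entry records what changed, from what to what, by whom and when.
        self._log(user_id, "write", field, f"{patient_id}: {old!r} -> {value!r}")
        return True


def demo() -> dict:
    """Constructed walk-through: a physiotherapist and an admin user share one workstation."""
    emr = ToyEMR(datetime(2018, 5, 23, 9, 0, 0))
    emr.login("pt01", "physiotherapist")
    emr.login("adm01", "admin_staff")
    emr.write("pt01", "P-1001", "clinical_notes", "constructed note: initial assessment")
    emr.write("adm01", "P-1001", "demographics", "constructed name")
    denied = emr.read("adm01", "P-1001", "clinical_notes")        # admin role may not read notes
    emr.now += timedelta(minutes=15)                              # longer than the timeout
    after_timeout = emr.read("pt01", "P-1001", "clinical_notes")  # session expired, so denied
    emr.login("pt01", "physiotherapist")
    after_relogin = emr.read("pt01", "P-1001", "clinical_notes")
    return {
        "denied": denied,
        "after_timeout": after_timeout,
        "after_relogin": after_relogin,
        "audit": [(e.user_id, e.action, e.field) for e in emr.audit],
    }


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

Two things worth noticing when reading the audit list it prints: the refused read by the admin user is itself logged (a denied access is often the most useful line in an audit trail), and the expired session shows up as a logout with the reason recorded, so a reviewer can tell a timeout apart from a user signing out.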
Two-factor identification for remote access
This provides an extra layer of protection when accessing information. A password is a single factor for identification. Two-factor identification uses either a device (cell phone, hardware token, fob) or something unique to the user (fingerprint, retina scan) to add a second layer of confirmation that the person accessing the system is who they claim to be.[2]
Encrypted communication channels
The gold standard when sending private information online, such as banking or health information.
The padlock symbol or https:// prefix at the start of a web address indicates that the information travelling between the web browser on your computer and the website you are visiting is encrypted or secured (that’s what the S in https:// stands for).[3]
If an encrypted message is intercepted by hackers, it looks like gibberish.
Encrypted data storage
Data stored on a device’s hard drive should also be encrypted and the device password protected (in addition to the EMR or other software being password protected).[6]
Consider the scenario where a company laptop gets stolen. What private or business information was on that laptop? How easy will it be for hackers to get to it?
Backups
A second copy of system information, securely stored at a separate location, routinely updated and tested to ensure it is complete and functioning correctly.[1]
Backups should be completed on a regular basis,[1] with their frequency determined by the rate at which new information is added to the system. If you add information to your system daily (as is the case with many EMRs), you need to back up the system daily.[4,5]
Ask yourself how many patient notes you are willing to lose, and how much business interruption you can withstand while you get things back up and running again.
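“Tested to ensure it is complete” is the part of the backup definition above that is most often skipped. As an added example, not part of the College’s article or of any backup product, the Python below copies a directory of files, writes a manifest of SHA-256 checksums alongside the copies, and then re-hashes the backup against that manifest so that a truncated or missing copy is reported rather than discovered during a restore. The directory layout, file names and contents in `demo()` are constructed in a temporary folder for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large record stores do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: str, backup_dir: str) -> dict:
    """Copy every file under source_dir into backup_dir and write MANIFEST.json of SHA-256 hashes."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_file(src)   # hash of the original, not the copy
    with open(os.path.join(backup_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir: str) -> list:
    """Re-hash every file in the backup against its manifest. Empty list means the copy is intact."""
    with open(os.path.join(backup_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def demo() -> dict:
    """Constructed scenario: back up a tiny record store, verify it, then damage two copies and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "records")
        os.makedirs(src)
        for i in range(3):
            with open(os.path.join(src, f"note_{i}.txt"), "w") as f:
                f.write(f"constructed patient note {i}\n")
        bak = os.path.join(work, "backup")
        make_backup(src, bak)
        clean = verify_backup(bak)
        # Simulate a failing backup medium: one copy truncated to nothing, one copy gone.
        open(os.path.join(bak, "note_1.txt"), "w").close()
        os.remove(os.path.join(bak, "note_2.txt"))
        damaged = verify_backup(bak)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    result = demo()
    print("fresh backup problems:", result["clean"])
    print("after damage:", result["damaged"])
```

Hashing the original rather than the copy is deliberate: if the copy itself were hashed, a file corrupted during the copy would verify as “correct”. The manifest also gives you a way to check the off-site copy months later without needing the original.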
Firewalls/Intrusion detection and prevention
Hackers use automated programs to constantly search the internet for poorly secured devices and systems to attack.[6] A business class firewall can help to secure your system and monitor for unauthorized access.[5] In the event of a system breach, intrusion detection and prevention systems can lock your system, preventing unauthorized access and a privacy breach.
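The automated scanning described above typically shows up in a system’s own logs as a burst of failed logins from one address. As an added example (not from the College’s article or from any firewall or intrusion detection product), the Python below is the core of such a detection rule: it parses login events, keeps a sliding two-minute window of failures per source address, and raises one alert when a source crosses a threshold. The log format is assumed for the example, and the sample lines are constructed; the outside address comes from the 203.0.113.0/24 documentation range.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Assumed line format (constructed for this example, not any product's real log):
#   <date> <time> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a burst of failures from one outside address interleaved with
# a staff member mistyping their password once and then getting in.
SAMPLE_LOG = """\
2018-05-23 08:59:58 LOGIN_OK user=pt01 src=192.168.10.21
2018-05-23 09:00:01 LOGIN_FAIL user=admin src=203.0.113.45
2018-05-23 09:00:02 LOGIN_FAIL user=administrator src=203.0.113.45
2018-05-23 09:00:02 LOGIN_FAIL user=clinic src=203.0.113.45
2018-05-23 09:00:03 LOGIN_FAIL user=frontdesk src=203.0.113.45
2018-05-23 09:00:05 LOGIN_FAIL user=reception src=192.168.10.22
2018-05-23 09:00:06 LOGIN_FAIL user=test src=203.0.113.45
2018-05-23 09:00:09 LOGIN_OK user=reception src=192.168.10.22
not a login line at all
"""


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str]]:
    """Flag any source address that accumulates `threshold` failed logins within `window`.
    Returns one (source, timestamp) alert per burst rather than one per extra failure."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "LOGIN_FAIL":
            continue              # ignore malformed lines and successful logins
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that have fallen out of the window
        if len(q) >= threshold:
            alerts.append((m["src"], ts.strftime("%Y-%m-%d %H:%M:%S")))
            q.clear()
    return alerts


def run_sample() -> List[Tuple[str, str]]:
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, when in run_sample():
        print(f"ALERT {when}: {src} exceeded the failed-login threshold")
```

The single internal failure never trips the rule, while the fifth failure from the outside address does. A prevention system adds the response step the passage mentions, such as temporarily blocking the source, which is why the rule returns the address rather than just a count.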
Anti-virus software
These programs prevent, detect and remove viruses from your computer system, downloaded files and programs.
Don’t trust your data to a free anti-virus program. These programs are typically light versions of paid software, offer only limited protection and do not address newer threats.[6,7]
Connected devices
Keep in mind that any time a device (such as a smart phone, Fitbit or other) connects to your system, server or Wi-Fi, it creates a new route into the system. Some people have theorized that hackers could capitalize on this route and use it to breach the security systems you have in place.[9] What this means in general, and for physiotherapists in particular, is not entirely clear at this time. However, you may want to consider which devices you allow people to connect to your systems, and talk to an IT professional about the risks these devices pose and how to mitigate them.
Why should I care? What should I check?
In fairness, the person selecting any system should have both the authority and accountability to ensure that the system is designed to protect the private information that it will contain. Physiotherapists who are not in the role of choosing these systems may have a limited ability to direct what systems are or are not selected. However, the Standards of Practice put a significant amount of responsibility on the individual physiotherapist to protect private information. So, what’s a physiotherapist to do?
- Be informed. Understand the typical controls, why and how they are used.
- Ask questions. Find out what your system does and does not do. What controls are automatically in place, what options need to be enabled? Have they been activated? If not, why not?
- Educate others. Make sure that the system administrator and other system users understand why technical controls matter, and what the Standards require of you as a professional. Advocate for the adoption of industry standard controls, for routine monitoring of risks and for the development of new controls to address those risks. Encourage those in decision-making roles to stay informed and keep systems up to date.
There’s nothing in this article that is particularly new or earth shattering, and that’s a good thing. The measures discussed are industry standard. Hopefully you already have them all in place. The point of the article is to act as a double check. If something is unfamiliar, or you are unsure if your organization uses one of these measures, go check. Maybe the measure is in use in the background and you just weren’t aware of it, or maybe your system needs an upgrade. The worst-case scenario is that someone decided to turn off one of these protective measures.
Being aware of standard technical controls is an important step, and helps you to know what to watch for or advocate for as your organization incorporates EMRs and other forms of technology into practice.
1. Office of the Information and Privacy Commissioner. Guidance for Electronic Health Record Systems. 2016. Available at https://www.oipc.ab.ca/media/701721/guide_electronic_health_record_systems_june2016.pdf Accessed May 23, 2018.
2. Griffith E. Two-Factor Authentication: Who Has It and How to Set It Up. February 16, 2018. Available at https://www.pcmag.com/feature/358289/two-factor-authentication-who-has-it-and-how-to-set-it-up Accessed May 23, 2018.
3. ITProPortal. Online Security – What Does https:// Actually Mean? September 9, 2008. Available at https://www.itproportal.com/2008/09/09/online-security-what-does-https-actually-mean/ Accessed May 23, 2018.
4. Progeny. How Often Should I Backup My Database? Available at http://www.progenygenetics.com/knowledgebase/index.php?/Knowledgebase/Article/View/78/26/how-often-should-i-backup-my-database Accessed May 23, 2018.
5. Mitchell C. Ransomware: Understanding and Avoiding System Encryption Attacks. November 30, 2016. Available at https://www.quercussolutions.com/blog/index.php/ransomware/ Accessed May 23, 2018.
6. Mitchell C. The Six Biggest SMB Technology Mistakes. March 30, 2016. Available at https://www.quercussolutions.com/blog/index.php/the-six-biggest-smb-technology-mistakes/ Accessed May 23, 2018.
7. Symantec. How Free Antivirus Software Can End Up Costing You. April 8, 2010. Available at https://www.symantec.com/connect/blogs/how-free-antivirus-software-can-end-costing-you Accessed May 23, 2018.
8. Physiotherapy Alberta – College + Association. Standards of Practice – Documentation and Record Keeping. 2017. Available at https://www.physiotherapyalberta.ca/physiotherapists/what_you_need_to_know_to_practice_in_alberta/standards_of_practice/documentation_and_record_keeping Accessed May 23, 2018.
9. Morgan J. A Simple Explanation of ‘The Internet Of Things’. May 13, 2014. Available at https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#20e178451d09 Accessed May 23, 2018.