Are you keeping your patient data safe?
In June this year, a healthcare organisation in the States was hacked. The hackers accessed the health records of up to 2 million people.
The personal and sensitive data of nearly 2 million patients was harvested in minutes!
Hackers typically use this information to carry out identity theft and fraud.
If you use electronic patient records, are you clear on how they are kept safe and secure? Are you clear on the technical and organisational measures your software provider takes to ensure the security of the data?
If you’ve made the decision to utilise software for your patients data, you’re required to ensure it’s safe and secure.
Here are three questions you should ask your patient record software provider.
1. How is my patient data protected when it’s “in transit”?
Often, patients click links in emails, fill in their forms, click submit. The data is moving. What security measures are in place whilst it’s on the move between the link in that email to their patient record?
2. How is my patient data protected when it’s “at rest”?
Once your patient has had their consultation, you’ve uploaded sensitive and personal data to their treatment record and clicked save, do you know where that data is stored? What levels of encryption, if any, are used? Where is the key stored to decrypt any information?
3. What is the biggest threat to my patients data and what measures have you taken against this?
Your software provider should know what the potential sources of a data breach are, and should have measures in place to mitigate these.
How does GlowdayPRO look after personal and sensitive data?
We take the security of you, and your patients data, very seriously and have built multiple layers of protection into our systems.
1. How is my patient data protected when it’s “in transit”?
Patient personal and sensitive data is not sent over email or in linked files. Patient data can only be accessed in two places: the patient secure account and the practitioner secure account.
These are both email verified accounts. Log in is handled by Microsoft Azure B2C. GlowdayPRO doesn’t have access to practitioner or patient log in credentials.
Data “in transit” between these two accounts is transmitted securely using SSL. SSL is an encryption technology that keeps sensitive data between two devices secure.
2. How is my patient data protected when it’s “at rest”?
Data “at rest”, i.e. once forms/patient notes/file uploads have been completed, they are stored encrypted in FIPS 140-2 Level 2 compliant HSMs.
This is the standard set by the US government for holding sensitive but unclassified information, like personal healthcare information.
Encryption should be used by any software that collects, stores, transfers, shares or disseminates sensitive information. This prevents unauthorised users accessing and changing sensitive information. It also detects error immediately, BEFORE sensitive information has been damaged or compromised.
This means access to the the information you add to your patient notes, the files you upload, the markups are held securely, locked away and encrypted, until you open the patient record card. They are then drawn from the cloud, decrypted using a protected decryption key, and presented to you.
Additionally, when you hand over your device to a patient in clinic to sign forms, we require you to enter a PIN to lock access to the platform, preventing patients accessing any data that isn’t their own.
3. What is the biggest threat to my patients data and what measures have you taken against this?
The biggest threat to your patient data in your GlowdayPRO account is probably you!
You leaving a device logged in, unlocked. We try to minimise this by automatically logging you out of GlowdayPRO after a period of inactivity.
You sharing patient information. We minimise this by not enabling the mass download of sensitive information outside of the platform.
You sharing your log in credentials. There’s not much we can do about this! But you have a duty to keep patient data secure, so would suggest you think carefully before sharing log in credentials with others.
As electronic patient records become the norm, it’s important for you to understand your responsibility in ensuring the software you use has the necessary technical and organisational systems in place.
Don’t assume they have.
