6 January 2015

At TherapyAppointment, we take the security of patient information quite seriously: it is our number one priority, superseding all other goals. Achieving this goal takes the combined efforts of our company (to write secure software), our server service (to maintain secure hardware) and you (to practice “safe computing”).

What we do:

  • We are well versed in HIPAA regulations and go well above those requirements for data security and integrity. Staff members are required to take HIPAA refresher courses annually.
  • Our software ensures that all transmissions to and from the system are encrypted at the 128-bit level. You can’t log in to TherapyAppointment except through a secure connection, and each subsequent transmission to our system is double checked for encryption security. Your information is encrypted before it leaves your computer, and is not decrypted until it has entered our server system.
  • Certain sensitive information is re-encrypted before it is stored in our database. This includes your passwords; this is why we can’t tell you your passwords if you forget them.
  • We supply a signed HIPAA Business Associate Agreement to each customer at the onset of our relationship with them. This document is our promise that we will adhere to the highest level of professional standards as we deal with PHI.
  • All of our software is written with HIPAA regulations in mind. For example, we ensure that any communication over the Internet that contains PHI is encrypted, and that appointment reminders are delivered in adherence with the special regulations established for these messages.
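The "we can't tell you your password" property described above is what one-way, salted hashing gives you, as opposed to reversible encryption. The following is an added example, not TherapyAppointment's own code; PBKDF2-HMAC-SHA256 with a random 16-byte salt and 200,000 iterations is an assumed parameter choice:

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256, random salt, 200k rounds.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str) -> str:
    """Return the record to keep in the database: 'alg$iterations$salt_hex$hash_hex'.

    The record is enough to check a later login attempt, but it holds no
    reversible form of the password, so nobody (including the operator)
    can read the original password back out of it.
    """
    salt = os.urandom(SALT_BYTES)  # fresh per password, so equal passwords differ in storage
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    rec = store_password("9PrWT78T49rR")
    print(rec)
    print("login ok:", verify_password("9PrWT78T49rR", rec))
    print("wrong password ok:", verify_password("CLINIC123", rec))
```

A lost password is therefore reset by writing a new record, never by "decrypting" the old one.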

What our server management company does:

  • To ensure continuity of online services, we employ TWO side-by-side web servers, joined by a “load balancer.” Once per second, the load balancer checks to make sure both servers are functioning properly. If there is a problem, the bad server is cut out of the system until repairs can be initiated.
  • Each one of these servers has more capacity than is needed to run the entire system. This ensures true redundancy and provides rapid response times.
  • Each of these servers is scanned for security “loopholes” on a regular basis.
  • We employ TWO database servers, one of which exists purely as a backup device. The database is backed up to the second server on an ongoing basis; this ensures the least possible disruption should that device fail.
  • All servers employ RAID arrays as hard drives. Four extremely reliable hard drives are present on each server; any two of these four hard drives on a server could fail SIMULTANEOUSLY and there would be no loss of data whatsoever. A technician would simply replace the failed drives while the server was still running, with no disruption of service.
  • The database server is backed up to a THIRD remote device each evening. A separate hard drive containing uploaded documents and other forms is also backed up each evening.
  • Our web servers are connected to the Internet through 13 separate connections. Each connection has 5-tier security. This includes three layers of firewall protection, an intrusion detection and prevention system, and an enterprise-class anti-virus system.
  • The physical plant is protected from human intruders by a biometric security system (fingerprint plus badge system).
  • The physical plant is protected from fire by a Halon fire suppression system, and from power outage by an on-site backup diesel generator.
  • We have purchased a special HIPAA compliance package to ensure that all HIPAA regulations are followed and monitored.

What you can do:

  • Create complicated passwords. Do not use simple words, the name of your clinic, pet names, children’s names, etc. A password like “therapy” can be broken via a “dictionary attack” in less than one minute. A password should contain uppercase letters, lowercase letters, and numbers. “CLINIC123” is a terrible password. “9PrWT78T49rR” is a great password.
  • Don’t keep your passwords adjacent to your keyboard. If you want to write down your password, find a good hiding place. Write it on the bottom of a desk drawer with a Sharpie, put it between pages 100 and 101 in your favorite textbook on the shelf, etc. Even then, don’t identify it as a password, or indicate which website it is used for.
  • Don’t use a password keeper (software that fills in your passwords automatically). This is the equivalent of having no password protection at all.
  • Log out when you finish for the day, or go out for lunch. If you access the software from home, use heightened security. Teenagers can be curious about patient notes!
  • Make sure your own computers are scanned regularly with a virus scanner like Microsoft Security Essentials or another product.
  • If you choose to back up TherapyAppointment data to your own computer, be aware that HIPAA regulations suggest that this data be encrypted on your hard drive.
  • Don’t disclose your passwords to others.
  • Change your primary password periodically.
  • If an office worker with an admin account leaves your employment, discontinue that admin account and establish a new one (with a new username and new password) for their replacement.
  • Be particularly careful with cell phones, tablet computers, and laptops that are used to access TherapyAppointment. History suggests that the majority of data breaches have occurred using stolen or misplaced portable devices.
  • Make sure that the wireless router in your office requires a password for logging in. Though our data cannot be intercepted this way, it is possible for a virus infection to creep onto your office network through this channel.
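The password rules in the list above (no dictionary words or clinic names, mixed-case letters plus digits) can be turned into a checker that a front desk or an admin could run before accepting a new password. This is an added example rather than code from TherapyAppointment; the small wordlist, the 10^9 guesses-per-second attacker rate used for the time estimate, and the 12-character minimum are my assumptions:

```python
import re

# Constructed stand-in for a real dictionary-attack wordlist (assumption).
COMMON_WORDS = {"therapy", "clinic", "password", "welcome", "letmein", "qwerty"}

# Assumed offline guessing rate for the estimate below (not from the page).
GUESSES_PER_SECOND = 1e9
MIN_LENGTH = 12  # assumed minimum; the page's good example is 12 characters


def password_problems(password: str, clinic_name: str = "") -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    # "CLINIC123" -> "clinic": trailing digits do not rescue a dictionary word
    base_word = re.sub(r"\d+$", "", lowered)
    if base_word in COMMON_WORDS:
        problems.append("dictionary word (optionally with trailing digits)")
    if clinic_name and clinic_name.lower() in lowered:
        problems.append("contains the clinic name")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def brute_force_seconds(password: str) -> float:
    """Worst-case seconds to exhaust every string built from the classes used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return pool ** len(password) / GUESSES_PER_SECOND


if __name__ == "__main__":
    for candidate in ("therapy", "CLINIC123", "9PrWT78T49rR"):
        print(candidate, password_problems(candidate, clinic_name="Clinic"),
              f"{brute_force_seconds(candidate):.3g} s")
```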

Remember that one of the least secure ways to store patient information is to keep paper records in a filing cabinet in your office. Anyone who owns a sledgehammer and a crowbar can gain late-night access to paper records in under 10 minutes. Congratulations on your decision to use a system that offers as much privacy and security as is technically possible.
