A Cybersecurity Professional’s Perspective
As a person with disabilities, I can spend a lot of time “visiting” numerous medical practices, emergency rooms, and related facilities. As a cybersecurity professional, I notice things that relate to my work at each one when I pay attention. As part of my job, I look for potential vulnerabilities, problematic practices, and security awareness opportunities that I can use for my blog posts.
Over the past few years, I have noticed how the reception areas for many medical providers, hospitals, and dentist offices are set up physically. There are flow paths, waiting rooms, and patient information collection areas. For this post, I want to discuss some of the better setups and some that are not so good for privacy and security.
What Happened?
When we go to an emergency room or our doctor, we are likely to be sick, hurting, or need assistance related to a disability or illness. We are looking to feel better, be better, or even be given a cure. We do not pay much attention to who is in the reception area or if they are paying attention to us and our conversations with the reception staff.
This could be an issue.
At almost every facility I have been to in recent years, there is a primary entrance, reception area, and waiting area or room set aside for those that have yet to be seen. Doors or partitions separate some areas, while some layouts are open spaces. These spaces tend to be fairly quiet, barring the occasional TV or radio playing at low volume in the background.
So, when you first enter and let the staff know you are there, it is expected that you will have to provide certain information before you see your provider. Depending on the situation, this can be information such as:
- Social Security number
- Date of birth
- Residence/mailing address
- Medications you take
- Your reason for the visit
- Insurance or financial information
In my experience, these questions are asked at the reception desk, or in the waiting room when a staffer comes out with a computer or tablet and does the intake there.
There is seldom, if ever, a private room or area set aside for a client’s initial intake.
Let’s talk about what that can mean.
Privacy
Your medical privacy (your personal health information) is protected in the United States by the Health Insurance Portability and Accountability Act (HIPAA), as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
[See our HIPAA Compliance and Your Practice and The HITECH Act posts for more.]
These laws are specific to your health-related information and to how technology is used to gather, store, protect, and process it.
These regulations are geared toward ensuring that healthcare providers, insurers, and their business associates handle your information responsibly. Most states also have laws and regulations that pertain to these items. We won’t cover those here because they are specific to each state.
Financial or Insurance
You also have protections for your credit and payment information, some of them under HIPAA. Two of the primary laws related to this are:
- The Gramm-Leach-Bliley Act (GLBA), which requires disclosure of data-sharing practices and protection of the information
- The Sarbanes-Oxley Act (SOX), which helps to protect against financial fraud
Another regulatory item is PCI DSS, the Payment Card Industry Data Security Standard. It is specific to credit card transactions and the firms that process them, but I have seen other organizations at least pay passing attention to it as a guide for their own internal standards.
What might be better?
There are likely to be good reasons for the layout of these intake areas, such as space availability and simple process efficiency, but I would prefer that some of the following minor considerations be made in the interest of greater privacy and security.
- Gather information about a client or patient by electronic means, such as a tablet, that can be used without speaking and is portable enough for the patient to enter the information themselves. This lets the client provide the information more securely and privately while the practice still obtains what it requires.
- If questions must be asked aloud, either provide a separate, closed room in which to ask them or a partitioned area where the patient can speak normally and not be heard beyond it.
- There is always a private screening area where more information is gathered about symptoms, blood pressure, medications, and so on. This area can be used to gather any sensitive personal information related to insurance and payment at the same time. It should not be set up to handle more than one patient at a time.
- Have security personnel, such as a guard, watch over the intake area in person or via camera to provide the best possible protection and to watch for anyone who might be taking advantage of the situation to gather information.
Whether we are clients of medical professionals or practitioners ourselves, we should always be cognizant of how we are accomplishing our tasks and taking care of our needs. Being able to look at an area, understand how it affects our privacy and security, and work to improve it is a good habit for anyone.
How will this affect you?
If you are a patient, know your rights and responsibilities as they pertain to your personal health and financial information. You have a right to ask questions and to request a more private setting for an intake. There may not be any other options, but it doesn’t hurt to ask.
Providers should continually review their practices, processes, and facilities for better ways to serve their clients. Stronger security measures and protections are viewed kindly when they are effective without being too restrictive or intrusive. For instance, offering a tablet to a patient for data entry, while also offering to have someone type in the information if necessary, is a great way to give comfort during what can be an unsettling and uncomfortable time.
Northstarr Recommendations
- Conduct a thorough security assessment: As a managed service provider, we recommend carrying out a comprehensive security assessment of your medical facility, focusing on reception areas and patient information collection processes. This will help identify potential vulnerabilities and areas for improvement.
- Implement secure electronic data collection methods: We suggest implementing secure electronic data collection methods, such as tablets or kiosks, for patients to input their personal information. This can help maintain privacy while ensuring the accuracy and security of the information provided.
- Enhance physical privacy measures: Consider redesigning your reception area to include separate, closed rooms or partitioned spaces for patient intake. This will provide patients with a more private environment to discuss sensitive information with reception staff.
- Train staff on privacy and security best practices: Offer regular training to your staff on the importance of patient privacy and security, as well as how to handle sensitive information in compliance with relevant laws and regulations.
- Establish clear access control policies: Develop and enforce access control policies to ensure that only authorized staff members have access to patient information. This includes implementing secure password policies, user authentication, and regular audits of access logs.
- Monitor and respond to potential threats: Implement security monitoring systems, such as security cameras or guards, to watch over the intake area and detect any suspicious activity. We can also help you establish incident response plans to handle potential security breaches and minimize their impact.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!