4 Big Mistakes Doctors Make in Protecting Patient Data

Paul Cerrato, MA


June 29, 2016

Can You Turn Patient Data Into Gibberish?

Mistake #1: Leaving Laptops and Other Devices Unencrypted

Dr Saran's experience illustrates the first of four mistakes that can catch a medical practice off guard: lack of encryption. Encryption, without getting too technical, essentially converts patient data into gibberish until it's unlocked with an electronic "key."

Most clinicians are familiar with the HIPAA privacy regulations, which require them to keep patient information confidential and to have patients sign consent forms to share that information with others. But HIPAA also includes a security rule that spells out several precautions needed to keep patient records from falling into the wrong hands.

That rule requires physicians to take certain measures to protect PHI while it's "at rest"—in other words, when it's sitting on a computer, smartphone, or flash drive—and while it's "in motion," such as when it's being transmitted by email, fax, or any other method.

The best way to keep patient information safe on a laptop or other mobile device is by encrypting it. Large hospitals can spend up to $500,000 installing encryption software—a price tag that's much too high for small- to medium-size medical practices. For offices on a tight budget, there are alternatives, however.

If your computers are Windows-based, you can take advantage of BitLocker, a free encryption program that's already built into many of these machines. In Windows 7, for instance, it's available on the Professional and Enterprise versions and is activated from the Control Panel by clicking the "System and Security" button. All versions of Windows 8.1 and some versions of Windows 10 ship with device encryption, although you may need to turn it on before it protects anything.

Similarly, Apple computers come with FileVault 2 built in; it can be activated from System Preferences by clicking the "Security and Privacy" icon and following the instructions. Either program is an inexpensive way to protect patient records from hackers and nosy employees.
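Turning BitLocker on is only half the job; a practice also needs to confirm that each laptop actually stays protected. The following audit script is an added example, not part of the original article. It assumes Windows 8.1 or Windows 10 Professional/Enterprise with the built-in BitLocker and TPM PowerShell cmdlets (Get-BitLockerVolume, Get-Tpm), run from an elevated prompt; the function name Test-PatientDeviceEncryption is my own.

```powershell
# Added example (not from the article): report whether a Windows laptop's drives
# are protected by BitLocker and whether a recovery password exists.
# Assumes the standard BitLocker/TPM cmdlets; the function name is hypothetical.
function Test-PatientDeviceEncryption {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # A TPM lets BitLocker unlock the OS drive at boot without a password;
    # without one the drive can still be protected with a startup PIN or USB key.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings.Add("TPM missing or not ready: BitLocker will need a startup PIN or USB key")
    }

    foreach ($vol in Get-BitLockerVolume) {
        $mp = $vol.MountPoint
        # ProtectionStatus 'Off' means the volume can be read without any key,
        # even if encryption was turned on earlier and later suspended.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$mp ($($vol.VolumeType)): protection is $($vol.ProtectionStatus)")
            continue
        }
        # Encryption still in progress leaves part of the disk in clear text.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("$mp : $($vol.VolumeStatus), $($vol.EncryptionPercentage)% done")
        }
        # Without a recovery password, a forgotten PIN or a failed TPM means the
        # practice locks itself out of its own patient records.
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $recovery) {
            $findings.Add("$mp : no recovery password protector (Add-BitLockerKeyProtector -RecoveryPasswordProtector)")
        }
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-PatientDeviceEncryption | Format-List
```

Run on each laptop and keep the output; a record that every device holding PHI was encrypted on a given date is exactly the kind of evidence the security rule's risk analysis asks for.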

Mistake #2: Opening an Infected Email Link

If you're not familiar with the term "phishing scam," you need to get up to speed quickly. These scams are one of the most effective ways that cyberattackers have to gain access to computers. They typically start with a tempting email to one of your staffers, providing a link to a great shoe sale or a bargain on the new Android phone, for example. Or they may appear to be an urgent message from the local bank manager or someone at the Internal Revenue Service.

The email may even address the person by name, job title, or other personal identifier that leads the recipient to believe that the message was sent by a trusted source—a friend, relative, business associate, or company with whom they already have a relationship.

If a hacker has already infected one person's machine and gains access to their address book, he or she can then send phishing emails to everyone on that list as well. This is how someone in your office may receive one of these emails, which they may assume is from a friend. Once the person clicks on the link or an attachment, they're sent to a website that's infected with a virus or other type of malicious content, which in turn infects your office computers and opens the door to hackers. Once inside your system, they can then gain access to patient records. It's estimated that more than 90% of cyberattacks begin with such phishing scams.[2]

Professional security training is one of the most effective ways to alert staffers to the various types of phishing scams, and how to distinguish between scams and legitimate emails. Many companies provide in-person training, and several online resources are also available. One of the best is a handout called "social engineering red flags," available from KnowBe4.com and posted on many other websites.[3]
