4 Big Mistakes Doctors Make in Protecting Patient Data

Paul Cerrato, MA


June 29, 2016

Mistake #3: Relying Too Much on Weak Passwords

Using an easy-to-guess password to get into your office computer or mobile device—or not using a password at all—is another way to invite hackers and snoops to view sensitive patient information. For example, Rainbow Hospice and Palliative Care, located in Illinois, found itself on the OCR's list of data breaches when an employee's laptop was stolen.[1] Although the facility had a policy of encrypting and password-protecting its computers, access to this particular computer didn't require a password most of the time. The computer contained the PHI of approximately 1000 individuals, including names, addresses, dates of birth, phone numbers, Social Security and Medicare numbers, medical records, and commercial insurance information.

A password would have helped keep attackers out in this instance, but only if it were strong enough and the disk was actually encrypted: a login password on its own does nothing for a stolen laptop, because the drive can simply be removed and read on another machine. Too many of us continue to use "1234" or another easy-to-guess password that hackers would have no problem figuring out, such as a spouse's or child's first name.

Many attackers use password-cracking software that tests millions of candidate passwords per second against a stolen password hash. These tools carry wordlists with virtually every word in the dictionary, common phrases from popular and classical literature, and lists of previously leaked passwords, and they apply "mangling rules" to each entry (capitalizing it, appending a digit or a year, swapping letters for look-alike symbols), so "Emily1" or "p@ssw0rd" falls just as quickly as "emily" or "password". The best way to beat these programs is to create a password that's easy to remember but hard to guess. Length matters most, because every added character multiplies the number of combinations an attacker has to try; on top of that, mix lowercase and uppercase letters, numbers, and special characters, such as @ or $.

For example, you can choose a phrase or short memorable sentence and then shorten it by using initials, so "I live at 485 Maple Avenue in Cleveland" becomes Il@485MAC. Of course, in this type of example, it's best to choose an old address, not your current one, and to use a different password for each system, so that one stolen or guessed password doesn't open every account you have.
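The following is an added illustration, not code from the article, of what the cracking software described above actually does: it runs a small constructed wordlist with typical mangling rules against a password hash and reports how many guesses it took, then estimates how many bits of search an attacker faces if the password is not in any wordlist. The wordlist, the rules, the sample passwords, and the assumed rate of one billion guesses per second are all constructed for this example; real crackers use wordlists of millions of entries and far more rules.

```python
"""Dictionary attack with mangling rules against hashed passwords, plus a
brute-force cost estimate. Everything here is constructed for illustration."""
import hashlib
import math

# Constructed stand-in for a cracker's wordlist: common passwords plus the kind
# of first names and street names a snoop could learn from an office.
WORDLIST = ["1234", "password", "welcome", "letmein", "emily", "maple", "cleveland"]


def mangle(word):
    """Yield the variants a cracker derives from one dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2016"):
        yield word + suffix
        yield word.capitalize() + suffix
    # leetspeak substitutions, e.g. password -> p@ssw0rd
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def sha256_hex(text):
    """Fast unsalted hash, standing in for a weak password store."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every mangled wordlist entry against the hash.

    Returns (recovered_password, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def charset_size(password):
    """Size of the alphabet an attacker must assume for a brute-force search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and symbols
    return size


def brute_force_bits(password):
    """log2 of the number of candidates an exhaustive search must cover."""
    return len(password) * math.log2(charset_size(password))


def years_to_brute_force(password, guesses_per_second=1e9):
    """Worst-case exhaustive search time at an assumed guess rate (1e9/s is an
    assumption in the range of one GPU against a fast hash like SHA-256)."""
    seconds = 2 ** brute_force_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("1234", "Emily1", "p@ssw0rd", "Il@485MAC"):
        cracked, n = dictionary_attack(sha256_hex(pw))
        verdict = f"cracked after {n} guesses" if cracked else f"not in wordlist ({n} guesses)"
        print(f"{pw:10} {verdict}; brute force: {brute_force_bits(pw):.1f} bits, "
              f"about {years_to_brute_force(pw):.1e} years")
```

Two things to take from the output: the mangled forms of a name or a dictionary word fall within a few dozen guesses, while the initials-based password is not in the list at all and forces the attacker back to an exhaustive search of roughly 59 bits, which is what makes the length and the mixed character set worth the trouble. The hash used here is deliberately the fast SHA-256 a careless system might use; a system that stores passwords with a slow, salted hash (bcrypt, scrypt or Argon2) cuts the attacker's guess rate by orders of magnitude, but that is the administrator's lever, not the user's.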

Mistake #4: Failing to Update Your Computers and Antivirus Programs

Most medical practices know enough to install an antivirus program. Some even realize that a broader antimalware program is more effective because it scans for other kinds of malicious software (worms, Trojans, spyware, ransomware), not just viruses. But many practices don't see the need to update these programs or their computer's operating system (OS) regularly.

A case in point: Anchorage Community Mental Health Services found its way onto the OCR's public breach portal (the so-called "Wall of Shame") and had to pay $150,000 for violating the HIPAA Security Rule. The PHI breach, which affected more than 2700 individuals, was caused in part by the group's failure to install security updates regularly and by its use of outdated, unsupported software. That left an opening for malware, which compromised its records system.[1]

To help avoid this kind of breach, make sure you regularly update your antimalware software. (Most programs have an auto-update feature, but you may have to turn it on and schedule the downloads.) And never let your antimalware subscription expire. Even a single day with an outdated program leaves the computer unable to recognize any malware released since the last signature update. About 315,000 new malicious files appear every day, according to one estimate.[4]

You also need to update applications and the OS on your computers, smartphones, and tablets. Microsoft frequently sends out notices to tell users about security updates needed to protect the Windows OS against new threats. Keep in mind, however, that if you're using an old computer with an outdated OS, such as Windows XP, the system needs to be replaced. Microsoft has stopped supporting XP, so it doesn't issue security updates for it anymore. That hasn't stopped hackers from finding new flaws in XP and writing exploits for them, and every one of those flaws now stays open for good, so take care.
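As an added example, not from the article, here is the kind of check a practice's IT support can run over a workstation inventory to catch the two problems above: an OS that is past its end of support, and antimalware that is disabled or has not pulled signatures recently, together with machines that have gone too long without any security update. The inventory is constructed for this example; on a real Windows fleet the same fields come from `Get-CimInstance Win32_OperatingSystem` (Version), `Get-HotFix` (InstalledOn), and `Get-MpComputerStatus` (AntivirusEnabled, AntivirusSignatureLastUpdated). The end-of-support dates are taken from Microsoft's product lifecycle pages; Windows 10's end of support depends on the feature release, so it is not in the table and must be looked up separately. The 30-day patch threshold and 3-day signature threshold are assumptions you should adjust to your own policy.

```python
"""Flag workstations running an unsupported Windows release, missing recent
security updates, or running stale or disabled antimalware. The inventory
below is constructed for this example."""
import csv
import io
from datetime import date, datetime

# End of extended support by kernel major.minor version (Microsoft lifecycle
# pages). Windows 10 (10.0) is handled per feature release and is left out.
WINDOWS_EOL = {
    "5.1": ("Windows XP", date(2014, 4, 8)),
    "5.2": ("Windows Server 2003", date(2015, 7, 14)),
    "6.0": ("Windows Vista", date(2017, 4, 11)),
    "6.1": ("Windows 7", date(2020, 1, 14)),
    "6.2": ("Windows 8", date(2016, 1, 12)),
    "6.3": ("Windows 8.1", date(2023, 1, 10)),
}

# Constructed inventory in the shape you would export from the PowerShell
# cmdlets named in the text; dates are ISO, av_enabled is 1 or 0.
INVENTORY_CSV = """hostname,os_version,last_patch_date,av_signature_date,av_enabled
FRONTDESK-01,5.1.2600,2014-03-11,2016-06-20,1
EXAM-ROOM-2,6.1.7601,2016-06-14,2016-06-28,1
BILLING-PC,6.3.9600,2016-05-02,2016-05-30,1
DR-LAPTOP,6.3.9600,2016-06-21,2016-06-28,0
"""


def major_minor(version):
    """'6.3.9600' -> '6.3', the key used by the lifecycle table."""
    return ".".join(version.split(".")[:2])


def days_since(iso_date, today):
    return (today - datetime.strptime(iso_date, "%Y-%m-%d").date()).days


def assess_host(row, today, max_patch_age_days=30, max_sig_age_days=3):
    """Return a list of findings for one inventory row (empty means healthy)."""
    findings = []

    release = WINDOWS_EOL.get(major_minor(row["os_version"]))
    if release is not None:
        name, eol = release
        if today >= eol:
            findings.append(f"{name} unsupported since {eol.isoformat()}: replace or upgrade")

    patch_age = days_since(row["last_patch_date"], today)
    if patch_age > max_patch_age_days:
        findings.append(f"no security updates installed for {patch_age} days")

    if row["av_enabled"] != "1":
        findings.append("antimalware disabled")
    else:
        sig_age = days_since(row["av_signature_date"], today)
        if sig_age > max_sig_age_days:
            findings.append(f"antimalware signatures {sig_age} days old: check auto-update")

    return findings


def assess_inventory(csv_text, today):
    """Map hostname -> findings for every host that has at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = assess_host(row, today)
        if findings:
            report[row["hostname"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in assess_inventory(INVENTORY_CSV, date(2016, 6, 29)).items():
        print(host)
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed inventory as of the article's date, the script flags the XP front-desk machine on all three counts, the billing PC for patches and signatures that have both gone stale, and the doctor's laptop for antimalware that has been switched off; the Windows 7 exam-room machine, patched within the month and with signatures a day old, is reported clean. Feeding it a real export turns the article's advice into a list of specific machines to fix.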
