
Best Practices for Maintaining and Securing your ABELMed System
Security Best Practices
There are several ways to protect PHI, both while it is stored on your computer systems and while it is in transit. The following best practices should be followed to keep that data safe and secure.
Data Encryption
Health Information Custodian Responsibilities
It is the responsibility of the Health Information Custodian, or of an Agent of a Health Information Custodian, to protect the collection, use and disclosure of Personal Information (PI) and Protected Health Information (PHI). This protection extends to ensuring that patients’ PI and PHI are secured in transit and at rest according to industry best practices.
An “agent” of a health information custodian includes anyone who is authorized by the health information custodian to do anything on behalf of the custodian with respect to personal health information. These actions are for the purposes of the health information custodian and not the agent.
The Health Information Custodian or Agent can be any number of individuals or organizations who have custody or control of personal health information, such as:
- Doctors, nurses, hospitals or other health care providers
- Employees of the health information custodian
- Persons contracted to provide services to the health information custodian where the person has access to personal health information (e.g. copying or shredding service, records management service)
- Volunteers or students who have any access to personal health information
Encryption Requirements
Your ABELMed data must be protected by encryption at rest, on production systems and in backup storage, and in transit when it is migrated from the source EMR.
Encryption for Data Export / Migration / Transfer
PI and PHI must be protected using encryption when being migrated from the source EMR. Steps for encrypting your data prior to migration or transfer:
- Before performing the migration, select an appropriate encryption product and install it on the computer that holds the source data.
- Use the encryption tool to create an encrypted file containing the source PI and PHI.
- Generate the decryption key for the file during the encryption process. Protect this key, and never send it through the same channel as the encrypted file.
- Transfer or migrate the encrypted data to its destination.
- Use the decryption key to decrypt the data for authorized access only.
The encryption products we recommend provide 256-bit AES encryption. With these, the end user exports and encrypts the data themselves and remains in sole possession of the decryption keys.
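The steps above worked through end to end, as an added example that is not ABELMed's own tooling or one of the products it recommends: a POSIX shell script that uses OpenSSL, which is assumed to be installed on both the source and destination machines (version 1.1.1 or later, for the -pbkdf2 option). The function names, the file names and the two-row sample export are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of ABELMed: encrypt an EMR export with AES-256 before
# it leaves the source machine, hand over the key and a digest by a separate
# route, then verify and decrypt at the destination. Assumes OpenSSL >= 1.1.1.
set -e

PBKDF2_ITER=200000   # slows down passphrase guessing if the key file ever leaks

# Step 3 of the list: generate a random 256-bit key (hex) into a file that only
# the current user can read. The recipient needs this file; it must travel
# separately from the encrypted export (never in the same e-mail, USB stick or upload).
make_key() {   # make_key <keyfile>
    ( umask 077; openssl rand -hex 32 > "$1" )
}

# Step 2: encrypt <plaintext> into <outfile> with AES-256-CBC. The cipher key is
# derived from the key file with PBKDF2 and a random salt stored in the file
# header, so every run yields different ciphertext. Prints a SHA-256 digest of
# the ciphertext; send that digest together with the key, not with the file.
export_encrypt() {   # export_encrypt <plaintext> <keyfile> <outfile>
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "file:$2" -in "$1" -out "$3"
    openssl dgst -sha256 "$3" | awk '{ print $NF }'
}

# Step 5: at the destination, refuse to decrypt unless the ciphertext matches the
# digest received out of band (CBC on its own does not detect tampering or a
# truncated transfer), then decrypt for authorised access only.
import_decrypt() {   # import_decrypt <ciphertext> <keyfile> <expected_sha256> <outfile>
    actual=$(openssl dgst -sha256 "$1" | awk '{ print $NF }')
    if [ "$actual" != "$3" ]; then
        echo "digest mismatch for $1: file altered or incomplete, not decrypting" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "file:$2" -in "$1" -out "$4"
}

# Demonstration on a constructed two-row export (not real patient data).
demo() {
    work=$(mktemp -d)
    printf 'patient_id,name,dob\n1001,Jane Doe,1970-01-01\n' > "$work/export.csv"
    make_key "$work/export.key"
    digest=$(export_encrypt "$work/export.csv" "$work/export.key" "$work/export.enc")
    # Step 4: transfer export.enc; deliver export.key and $digest by another route.
    import_decrypt "$work/export.enc" "$work/export.key" "$digest" "$work/restored.csv"
    if cmp -s "$work/export.csv" "$work/restored.csv"; then
        echo "round trip OK, ciphertext sha256=$digest"
    fi
    rm -rf "$work"
}

demo
```

The digest check is what turns a plain CBC file into something the receiving side can trust: if the export was modified or cut short in transit, decryption is refused instead of silently producing corrupt records. Delete the plaintext export and the key file once the migration has been verified at the destination.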
Data at rest
Ensure that data at rest is protected using encryption such as Microsoft BitLocker. BitLocker is a full disk encryption feature included with Microsoft Windows and is designed to protect data by encrypting entire disk volumes with AES. On Windows 10 and later the default is XTS-AES with a 128-bit key; a 256-bit key can be selected through Group Policy (Choose drive encryption method and cipher strength) before the volume is encrypted.
See the Microsoft Support article on enabling BitLocker for step-by-step instructions. Before encrypting, confirm that the recovery key has been backed up (for example to Active Directory or as a printed copy kept in a safe place), because a locked volume cannot be recovered without it.
Learn more about ABELMed’s Data Encryption Requirements on MyABEL.
Multi Factor Authentication
ABELMed relies on the Microsoft Windows operating system for user authentication, password rules and related controls. Several products provide two-factor authentication for Windows logins. Given the very sensitive nature of Protected Health Information, and the high risk and cost of privacy breaches, we recommend implementing one of these technologies to strengthen user authentication in your practice.
Security Monitoring
ABEL recommends business-grade router/firewall appliances with Intrusion Detection and Intrusion Prevention (IDS/IPS) capability. Having such an appliance in place helps, but it should not be “set and forget”. Monitoring and checking of alerts and logs, from both the appliance and the computers, should be a regular, ongoing practice, so that detections are followed up and rules adjusted when required. When this is done regularly and properly documented, incidents are detected and acted upon quickly, and there will be no question that you performed your “due diligence” should a breach occur. Most practices do not have suitable expertise on staff to review these alerts and logs; a third-party Managed Detection and Response (MDR) service is recommended for this role.
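What “checking the logs” can look like in practice, as an added example that is not part of this page or of any ABEL product: a POSIX shell function that reads an exported text log from a firewall or server, counts failed logons per source address with awk, and raises an alert for any source over a threshold, separately flagging the case where that source later logged in successfully. The sample log lines are constructed for the example (addresses are from documentation ranges), and the “Failed password” / “Accepted password” wording is the OpenSSH syslog format; other appliances need their own match patterns.

```shell
#!/bin/sh
# Added example, not ABEL's tooling: a minimal failed-logon review over an
# exported text log. Assumes OpenSSH-style syslog message wording.
set -e

# Constructed sample log (documentation addresses, not real traffic): six
# failures then a success from one source, one stray failure from another.
sample_log() {
cat <<'EOF'
Mar 12 02:14:01 fw1 sshd[1182]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar 12 02:14:03 fw1 sshd[1182]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar 12 02:14:05 fw1 sshd[1183]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 12 02:14:07 fw1 sshd[1183]: Failed password for invalid user backup from 203.0.113.45 port 51030 ssh2
Mar 12 02:14:09 fw1 sshd[1184]: Failed password for admin from 203.0.113.45 port 51041 ssh2
Mar 12 02:14:11 fw1 sshd[1184]: Failed password for admin from 203.0.113.45 port 51041 ssh2
Mar 12 02:14:20 fw1 sshd[1185]: Accepted password for admin from 203.0.113.45 port 51050 ssh2
Mar 12 08:02:44 fw1 sshd[1302]: Failed password for drsmith from 198.51.100.7 port 40012 ssh2
Mar 12 08:02:50 fw1 sshd[1302]: Accepted password for drsmith from 198.51.100.7 port 40012 ssh2
EOF
}

# flag_failed_logons <logfile> <threshold>
# Prints one ALERT line per source address with at least <threshold> failures.
# A success from a source that had already crossed the threshold is the case
# that needs immediate follow-up: the password was guessed, not merely attempted.
flag_failed_logons() {
    awk -v thr="$2" '
        # the token after "from" is the source address in both message types
        function src(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        /Failed password/   { fails[src()]++ }
        /Accepted password/ { ip = src(); if (fails[ip] >= thr) compromised[ip] = 1 }
        END {
            for (ip in fails)
                if (fails[ip] >= thr)
                    printf "ALERT src=%s failures=%d%s\n", ip, fails[ip],
                           (ip in compromised) ? " followed-by-success=yes" : ""
        }' "$1"
}

# Demonstration: review the sample with a threshold of 5 failures.
demo() {
    log=$(mktemp)
    sample_log > "$log"
    flag_failed_logons "$log" 5
    rm -f "$log"
}

demo
```

Run daily against the previous day's export and file the output with the review record; the single clinician who mistyped a password once (198.51.100.7) stays below the threshold, while the source that guessed its way in (203.0.113.45) produces the alert that warrants a password reset and a look at what that account did next.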
Windows Updates
The importance of installing Windows Updates
Ever wondered why it’s important to install the Windows Updates?
Most of them include security updates. Security vulnerabilities can be exploited by malware or attackers, and such vulnerabilities are regularly found in various Windows components; ActiveX, Internet Explorer and the .NET Framework are just examples.
Other updates address other bugs and issues in Windows. Even though those bugs are not security vulnerabilities, they might affect the stability of your operating system or the applications you are using.
Windows Updates also come with new features, while patching some known issues.
Most computers have Windows Updates set up to “Install Updates Automatically”, which is the recommended setting. However, you also have the option of manually checking for updates if preferred.
It is highly recommended to keep all of your computer workstations updated with the latest Windows operating system versions and service releases.
Offsite Data Backup
Ransomware and the failure or theft of an office’s computer, hard drive, network or operating system can be catastrophic for a practice. In addition, environmental threats and hazards such as fires, storms, floods, power failures, and electrical surges can cause serious – sometimes irreparable – damage in the absence of proper planning.
What’s at risk?
The loss of financial records, patient files, documents, appointment schedules, and more! Once this data is gone you may not be able to replace it without a proper contingency plan.
For your Peace of Mind, we offer Remote Data Backup and Disaster Recovery Virtual Server Services that provide an efficient, affordable way to put systems in place to help recover your valuable practice data.
It is strongly recommended to implement a secure internet-based data backup system to help protect and recover your valuable practice data in case of any disaster. This should be in addition to any on-site data backup systems you may already have in place.
The Data Backup solution you select should provide you with the following:
- strong encryption (such as 256-bit AES) of your data in transit and in cloud storage
- an automated, online, remote service with no manual effort required on your part
- access to your data backup when you need it
- a retention schedule preserving data for up to 1 year
- summary reports emailed daily