How can I keep OfficeEMR more secure?

The world of healthcare technology is an ever-changing landscape. These rapid changes create openings that hackers and others attempt to exploit as security vulnerabilities. iSalus Healthcare does most of the heavy lifting related to security through the rigorous security requirements implemented at our tier 1 data center.

However, there are some things that only you can do to decrease the risk of a security breach. It is always best to periodically review your current security requirements and improve them where necessary. This article reviews several of the security-related configuration options available to you.

While the guidelines below address changes that can be made to the software, several other techniques can and should be implemented at your practice. Be sure to check out the AMA's guide for some of these recommendations: https://www.ama-assn.org/practice-management/sustainability/physician-cybersecurity

Access

Access defines exactly WHO can get into the system and WHEN. 


Action Item: Review WHO has access to your system. 

Remediation Plan: Deactivate users that should not have access.

Remediation Steps: Activate/Deactivate a User

You should periodically review the list of all users that can login to the system and deactivate any user that should no longer have access. It is also a good idea to have a process of removing this access whenever a person is no longer employed with your practice.


Action Item:  Review WHEN users have access to your system.

Remediation Plan:  Modify login times based on need.

Remediation Steps: Modify Login Times for a User

It is good practice to limit each user's access to the system to match their actual need. By default, all users can log in to the application at any time on any day. For some users this makes sense; for others it may not.

Authentication

Authentication determines HOW a user that has been granted access can log in to the system.


Action Item:  Consider implementing two-factor authentication.

Remediation Plan:  Set up two-factor authentication for all users.

Remediation Steps: Set Up Two-Factor Authentication

Two-factor authentication requires a user to log in with both a password and a token that is sent to a device that the user owns. This additional security measure ensures that others cannot log in as you if your username and password are compromised, because they must also have access to a device that you own. Security experts highly recommend implementing this feature.


Action Item:  Consider implementing a more strict password policy for your practice.

Remediation Plan:  Harden password policy by changing the password policies in the application.

Remediation Steps:  Set the following company settings:

  1. Company Setting: Maximum number days password is valid, (0=always)
  2. Company Setting: Minimum password length
  3. Company Setting: Most recently used password count
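The three company settings above correspond to checks that any password-policy engine performs on a login or a password change: is the current password past its maximum age, is a proposed password long enough, and does it repeat one of the user's recent passwords. The following is an added Python example written for this article; it is not OfficeEMR or iSalus code and does not reflect how the application stores or checks passwords internally. The class and function names, the use of PBKDF2 for hashing, and the exact interpretation of each setting (a password expires on the day its age reaches the maximum, a reuse window that counts the current password, and 0 meaning "never expires" or "no reuse check") are assumptions made for illustration.

```python
"""Illustrative model of the three password-policy company settings.

Added example, not iSalus/OfficeEMR code. Field names, hashing choice and
the interpretation of each setting are assumptions for illustration only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PasswordPolicy:
    max_age_days: int   # "Maximum number days password is valid, (0=always)"
    min_length: int     # "Minimum password length"
    history_count: int  # "Most recently used password count" (0 = no reuse check)


@dataclass
class UserCredential:
    salt: bytes
    current_hash: bytes
    set_on: date                                  # date the current password was set
    history: list = field(default_factory=list)   # hashes of prior passwords, newest first


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 stands in for whatever a real product uses (assumption).
    # One salt per user keeps old hashes comparable; a production store
    # would keep a salt per history entry instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_credential(password: str, set_on: date) -> UserCredential:
    salt = os.urandom(16)
    return UserCredential(salt=salt, current_hash=_hash(password, salt), set_on=set_on)


def password_expired(policy: PasswordPolicy, cred: UserCredential, today: date) -> bool:
    """Setting 1: 0 means the password never expires; otherwise it expires
    once its age in days reaches max_age_days."""
    if policy.max_age_days == 0:
        return False
    return (today - cred.set_on).days >= policy.max_age_days


def validate_new_password(policy: PasswordPolicy, cred: UserCredential,
                          new_password: str) -> list:
    """Settings 2 and 3: return the list of violations (empty list = accepted)."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    # Reuse window = the current password plus the most recent prior ones,
    # history_count entries in total; a count of 0 disables the check.
    recent = ([cred.current_hash] + cred.history)[:policy.history_count]
    candidate = _hash(new_password, cred.salt)
    if any(hmac.compare_digest(candidate, h) for h in recent):
        problems.append(f"matches one of the last {policy.history_count} passwords")
    return problems


def change_password(policy: PasswordPolicy, cred: UserCredential,
                    new_password: str, today: date) -> list:
    """Apply a password change if it passes the policy; returns the violations."""
    problems = validate_new_password(policy, cred, new_password)
    if problems:
        return problems
    cred.history.insert(0, cred.current_hash)
    cred.current_hash = _hash(new_password, cred.salt)
    cred.set_on = today
    # Keep only as many prior hashes as the reuse window will ever consult.
    del cred.history[max(policy.history_count - 1, 0):]
    return []


if __name__ == "__main__":
    # Constructed sample: a 90-day maximum age, 12-character minimum, last 3 passwords blocked.
    policy = PasswordPolicy(max_age_days=90, min_length=12, history_count=3)
    cred = make_credential("Winter2024!!", date(2024, 1, 1))
    print("expired on 2024-03-31:", password_expired(policy, cred, date(2024, 3, 31)))
    print("too short:", validate_new_password(policy, cred, "short1!"))
    print("reused:", validate_new_password(policy, cred, "Winter2024!!"))
    print("accepted:", change_password(policy, cred, "Spring2024!!", date(2024, 4, 1)))
```

The interesting edge cases are the zeros: with `max_age_days=0` the expiry check is skipped entirely, and with `history_count=0` the reuse slice is empty, so any previous password may be reused. Tightening the settings in the application removes exactly those gaps.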