You probably know you shouldn’t send personal information about yourself, a friend, a patient/client or any other contact through email. And you might have even heard of email encryption. But if it seems like protecting your confidential information is something that would be necessary only in a spy movie, think again. It’s important not only for avoiding identity theft; in some industries where client confidentiality is legally protected, it is also required for compliance.
Hackers are hitting closer to home. Let’s break down the basics of digitally communicating secure information, and I’ll provide you with a solution to protect yourself, your clients and your business.
Enforcing compliance policies
When you send an email, the message leaves your email provider’s server and travels over the Internet. It’s easy to see that security could be an issue if you are using a public Wi-Fi hotspot (such as the local coffee shop), but protecting your information can also be an issue when sending emails over your home or work networks.
Another point of concern is your old or archived email messages. I’d be willing to bet very few of us delete every email that comes through our inbox. Important emails are typically read, filed and saved for later reference. These emails are vulnerable to hackers even if you’ve password-protected your email program.
But there’s a bigger issue here to consider. Although you can encrypt your email server connection, and you send your email out over encryption protocols, it’s not always possible to make sure the recipient has the same set of security practices in place. Your information might have gone out secure, but that does not always mean it stayed secure and was delivered secure. Because you can only control your company’s practices, it’s best to have a companywide policy on what is and what is not acceptable to be sent over email. Once this policy is created, it must be enforced, and there should be checks in place to make sure everyone is staying compliant.
Staying secure with third-party service
So how do we accomplish sending secure information and ensuring it stays secure while also being readable to the recipient? Sometimes this simply means not using email. In terms of HIPAA and HITECH compliance, patient information, which includes dates of birth, Social Security numbers, credit card information, bank information or any personal patient data including diagnosis, should not be sent out via email. Instead, it is recommended to use a third-party service to send out this information. Two of the many products that allow the collaboration and sharing of information are Citrix ShareFile and Box for Healthcare. These two products allow you to upload this data over a secure connection to a third-party secure site.
You then set up permissions and access restrictions. Some of the options you can set are related to the people who are authorized to download the document, the amount of time the documents are available to download, the number of times the document can be downloaded or whether the end user can upload additional documents. You can change these parameters as needed or completely delete the item if necessary. I recommend thinking conservatively when setting up these options, as you can always relax the parameters as needed on a case-by-case basis. Sticking to your company’s policies will help protect you, your employer and your client’s information.
Once this is all set up, you then send a link to this site from the online portal. Recipients will then receive two emails. The first will have a link to set up their account on the site using their email address for authentication. They will be asked to set up a password the first time they access the site. Because the recipients are setting up the passwords, and you are not, they are also able to reset it without you having to do it for them. The recipients will then need to open the link in the second email and sign in with their email address and their newly created password. Users can then view, download and/or upload information to the site over a secure connection depending on the parameters you have defined. Once the data is downloaded to the recipients’ network, it is then their responsibility to ensure the information is handled in line with the applicable compliance requirements.
On your end of a Citrix ShareFile and/or Box for Healthcare account, you will always use the same username and password no matter which of your clients or contacts sends you information. This makes it easier to collaborate with multiple people without needing multiple unique usernames and passwords.
The next time you are tempted to send someone personal information over a shared Wi-Fi hotspot at Kaldi’s, stop and put on your spy mask. Wait, set up an encrypted account and do this right. Your security and adherence to industry compliance might just depend on it.