Practice Management Alert

Designate a security officer to check up on Web scams

Staying on top of viruses and hoaxes as they appear, and keeping staff informed about how to deal with them, will go a long way to protect your office's confidential information--from sensitive financial records to patients- protected health information (PHI).

Follow our experts- advice for designing a policy and procedure (P&P) to protect your staffers--and sensitive information--from even the trickiest Internet scams.

Appoint a -DSO-

Someone in your office--an office manager or billing manager--must be aware of what scams are circulating the Internet, says William Hubbartt, president of Hubbartt & Associates, a privacy and security consulting practice in St. Charles, Ill. Your office may have a designated security officer (SO) to keep tabs on the Internet, but most smaller offices do not have a full-time SO.

Try this: Find someone in the billing office and appoint her DSO--Designated Security Officer.
 
Part of the DSO's job should be spending a certain amount of time visiting security Web sites and reading how the newest viruses or scams can be detected and prevented. An important part of this job is constantly checking for software and anti-virus updates,  Hubbartt says.

And, as your DSO develops new ways to fend off e-mail and Internet attacks, she should update your P&Ps to reflect all new approaches.
 
School all staff: A medical office's plans to ward off leaks and viruses will be foiled if just one staff member opens the wrong e-mail or visits the wrong Web site, says Chad Markham, information security officer for Mercy Medical Center in Sioux City, Iowa.

To educate staff, Markham sets up regular security training sessions with his staffers to remind them about P&Ps. Between training sessions, Markham uses newsletters and e-mail reminders to keep his staff members on their toes about the dangers of e-mail and the Internet. The following sample scripts are e-mail messages that Markham has sent out to staffers in the past:
 
Sample script 1: -Immediately delete an e-mail if the subject line, punctuation or attachment extension looks suspicious. Some examples of this are: !HATNow!!, iloveyou, or File.mp3.exe.-

Sample script 2: -Never respond to an e-mail asking you for financial, medical or other confidential information. If the sender looks familiar to you (such as an e-mail from the medical center's or your bank's domain), pick up the phone and call to verify that they need the information--then give it to them over the phone. However, in 99.9 percent of these cases, the e-mail is a hoax or scam.-