My apologies if this question has been asked before.

How does a medical practice assure patients that the practice follows excellent computer security practices?

Conversely, how does a patient find this out?

Some initial questions:

  1. Do any of the computers in the office run Windows XP? If so, are they air-gapped?

  2. Ditto for Windows Vista.

  3. Does each computer use full-disk encryption?

  4. What is office policy about BYOD devices?

  5. Is there a written security policy? What documents do employees sign?

These questions, and more, would be answered in a security audit. Can medical facilities provide a statement to patients about their security practices, without revealing specifically what they are?

An interesting link:


NOTE: I think that a "medical audit" does not cover security issues. A "medical audit" covers proper diagnosis and coding of medical conditions according to the ICD-10-CM (International Classification of Diseases, Tenth Revision, Clinical Modification). See http://www.cdc.gov/nchs/icd/icd10cm.htm

2 Answers

As Schroeder has mentioned, there are a few security standards and frameworks which can be used. One thing you absolutely are REQUIRED to comply with by LAW in the U.S. (I see you live in New York) is HIPAA.

Aside from that, ISO 27001 can provide you with a certification that you have a controlled security organization. There are different bodies that can provide this certification, such as EY CertifyPoint or BSI.

Lucas Kauffman

There are a number of regulatory bodies that provide standards and auditing procedures to provide this kind of assurance (of varying degrees and focus):

  • ISO 27000
  • NIST

As you speak of 'patients', you need something short, understandable, and recognized. Laying out all the procedural details (like air-gapped workstations) isn't useful to anyone.

Select an assurance standard, perform third-party audits, and make the results available.
