In your practice you likely use any number of diagnostic frameworks to help diagnose and treat your patients every day. These frameworks, or basic underlying systems, validate that appropriate policies, procedures, standards, and guidelines are implemented so that medical operations are conducted within an acceptable level of risk. Yet when we look at our practice data, very rarely do we have a proper framework in place to help ensure the confidentiality, integrity and availability of that data.
Our Data Security Framework
More often than not I hear from practice managers and owners that “our IT guy handles our backups and anti-virus.” However, we would never accept this exchange with our veterinary technicians: “Did you give Fluffy some midazolam?” “Yeah, I gave her a small amount.” To maintain the integrity of the animal’s health we would follow a framework to determine the exact dose needed. We would then do our due diligence as the DVM to verify the amount of midazolam that was administered, and that would be entered into the patient record. Yet so often when it comes to the health of our practice data we have no framework in place at all.
Evaluate and apply data security principles
Our practice data is the heartbeat of our veterinary business. This is why it’s so important for us to review the following principles to ensure the confidentiality, integrity and availability of our data. Let’s look at an example practice where it became important for us to implement a proper data security framework.
Alignment of security functions to practice strategy, mission, goals and objectives
How do the data and technology tools we use in our practice today affect our overall practice strategy, mission, goals and objectives? I had a great conversation with a practice owner in Denver, CO. He was very clear that he wanted to leverage technology to increase the overall productivity of his practice. This increased productivity would help to achieve the mission of great customer service and longer one-on-one time with his clients, with the objective of increasing practice revenue to open a second location. He had a clear goal of how he wanted to leverage technology but hadn’t given much thought to how that data would be protected in the process.
Org processes, roles and responsibilities
We may find a technology solution that increases overall productivity, but in the process we have given every member of the staff administrative rights. This may increase productivity because every member of the staff can do whatever their heart desires within the application, but we have greatly decreased the overall integrity of the data. We run a higher risk of data loss, corruption or theft from both external and internal actors. While it’s great to have a goal in mind when it comes to your technology, we need to understand the roles and responsibilities of all parties involved with our practice data, and how to give them the proper controls to increase productivity while also ensuring data integrity.
Security Control Frameworks
As we look at the technology in our practice and how to better leverage it to suit our goals, mission and objectives, we should build our technology around a framework that helps us achieve confidentiality, integrity and availability. Whenever you step into the operating room the situation is never the same; each patient is unique. But we have a framework that provides the guidance to complete the task at hand. There are a number of different frameworks that we can put into place in our veterinary practice, none of them better than the others. However, they are becoming increasingly important with new regulations such as the GDPR and CCPA.
International Organization for Standardization – ISO
ISO 27000 and ISO 27001
Control Objectives for Information and Related Technology- COBIT 5
Covering five core principles, hence the 5.
National Institute of Standards and Technology – NIST
The only internationally recognized body of standardization. Not that the others are no good, but this one has international credentials.
BSIMM – Software Security Framework
Due Care/ Due Diligence
In our earlier example we would never just assume our veterinary technician dosed the correct amount of medication. We would do our due diligence to ensure that the correct amount was given. I can’t tell you the number of times I speak with practice managers and owners who haven’t done their due diligence when it comes to their data.
“I think we have all the proper security tools and backups in place. Our IT guy takes care of it.” – Practice Manager
By having a security framework in place we will have a set of standards to ensure there is proper oversight of key aspects of our practice’s data. This may include user access rights, data backup verifications, security protection reports, and so on. The important point is that you don’t have to know how these tools work; you just need to know that they are working. It’s your practice and your data. Make sure to do your due diligence to ensure it’s protected.