You may have noticed that Facebook was down last week. Not only Facebook, but also Instagram, WhatsApp and many of its other applications. This left many organizations that relied on Facebook tools debilitated. Apps and websites that rely on Facebook logins were inaccessible. Companies and individuals that rely on the communication tools in Facebook, WhatsApp or Instagram were suddenly unable to communicate with their clients.
While this outage may not have affected your office directly, it has some direct takeaways that your office should consider.
- 1. If Facebook with its army of engineers can go down, so can your office.
HIPAA recognizes that there is no 100% failproof way to prevent your office from going down. What HIPAA requires is that you identify the potential risks to your office and patient data and take steps to mitigate that risk.
- 2. Have a Break Glass Policy in place.
One of the reasons it took so long for Facebook to get its systems back up is because the security engineers’ digital codes to get into the server area stopped working (https://www.nytimes.com/2021/10/04/technology/facebook-down.html).
If your office’s password to log in to your EHR system doesn’t work, how will you get into your system? First, you can call your EHR company and have them help reset the password. However, that option is fallible. The EHR company may have gone down. (With last week's event you can’t discount an outage.) The customer support line may be busy, the phone lines may be down, the company may have gone out of business, etc. One of the three pillars of HIPAA is the availability of patient data. If the patient records are not accessible when treating your patient, how will you be able to make a proper treatment decision? Ultimately, it is your office’s responsibility to have a “Break Glass Policy” for how to access your data if your password is not functioning.
- 3. Make sure that your office has a backup system in place
For the duration of the Facebook outage, users were unsure of what the outage would mean for their data. I will admit that I was concerned over the potential loss of photos saved on my social media. Fortunately, it does not seem that my data or anyone else’s data has been lost, but the loss of data is not something your office should take lightly.
A backup system is separate from where your office’s data is being hosted. That way, if something were to happen to the original data, such as an outage, malware attack, corruption, etc., the backup can restore the most recent version of the data before the incident occurred. This may mean you have a remote backup system or a local drive that you back up to and unplug daily.
- 4. Human error can be the scariest threat to cybersecurity
Facebook has announced that the outage was a result of a configuration change to its routers. Despite the vast security systems at Facebook’s disposal and contingencies built into its network, this configuration change brought Facebook and its applications to a grinding halt. Errors happen, but I would not want to be part of the team that gave the go-ahead for that configuration change.
Help your staff help you. Make sure that you and your staff are properly trained and educated on HIPAA by attending annual HIPAA training courses. Keep up to date on changes in HIPAA by subscribing to our weekly newsletter.
- 5. Mitigate outages in your office
While an outage in your office may look different from the Facebook outage, what would your office do if you were to lose power? What would your office do if you lost internet connection?
Let’s start with electricity. Are you tracking how often your office has power outages that affect office operations or patient treatment? A power outage is a risk to your office. Without power, how are you able to access patient records for treatment or billing purposes? This also affects the availability pillar of HIPAA. In addition, it can affect a patient’s right of access under HIPAA. One way to mitigate this risk is by having a backup generator in your office.
A power outage also has a risk of corrupting patient records. If you have a patient record open when a power outage occurs, the file may get corrupted because you were unable to save it properly. Plug your computers and especially your server(s) into battery backups to provide enough power to properly save any open records.
Moving on to internet: again, are you tracking how often your office has internet outages that affect office operations or patient treatment? As a risk to your office, you should be tracking these outages. Especially if your patient records are in the cloud, a loss of electricity can affect the availability of patient records. To mitigate this risk, your office may get multiple internet providers or have a mobile hotspot in the office to use if the internet goes down.
Do you have any questions on how your office can implement these takeaways in your office? Contact TLD Systems at (631) 403 6687 or firstname.lastname@example.org to find out how we can help.