Risk Management Tip: Security of Patient Information and Health Information Technology

MLMIC Risk Management Tip #24 addresses medical professional liability risks related to “Security of Patient Information and Health Information Technology.”

The Risk

With virtually all medical offices and healthcare facilities connected to the internet and using computer systems for the practice of medicine, maintaining the security of computers and other electronic devices, as well as the privacy of patients’ protected health information (PHI), has become critical. The following are tips for staff and providers on securing this technology and information.


  1. Require that staff and providers have strong and unique passwords:
    • Passwords should have a minimum number of 12 characters and include upper and lower-case letters, numbers and symbols.
    • Passwords should be changed at set intervals.1
  2. Do not share passwords:
    • Do not allow others to document in an electronic health record (EHR) under your password, while you are logged on.
  3. Grant staff access to an EH only on a “need to know” basis:
    • Individuals should be granted access only to the information necessary to perform his/her job.
    • If an employee transfers to a different job function, have a process in place to reduce or increase their access based on the new job functions.
  4. Educate staff regarding not:
    • plugging in their personal devices to USB ports on the system’s computers;
    • installing software on their work computers without prior approval;
    • clicking on suspicious links in emails; and
    • allowing USB devices to leave the facility unencrypted.
  5. Position computers and printers away from patient and visitor traffic:
    • Consider the use of screen filters to prevent visualization of PHI by others.
  6. Encrypt all computer hard drives. At a minimum, all laptops and tablets should be encrypted, especially if they are to leave the facility.
  7. Provide frequent and ongoing cybersecurity education and training.
  8. Policies and procedures should clearly define the disciplinary actions to be taken for the inappropriate use of the computer system.
  9. Develop a cybersecurity incident response process to address a security breach or cyberattack, and test it at least annually to confirm that there is:
    • defined procedure for reporting any suspected information security incident;
    • an obligation for employees to report any suspected incident immediately upon discovery; and
    • an individual(s) with clearly assigned responsibilities for managing incidents.
  10. Promptly disable an individual’s access to the computer system upon their leaving employment:
    • For involuntary dismissal, disable access prior to the notification of termination.
    • If access to the employee’s emails, voicemail, etc. is necessary, assign another qualified individual to address any information that requires review or action.
  11. Maintain inventory control of all computerized devices including laptops, thumb drives, handheld devices, etc.
  12. Install appropriate anti-virus software and update devices frequently to protect the computer system from security vulnerabilities.
  13. Perform system back-ups of files and data routinely:
    • Test back-up restoration semi-annually, at a minimum.
  14. Perform audits to assure compliance with health information technology policies and any applicable regulations.

1Current guidelines suggest that if the password length is set to 16 characters, it should be changed annually at a minimum.

This MLMIC Risk Management Tip is available here as a PDF: “Security of Patient Information and Health Information Technology.”