I want to start off by saying I am not writing this as an opportunity to slam lawyers or doctors. It has just come to my attention over and over again how abysmal security is in some of these offices. I believe this is through a combination of reasons common to “high status” professions. I will try to go over some of what I observe going on in as tactful a manner as possible.
There will be a couple of follow-on posts suggesting solutions (so I will offer some ways to fix this), but first I think we need to address the root of the problem a bit. I want to be clear that these characteristics are an overall generalization and of course can vary greatly from individual to individual.
Problem 1) Slow to ask for help, or at least for help from a computer professional, and then not taking the time to actually sit down and discuss what needs to be done.
- These high-status professionals are surrounded by talented office workers who are very skilled at their jobs: billing specialists, paralegals, insurance specialists, and office managers. There is a tendency to rely on these computer power users to be the network administrators. No one working on the computers really understands how to deploy an effective and secure network. The office network usually ends up looking like one you would see in a very big house: a bunch of Windows XP installations sharing EVERYTHING with everyone. In some of the worst cases, the people designated as administrators have created insecure remote-access portals to their home computers and back doors into the system should they ever get locked out. When there is a problem, the doctor or lawyer often does not know how to (or that they need to) take the extra measures to completely shut down the former administrator’s access. I have seen this over and over again in small and large businesses alike. It simply highlights the need for the senior executives to have at least a general understanding of how the system operates and what to do in the event of an “incident.” But that is for another post….
- Once the hacked-together network, which was designed for home use rather than organizational security, becomes completely dysfunctional (they lose data, or get hacked), a computer professional is called. When this computer guy comes in, he finds a huge mess. Not only will this mess take a lot of time to fix, it will probably require new software and hardware (server, server OS, firewall, anti-virus, intrusion detection…). The initial quote for fixing things therefore comes as complete sticker shock to the doctor or lawyer involved.
- Generally, the initial evaluation and quote is further complicated because the doctor or lawyer is “too busy” to be personally involved in evaluating what they want or need. The job of working with the computer guy to “just make it work” is delegated to the paralegal or office manager. This prevents a real discussion of the best ways to set things up, the costs, and the options with the actual decision maker.
- If the doctor or lawyer does get involved in the discussion, there is generally a very rushed air about the conversation that conveys they really don’t want to be there and are irritated to be spending time and money talking to someone. Since the discussion is outside their area of expertise, they don’t seem to want to expend the mental energy to understand the problem and the solutions. It is often this unwillingness to understand the situation that led to the problem in the first place. My wife is the perfect example. I am the web administrator for her practice, and I cannot tell you how often I have heard her say to me, “I don’t care how you do it, just fix it.”
Problem 2) They are tired of the sales pitch.
- Doctors and lawyers are frequent targets of salespeople for all kinds of products. Often they have already bought software, services, or hardware that was sold for WAY more than it was worth and didn’t solve the problem. This leaves them very jaded and skeptical of your advice. Again, it is usually far, far less expensive to have a trustworthy IT person who can evaluate and explain the pros and cons of the different options. One company I worked with was developing a tele-mental health program. I developed a solution for them that would cost about $16,000 per year to handle the secure video conferencing, secure email, and chat at three clinic locations. The IT Director got sold on an out-of-the-box “solution” for $40,000 that only handled the encrypted video. He was told by the salesperson that he needed a certain resolution for insurance to accept it. That was totally false, but he did not do his research. To this day they have $120,000 of equipment sitting in the IT department and have not deployed anything.
Problem 3) Doctors may not understand their legal obligations to secure networks and data.
- We have all experienced the medical professional who, upon being asked any question, states, “I can’t tell you that because of HIPAA.” Which is very confusing when you are asking where the water fountain is. Seriously, though: even though almost all doctors’ offices have stuck the HIPAA forms into their patient packet, they don’t really understand it in regard to computer security. (Although I have to admit it is a bit fuzzy to everyone.)
- The big point to understand is that the doctor has an affirmative responsibility to secure patient data in house, in transit, and when it is handled by business associates, who must have similar safeguards. This includes faxes, email, chats, and standard snail mail. But what does it mean to “secure it?” Good question. HIPAA and HITECH don’t spell out exact technology standards. It is clear that doing things like sending patient data in unencrypted emails is probably not allowed. Further, even if your email is encrypted on your computer, that does not mean it is encrypted in transit. Email containing patient information must be encrypted at both ends and everywhere in between.
- The fines for not securing patient data, especially in a large practice, could be quite large.
Problem 4) Lawyers tend to assume their data will only be accessed in a manner that is legal.
I have been exposed to attorneys who argue to medical professionals that sending patient data in unencrypted email is alright if you add a line saying it is illegal to read the message if you aren’t the intended recipient. Coming from a law enforcement background, this is laughable to me. I imagine the computer criminals I interviewed… I am sure that after they hacked a server, computer, or network to get to an email… they will not read it if you add a line telling them not to! (I am being sarcastic, if you didn’t get that.)
A law practice’s computer network houses a ton of confidential data, much of it protected by attorney-client privilege. If someone tried to compel a lawyer to disclose a privileged communication in court, the attorney would fight the disclosure to the end. Yet many of the same attorneys routinely send their attorney-client privileged communications through unencrypted email. The thought process is that no administrator on any system between the client and the lawyer will read the message, because “that is illegal.” You get the idea.
Problem 5) Computer techs and system administrators are at fault for not sticking to their guns about what needs to be done.
Especially as a younger computer guy, it is very easy to get intimidated into making bad decisions, particularly by professionals who tell others what to do all the time. For instance, you know the doctor’s office needs a business-class firewall, anti-virus, and intrusion detection system. You tell the doctor this is what is needed and that it will cost $2,000 to buy the system this office needs. The doctor responds that he is not paying that price: “Why don’t you just put a free firewall and anti-virus on every computer? It works for me at home, just ‘make it work’ here.”
An experienced computer guy, who probably has a thriving customer base and doesn’t need the work as badly, would likely say he isn’t going to be responsible for a hacked-together system with sensitive information on it. An inexperienced tech who really needs the work will probably try to hack together a solution for zero dollars. He will then continue indefinitely having to hack together fixes, and the doctor will complain that he is being billed for too many hours. An untenable, bad situation gets worse and worse.
Ultimately, it is vital that professionals work together to build a secure and usable network.
I will follow up this article with some tips and resources that I advise clients to use.
