Security

Physicians need to be aware that e-mails and web servers
are not secure. Physicians should not send personal
health information by e-mail without express consent to
do so from the patient. Service providers such as Rogers
or Sympatico do not provide secure e-mail systems.
Web-enabled e-mail, such as Hotmail, is completely
unsecured. There are systems that provide an acceptable
level of security; those physicians who wish to send personal
health information by e-mail should use an
encrypted or otherwise secure system.
Wireless Internet access causes other security concerns.
If physicians are using such a system, it is highly possible
that others in the vicinity can “eavesdrop” on the
information being accessed. Document and system
password protection can delay or prevent unauthorized
access but physicians using wireless Internet must be
sensitive to the security issues.
All hard drives fail eventually. It is mandatory for
physicians using electronic records to ensure that they
are using an effective back-up system that is updated
frequently. Furthermore, an off-site back-up system is
highly recommended (for example, a CD or other
mass storage device). This will protect patient records
in the event that the physician’s computer or office has
been destroyed.
While electronic records offer opportunities to
enhance patient privacy (by restricting office staff
access in a way that is impossible in an office using
paper records, for example), they may also be vulnerable
to intrusion. Physicians should document protocols
about who in their office has access to which
records and should ensure that the system being used
restricts access to those entitled to access. This would
apply even more acutely to physicians using systems
that allow them to share records with hospitals and
other care facilities. In such circumstances, it is essential
that physicians ensure that adequate security
measures are in place.
A physician is more likely to take his or her laptop out
of the office than all of his or her paper records. For
physicians who take records out of the office or access
their electronic records from a location other than
their own office, it is imperative that they take the
appropriate measures to restrict access and maintain
the privacy of patients’ personal health information.