Doctors have much to consider in the way of features, cost, and usability when it comes to selecting new software for their practices. Considering these four commonly overlooked points will help you choose a secure system that can grow with you.

1. Limit staff’s Internet access to avoid and minimize risk.

Most security breaches in the US happen when employees click links embedded in personal emails or use unsafe websites. Unfortunately, statistics show that training alone won’t solve the problem. The safest measure is to limit the practice’s internet connection to critical work matters only. Many staff members have a smartphone, so they can use their own device and connection for noncritical or personal business.


2. Factor total cost of ownership for technology solutions.

When you evaluate the cost of technology solutions, resist the urge to fixate on the acquisition price instead of the total cost of ownership. IBM found that PCs are 3 times as expensive to manage, and that the company saves $535 for every Mac.

3. Consider the source on advice about technology.

When you hear from a cloud vendor that “everyone is going to the cloud,” think about who that statement benefits. When an IT support company with Windows expertise tells you that Macs are more expensive and that you should not consider a macOS solution, ask yourself how dependent your business is on IT services with PCs. Be sure to do your own research on ransomware affecting healthcare organizations using a Windows platform. How safe do you feel, and how confident are you that your IT provider can protect your patients’ data and your practice’s reputation?


4. Be wary of claims about cloud security: ePHI is still your responsibility.

When vendors tout the security of the cloud, they assume you’re comparing a cloud offering to a Windows solution for your practice. The cloud is not inherently more secure, and the records on shared servers are certainly higher-value targets for cybercriminals. So, cloud vendors’ claims of greater security are based solely on the ability of the host (the company that owns the equipment where your data resides) to employ more and better cybersecurity experts than your practice can. This doesn’t shift your responsibility for protecting ePHI to another party. Even if you have a signed BAA from a hosting company, you share responsibility for protecting the ePHI you collect, and you retain sole responsibility for your own systems.