Computer security: Is anti-virus software enough?
By Shardul Mehta, Published February 2005
No.
Of course, anti-virus (AV) software is important. Sophos, a provider of AV software, claims that this year saw 10,724 new viruses introduced, 52 percent more than in 2003. The Internet Storm Center, which tracks security attacks, reports 7.6 million attacks in the U.S. alone. No doubt these are alarming statistics. However, while virus attacks grab the headlines, numerous studies have shown that the most successful attacks come from within the organization itself, from disgruntled current and former employees. This means organizations are at risk not just from outside security threats, but also from internal ones.

The fact that your office may be using medical billing software or another computer system means sensitive information about your practice and patients is being stored in electronic format, so it is critical that you take steps to ensure its security. Unfortunately, misconceptions, driven primarily by a lack of understanding, abound in information security. Many practices believe installing AV software or a firewall is enough. Some believe that by simply not having Internet access or email in the office, they are immune. Worse, many smaller practices are guilty of "security by obscurity": "We're a small practice," the thinking goes. "We're located in a small, unknown town. We're not at risk."

Recently a Maryland-based rural family practice discovered that several employees, who had been employed for 10 to 15 years, were sabotaging the practice's medical billing system. Checks disappeared, claims went unbilled, payments were not posted and false data was entered. By the time the practice figured out what was going on, almost six months later, cash flow had been severely impacted and the practice was facing a financial crisis.

For your practice to succeed you need to let employees and business partners access your computer system. This inherently creates risks.
Information security is about balancing these risks with the rewards of doing business electronically. The HIPAA Security Rule, which comes into effect in April 2005, establishes standards to "safeguard the confidentiality, integrity and availability of electronic protected health information (ePHI)." This means you need to put into place mechanisms that secure the data that resides in your office computer system. These mechanisms may take the form of administrative procedures, technology, and physical safeguards.

Identify your risks. Determine what your practice's most critical information assets are (electronic patient records, billing data, documents, etc.), and how to protect them. If necessary, hire a third party to evaluate security risks within your practice, and make sure you are provided with concrete recommendations on how you can improve security within your practice.

Get personally involved. There is a tendency to hand off security issues to an employee who may not be well informed or in a position to make decisions. Don't make this mistake. If you want to foster a culture that values security, show that you deem it important by getting involved; good security starts from the top.

Put someone in charge. Of course, you may be too busy to do the legwork of coordinating the security efforts. Put someone in charge of doing this, but be sure that person understands your concerns and objectives, and follow up consistently.

Raise awareness, implement appropriate administrative procedures, and educate employees. Effective administrative procedures establish defined, repeatable, culturally supported processes that ensure everyone in the organization is working toward securing ePHI.
These procedures can establish things such as how often passwords are changed, limiting access to sensitive information to only those who need it, deleting user accounts when an employee leaves, educating employees on the importance of information security, and affirming why every employee's role is vital to protecting ePHI.

Stay updated. Stay informed. Make sure someone stays updated on the latest developments and new threats. This may be you personally, someone you assign within your practice, or someone trustworthy you can partner with who will keep you informed. For example, find out if your medical billing software vendor provides such services.

Technical Safeguards

Install AV software. Viruses spread not only via email and the Internet, but also through corrupted floppy disks and CDs. Make sure to install AV software on every machine in your office.

Keep your virus definitions updated. As new viruses are released, AV software vendors publish updated virus definitions that help the AV software detect these viruses. Many organizations install AV software but forget to update their virus definitions on a regular basis. Be sure to always download the latest virus definitions.

Make sure you upgrade your AV scanning engine. The scanning engine is the part of the AV software that does the actual detection and removal of infections. Keeping the scanning engine updated is crucial, because only an updated scanning engine can read updated virus definitions. For example, Norton AntiVirus 2002 may not be able to read the virus definitions available in 2005.

Install a firewall. This is especially important for medical offices with broadband Internet connectivity, such as a cable, DSL or T-1 line. A firewall can prevent malicious attacks from outside from entering your computer network. Without a firewall, your office network is left exposed and completely vulnerable to intruders.
A firewall is always the first line of defense. If you have a network router in your office, it may already have a rudimentary firewall. This may be enough, although depending on the features you need you may have to get a separate hardware device. Talk to a knowledgeable technology vendor about what you may need.

Optimize browser settings on every machine. The more popular web browsers, such as Internet Explorer, Netscape and Safari, have advanced security settings that allow you to specify things like the security zone, whether to allow "cookies," how to deal with ActiveX and Java scripts, digital certificates and encryption levels, and other permissions. Be sure to set these appropriately. In addition, be sure to regularly clean out your cookies and cache.

Keep service packs updated. Download security updates and hot fixes. Microsoft regularly announces new service packs, security updates and hot fixes for its various operating systems and applications to plug newly discovered vulnerabilities and eliminate new threats to its software. Be sure to regularly download the correct updates from Microsoft's website.

Stop adware and spyware. Spyware and adware are discrete software programs that get downloaded to your computer without your knowledge. Once on your hard drive, they can send you spam, track and transmit your movements across the Web to a malicious third party, slow down or crash your computer, or even steal your personal information. (Read: identity theft!) These programs are designed to compromise your privacy, so be sure to have the right tools to help you block them.

Perform routine maintenance. Just like cars, computers require routine maintenance to ensure continued optimal performance. It improves reliability and reduces the chances of vulnerabilities and errors creeping into your computer system, as well as protecting you from catastrophic failures, like a system crash or data corruption.
Disk defragmentation, disk cleanup, and scan disk are just some of the routine maintenance tasks that you should be performing.

Don't write down or give out passwords. A recent survey by Infosecurity Europe 2004 revealed that 71 percent of employees are willing to give out their password for a chocolate bar. It sounds unbelievable, but this chilling statistic highlights the necessity of safeguarding passwords. Many workers write them down on pieces of paper or "sticky notes," and leave them on their desks or attached to their computer monitors. Revealing passwords is a fundamental security breach that must be addressed. Many security attacks are possible simply because someone revealed their password.

Perform regular and redundant data backups. Not having a proper data backup system is probably one of the most cardinal mistakes in health care information security. Data loss due to a system malfunction or security attack can be catastrophic. Any security policy is useless without reliable data backup. Data backups can be performed in-house manually using traditional media, such as tapes, Zip disks or CDs. However, a growing number of organizations are now performing remote data backups. Often the office staff does not have the expertise or the time to manage data backups, and traditional media-based backups are not inherently redundant. A strong data backup procedure will involve storing multiple copies of your data, including off-site. A remote backup service inherently involves off-site data storage, and ensures the security and availability of your data while reducing the total cost of ownership of your data backup process. Contact your medical billing software vendor to find out if they offer this service, or a compatible third-party service.

When it comes to information security, there is no silver bullet. Planning and preparation are required.
Find a trusted partner who understands implementing information security in a health care practice, be it a consultant, a technology vendor, or a caretaker for your office computer system. The goal should be to find the best solution for your information security needs.

Shardul Mehta leads marketing & business development efforts at InfoQuest Systems, Inc., a provider of medical billing software, medical practice management software, HIPAA compliant solutions, and information management solutions for medical offices.
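As an added example (not the article's own), one way to mechanise the "delete user accounts when an employee leaves" procedure recommended above: a small audit that cross-checks the accounts on an office system against the current staff roster and flags enabled accounts belonging to departed staff, along with accounts of current staff that have sat unused. All logins, dates and the 90-day idle threshold are constructed.

```python
# Added example, not from the article: an orphaned-account audit for the
# "delete user accounts when an employee leaves" procedure. All names,
# dates and the 90-day threshold below are constructed sample values.
from datetime import date, timedelta

# Constructed sample data: logins of current staff (from HR) and the accounts
# configured on the billing system as (login, enabled, last_login).
STAFF_ROSTER = {"amartin", "jlee", "rpatel"}
ACCOUNTS = [
    ("amartin", True,  date(2005, 1, 28)),
    ("jlee",    True,  date(2005, 1, 31)),
    ("rpatel",  True,  date(2004, 9, 2)),   # still employed, but unused for months
    ("bwhite",  True,  date(2005, 1, 30)),  # left the practice, account still enabled
    ("tgreen",  False, date(2003, 5, 14)),  # former employee, correctly disabled
]


def audit_accounts(roster, accounts, today, max_idle_days=90):
    """Return (orphaned, dormant), both sorted lists of logins.

    orphaned: enabled accounts whose login is not on the staff roster,
              i.e. access that should have been removed at departure.
    dormant:  enabled accounts of current staff not used within
              max_idle_days, which should be disabled until needed.
    """
    cutoff = today - timedelta(days=max_idle_days)
    orphaned, dormant = [], []
    for login, enabled, last_login in accounts:
        if not enabled:
            continue  # disabled accounts are already dealt with
        if login not in roster:
            orphaned.append(login)
        elif last_login < cutoff:
            dormant.append(login)
    return sorted(orphaned), sorted(dormant)


def run_audit(today=date(2005, 2, 1), max_idle_days=90):
    """Run the audit over the constructed sample data."""
    return audit_accounts(STAFF_ROSTER, ACCOUNTS, today, max_idle_days)


if __name__ == "__main__":
    orphaned, dormant = run_audit()
    for login in orphaned:
        print(f"ORPHANED: {login} is enabled but not on the staff roster")
    for login in dormant:
        print(f"DORMANT:  {login} has not logged in for over 90 days")
```

In practice the roster and account list would be exported from the HR system and the billing server, and the audit run on a schedule so a departed employee's access is caught within days rather than months.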
© 1996 - 2007, Physician's News Digest, Inc. All rights reserved.