I received an email the other day that made my Tracker Senses tingle. An office was discussing the proper way to set up a generic “Dental” user in their security settings. The proper way to set up such a user is to never do that. When I am at an office and the boss asks me how to set up a generic user, I always suggest naming it ‘Notme’, because when you ask who did something, that is the answer you will get.
Each and every person who touches your practice management software should have their own profile, with rights assigned by management. Their password should be of their choosing and nobody else should know it. That includes management. This avoids any shifting of blame: each employee is responsible for what happens under their account, for good or for bad. A computer left unattended and logged in is an invitation for anyone to do something they will not be held responsible for.
Temps should not be given a generic profile either. If something is discovered, even years later, the exact user should be identifiable. When a staff member leaves, their account should be inactivated immediately. Under no circumstances should a profile be deleted.
Deciding what rights to assign to users can be a daunting task. My advice: if you are not sure whether a right should be given, don’t give it. There is a chance the staff member will never need to use the feature in question, and if they do need it, always ask why. I have had doctors complain that they are trying to drill teeth and their receptionist is asking for a password several times a day. That is a great sign that there may be a process issue which can be addressed through training.
One of my least favourite stories involves the ‘Mary’ account. (Names changed to protect the guilty.) A longtime client bought a new office and asked me to investigate some irregular billings and payments done by their receptionist Lisa. After investigating, I found $30,000 in questionable write-offs done by Lisa and another $5,000 done by Mary. I was then informed that all of that was done by Lisa. Mary had left years before, but because they had 2 computers at the front, they left the other one logged in under her profile if anyone needed to use it, so they were sure Lisa was responsible for that as well. I informed them that there was no way they could even accuse her of that, because she was not the only one with access, and they should stop doing that right away. It was a very unpleasant experience for everyone involved. Including me. I never want to have to investigate this type of behavior on behalf of my clients, and the easy fix is to take security seriously.
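The attribution problem in the ‘Mary’ story, and the reason the earlier advice is to inactivate rather than delete a profile, can be shown with a small audit-log check. The code below is an added example and is not part of the original post, nor Tracker's own code; the account model, the helper names (`attribute`, `stale_accounts`, `inactivate`) and every date, username and dollar amount are constructed for illustration. It walks a list of write-off entries and sorts each into "attributable to a named person" or "nobody can be held to this", for exactly the three reasons the post gives: a shared/generic profile, a departed employee's login still in use, and a profile that was deleted so its old audit rows no longer resolve.

```python
"""Audit-log attribution check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    owner: Optional[str]                  # None marks a generic/shared profile such as 'Dental'
    active: bool = True
    departed_on: Optional[date] = None    # day the owner left the practice (HR record)


@dataclass
class AuditEntry:
    when: date
    username: str
    action: str
    amount: float


def inactivate(accounts: Dict[str, Account], username: str) -> None:
    """Disable a departed user's login but keep the profile row, so old audit entries still resolve."""
    accounts[username].active = False


def stale_accounts(accounts: Dict[str, Account]) -> List[str]:
    """Profiles whose owner has left but which were never inactivated (still usable by anyone)."""
    return sorted(u for u, a in accounts.items() if a.departed_on is not None and a.active)


def attribute(entries: List[AuditEntry],
              accounts: Dict[str, Account]) -> Tuple[Dict[str, float], List[Tuple[AuditEntry, str]]]:
    """Split entries into per-person totals and a list of (entry, reason) that nobody can be held to."""
    attributed: Dict[str, float] = {}
    unattributable: List[Tuple[AuditEntry, str]] = []
    for e in entries:
        acct = accounts.get(e.username)
        if acct is None:
            # The profile was deleted: the audit row is orphaned and cannot be tied to a person.
            unattributable.append((e, "profile deleted"))
        elif acct.owner is None:
            # Generic login ('Dental', 'Notme'): anyone at the front could have used it.
            unattributable.append((e, "shared/generic profile"))
        elif acct.departed_on is not None and e.when > acct.departed_on:
            # The owner had already left; whoever sat at the still-logged-in workstation did this.
            unattributable.append((e, "after owner left"))
        else:
            attributed[acct.owner] = attributed.get(acct.owner, 0.0) + e.amount
    return attributed, unattributable


# Constructed sample data: usernames, dates and amounts are made up for the example.
# 'tom' is deliberately absent from the accounts table to model a deleted profile.
SAMPLE_ACCOUNTS: Dict[str, Account] = {
    "lisa":   Account("lisa", owner="Lisa"),
    "mary":   Account("mary", owner="Mary", departed_on=date(2018, 3, 31)),  # left, never inactivated
    "dental": Account("dental", owner=None),                                 # generic profile
}

SAMPLE_ENTRIES: List[AuditEntry] = [
    AuditEntry(date(2021, 2, 3),   "lisa",   "write-off", 1200.0),
    AuditEntry(date(2021, 2, 10),  "lisa",   "write-off", 800.0),
    AuditEntry(date(2017, 11, 15), "mary",   "write-off", 300.0),   # before Mary left: hers
    AuditEntry(date(2021, 3, 1),   "mary",   "write-off", 500.0),   # years after she left
    AuditEntry(date(2021, 4, 2),   "dental", "write-off", 250.0),
    AuditEntry(date(2016, 5, 20),  "tom",    "write-off", 100.0),   # profile since deleted
]


if __name__ == "__main__":
    totals, orphans = attribute(SAMPLE_ENTRIES, SAMPLE_ACCOUNTS)
    for person, amount in totals.items():
        print(f"{person}: ${amount:,.2f} attributable")
    for entry, reason in orphans:
        print(f"UNATTRIBUTABLE ${entry.amount:,.2f} on {entry.when} under '{entry.username}': {reason}")
    print("accounts that should have been inactivated:", stale_accounts(SAMPLE_ACCOUNTS))
```

Running it shows only Lisa's $2,000 and Mary's pre-departure $300 can be pinned on a person; the post-departure ‘mary’ entry, the ‘dental’ entry and the deleted ‘tom’ entry are all flagged, and `stale_accounts` reports ‘mary’ as a login that should have been switched off the day she left. Note that `inactivate` only flips a flag: the profile row stays, so the 2017 entry remains attributable to Mary years later, which is what deleting the profile would have destroyed.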