Super IT Guy

We all want to think the best of everyone, particularly in a smaller office. Officemates become friends, we celebrate birthdays and holidays together, and we tend to trust each other. But in such environments, it is still important to keep a few safeguards in place - specifically around your IT support. You must avoid dangerous situations when your lone IT staffer goes from friend and workmate to ex-employee - and takes the keys to the IT kingdom with him.

Many of you are already saying to yourself, “Not my IT staffer. We have a wonderful relationship.” That response is common and expected. Unfortunately, in cases where small offices are held hostage by disgruntled ex-employees, many of those office managers remember feeling the same way, before the big breakup. So, let’s assume we are talking about a small percentage of bad apples here. Think of it like locking your car doors at the mall. This simply protects you from the one thief cruising the parking lot looking for free loot, not the thousand honest people at the mall that day.

Getting a second opinion

As an IT staffer myself, I have to admit that I am not always keen on having an outsider come poking around the systems I work on, second-guessing my handiwork. However, having an external consulting group can insulate both me and my employer. Hiring a legitimate consultant to be backup support can yield benefits. You can feel safer should unforeseeable circumstances leave you without your only IT staffer. Additionally, having such a group on call even slightly familiar with your systems will allow your lone IT guru to enjoy her vacation. It provides protection to ensure you don’t find yourself between a rock and a hard spot when you and your IT staffer decide to part ways. It may seem uncomfortable at first, but your IT staffer will probably grow to love this arrangement - especially when it comes time for them to head to the beach!

The weak spots

The gates to which IT staff usually hold the keys may vary a bit from office to office, but they can be safeguarded to discourage abuse by a disgruntled ex. Here are a few weak spots:

• Web site identity. Often, small offices host their Web site externally with a low-cost hosting company. No one wants to see the ex-staffer defacing the company Web site after she leaves by replacing Dr. Jones’ photo with pictures of…well…you get the idea. Be certain your Web hosting company has at least two authorized contacts within your company. This is usually done by sending a letter on company letterhead and photo ID to the hosting company. This way, someone else will be able to contact the hosting company, have the ex-employee’s access blocked, and ensure that you have access to your site.

• Routers, servers, and PCs. This is probably the toughest area to deal with, because it’s tough for a non-techie to know if you really are safe. Even honest techs will hesitate to provide other non-tech users administrator-level passwords to these types of systems for fear they will break things. Heed the warning, and use caution with such accounts, but be sure you or your external consulting company also have access to your systems.

• Practice-specific software. Make sure you have registered at least one non-IT office person (the office manager, for example) as an authorized contact with the vendors of your EHR, practice management, accounting, and other systems. Otherwise, you might hear the dreaded, “…and you are who again? You aren’t authorized to talk to us about that system.”

• Physical security. Although we want to hope it is unlikely, physical security is also a concern. Duplicate keys can be made anywhere, so save yourself the trouble, and have your locks changed. If something turns up missing later, and you’ve changed your locks, you won’t hold a grudge against an innocent ex-employee.

• Remote access. These days, most IT staffers (even in the smallest of offices) have set up a system for remote access. Be certain you or your consulting company is aware of, and has disabled, these systems.

• Asset management. IT employees often take laptops or systems home, and your office may have even given them a PC to use at home for work purposes. Always keep good records and update them annually. Have your staffer sign for equipment he uses off-site, and be prepared to ask for it back.

Prepare for dismissal

If it comes down to termination of your only IT staffer, be prepared. While the termination may be benign, reactions later can change to anger. Protect yourself by planning ahead. If you’ve engaged an external IT group as backup support, make them aware and have them ready to come on-site immediately after the dismissal.

Never let an IT person go back to her PC “just to clean something up” when you’ve dismissed her. She might just shut you down in just a few keystrokes. Walk her to the door, and tell her she has a defined time period to return all assets she might have at home. Immediately notify your vendors (including your Web host) and disable the ex-employee’s accounts. Have all users immediately change their passwords in all systems. Request a security audit by your external consulting group or by your replacement IT employee, and carry out recurring audits over the next few months.

As with any employee, hiring quality staff, checking references, and maintaining a good relationship can help you avoid these situations. But just like locking your car doors in the parking lot, secure yourself and your systems, and you can avoid that one-in-a-thousand scenario.

Jonathan McCallister is a client-site IT manager for a major healthcare consulting firm, and he is currently assigned to a 140-physician practice. He has worked in healthcare IT management for more than eight years and in general IT management for more than a decade. He can be reached via physicianspractice@cmpmedica.com.

This article originally appeared in the October 2009 issue of Physicians Practice.