Keeping your information safe from online threats can be complex, with new threats and new solutions emerging all the time. For many practices, working with a good IT support provider is one of the best ways to make sure your computers and website are safe.
These five key areas cover points where your practice’s IT may be at risk from online threats.
1) Staff awareness of online security
An ‘acceptable use of information technology’ policy, developed in consultation with staff, can do more to keep your workplace computers safe than any piece of software. Your acceptable use policy should guide staff and volunteers to use the internet and other communications technologies appropriately and cover topics such as which uses of email and the internet are acceptable, how to handle sensitive data, keeping equipment secure, how to use the internet safely and what to do if working off-site. You should run through it with new staff and train them in safe use of technology. There’s more on training staff on the Australian Government site, Stay Smart Online.
UK practice Get Safe Online has a sample acceptable use policy which you can adapt for your practice. You can also download and adapt Infoxchange's acceptable use policy to suit your practice's needs.
2) Desktop and device security
Keep your software up to date, particularly the operating system (e.g. Windows). The highest priority updates come in the form of security patches. If you are responsible for the system, ensure you are being notified about these patches. If you have a contractor looking after the system, assure yourself that these patches will be applied as soon as possible (preferably immediately).
Ensure you have anti-virus and anti-spyware software and that it is up to date. This software checks incoming data for viruses, scans your computer for existing viruses, and makes sure no one is installing data-collecting software on your computer without your knowledge. Choose a reputable program and set it to auto-update, and most of your security work is done for you.
When you’re using mobile devices, such as phones, tablets or laptops, to do your work you need to make sure they’re kept safe. If you’re keeping work data on your device or have a device which connects to office files, losing that device means unauthorised people can access your practice’s information. Password protect all mobile devices to make it harder for others to use them if they’re lost or stolen. Don’t leave devices unattended in your car or out in public. If you’re storing data on the device (or if you’re using portable data storage such as USB drives or removable hard drives), get advice from an expert on how to encrypt that data.
If you use your home computer for work, talk to your IT person about how to make it secure. You may need to install additional software to make sure that it complies with your workplace’s IT policies.
3) Email security
Because of its heavy use, email can unfortunately be a security risk. Staff may unintentionally install harmful programs by clicking links to dodgy websites or opening infected attachments. This may lead to the loss of data, or to external parties gaining access to private information. Email scammers put a great deal of effort into creating believable, hard-to-ignore messages, so you really do have to be on your guard every time you get a message from someone you don’t know (and sometimes when you get a message from someone you do know – if someone has hacked a friend’s email account, that account may be sending you suspicious messages without your friend knowing).
Remind staff and colleagues about the risk of clicking links in emails or opening attachments (especially when they’re from an unknown email address).
To reduce the risk:
- First, hover over the link with your mouse pointer and look at where the link is actually taking you.
- Take a second to think. Any link or attachment that is not from within your practice or immediate network, or from a recognised friend, should not be clicked. When in doubt, either call or email (in a separate email) your friend or the organisation, asking them to confirm that the email is legitimate.
- Only click if you’re sure it’s safe.
- Know who your IT support person is in case of an emergency.
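The hover check above can also be done mechanically on an HTML message. The following Python script is added here as an example and is not taken from the article: it extracts every link, compares the address shown to the reader with the real destination, and optionally flags any destination outside the practice's own domains. The domains in the constructed sample message are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lowercase hostname of a URL or bare domain ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def suspicious_links(html_body, trusted_domains=()):
    """Return (visible_text, real_host) for links that deserve a second look:
    the text names a different host than the href actually goes to, or the
    href host is outside the practice's trusted domains (if any are given)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        dest = _host(href)
        # Only treat the text as a "displayed address" if it looks like one.
        shown = _host(text) if "." in text and " " not in text else ""
        mismatch = bool(shown) and shown != dest
        untrusted = bool(trusted_domains) and not any(
            dest == d or dest.endswith("." + d) for d in trusted_domains)
        if mismatch or untrusted:
            flagged.append((text, dest))
    return flagged

# Constructed sample message; all domains are hypothetical.
SAMPLE = ('<p>Please review the invoice at '
          '<a href="http://login.example-bad.test/x">www.mypractice.example</a> '
          'or via <a href="https://portal.mypractice.example/">our portal</a>.</p>')
```

Running `suspicious_links(SAMPLE, trusted_domains=("mypractice.example",))` flags only the first link, whose visible text claims the practice's own site while the real destination is elsewhere.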
Email isn’t a good way to send sensitive information, and in the case of some information, such as when you’re dealing with patients’ health data, you’re required to use a secure messaging system instead.
4) Network security
Protecting your practice’s network generally needs to be done by an experienced IT professional. One of the key ways you can add an extra layer of security to your network is to use a firewall. A firewall acts as a gatekeeper between the internet and your network or computer.
There are software and hardware firewalls. Hardware firewalls are generally better because they stop unwanted traffic before it reaches any computer: a good broadband router, for example, will have a built-in firewall that blocks unwanted traffic at the edge of your network. Software firewalls (installed as programs or configured in the operating system settings) only kick in once the traffic has already reached the computer.
Depending on your security needs, you may want to purchase more robust firewalls or be more stringent in the settings available to you in any existing firewalls you may already have.
5) Working safely with online applications, websites and the cloud
If you are using internet and cloud-based applications, including a website, hosted email, databases or collaborative documents, you should also check if those are being kept properly secure. Contact your application provider and find out:
- whether they have a backup plan, whether you’ll still be able to get your data if their site goes down, and whether they can recover your data if it’s lost
- what your responsibilities are for keeping data secure
- whether they regularly update their software and servers to protect from threats as they emerge
- whether there are additional tools or add-ons you should be using to enhance your data security
- how they dispose of data if you stop using their service.
If your practice has a website, talk to your internet service provider or the practice hosting the site about what they do to make sure it is secure and isn’t being used to pass on viruses or other malware to people who visit it.
Taking the next step with security: professional help
Security is one area where professional help can really add value. You should either have external IT support, or an internal IT support team or person with IT skills, up-to-date knowledge and a passion for maintaining your IT. If your support is external, someone within the practice should have responsibility for making sure the business takes security seriously (uses passwords, does backups and so on).
Talk to your IT support service about security and ask them:
- do we have security software, including a firewall, anti-virus and anti-spyware? How often should it be updated and whose responsibility is it to do that?
- is all our software from reputable sources and is it being regularly updated? Is it our responsibility to update software or does it happen automatically?
- are we using spam filters for our email? What can staff do to make sure we stay spam-free? (there is more on email security in section 3 above)
- are you being updated about new threats to online safety and security? What responsibility should staff take for keeping updated?
What’s Next?
Because you store personally identifiable health information, security is very important. Here are other resources on various topics that could be of use in tightening up your security and supporting policies:
- Review the Australian Privacy Principles to see what is required of you.
- If you have a breach of data with personal information, you must notify the Privacy Commissioner.
- Get help on cyber security:
  - RACGP: guide to Information Security in General Practice.
  - Australian Digital Health Agency: Cyber Security Centre, particularly the Information Security Guide for small healthcare businesses.
  - Australian Government: cyber security guide.
- Ensure your backups are working. If you are hit by a ransomware attack, your backup may be the only thing that saves you. You can't be held to ransom if your data is available from another place.
- You can also discuss challenges and ideas with other practices and the digital health team at your local PHN.