Closer to home, the CSIRO reported that in 2008 almost 5.4 million Australians were victims of cyber-crime. The story of the Gold Coast family practice that was hacked and held to ransom was also widely reported in the media. So what does this all mean? Is it all doom and gloom? Are we resigned to the fact that getting hacked is just a matter of time, so why bother? Not in the slightest. As mentioned earlier, over 92 per cent of security breaches could have been prevented. So if we can identify the specific areas at risk and put the right controls in place, things start to look a lot more secure and under control.
Identifying the risk

Whether you are a sole practitioner, a small practice or a large multi-disciplinary medical centre, the same privacy laws apply. What changes with size is the risk: the more staff who work at the practice, and the more locations they work from, the more areas of risk open up. Ineffective use of passwords, improper and unsecured connectivity between sites and an inadequate back-up system are the usual suspects. For older practices that still haven’t migrated to a paperless system, the paper files stacked on shelves (often unlocked or open access) pose an even greater risk. The recent case of the Pound Road Medical Centre in Melbourne, where sensitive medical records and Medicare claims information were found in a garden shed, demonstrates that even a practice taking proper care can, through a single inadvertent oversight, expose the sensitive personal information of 960 patients.

As a business that regularly implements paperless medical practices, we come across some typical scenarios. They form a pattern that maps onto the three main “profiles” of practices:

1. Sole practitioner. Usually a single laptop-based practice, sole practitioners are typically at maximum risk. Clinical and practice management software, emails and documents are all stored on a single device. Back-ups are typically non-existent or at best copied onto a USB stick or drive, and usually only when the practitioner remembers to do so.

2. Medical practice. For a medical practice, the risks start to increase because there are more employees. The practice typically has a server and a few computers, and each device added to the network adds to the risk. Different people use and access the computers in their own way. Some access public email sites such as Gmail, Hotmail or Yahoo Mail. Some store files on local machines that are not backed up properly. Over time, data spreads across multiple devices and is stored in an unstructured manner. There is also the increased risk of inadequate network security: firewall, anti-virus and anti-malware.

3. Medical centre or clinic. The bigger end of town means a larger network, multiple locations, more IT infrastructure and more staff, all of which adds to the complexity of the situation. These organisations have a lot more invested in their IT infrastructure and in most cases have a reasonable level of control over the information in the practice. However, while most large clinics would like to believe that they have effective measures in place, this is often not the case.

“Practices that are being accessed remotely from multiple locations are more vulnerable to external cyberattack unless appropriate security measures are in place.” Sid Verma
Addressing the risk

When it comes to protecting the information in your practice, there are five main areas to look at: external security, internal security, email, back-up and disaster recovery, and infrastructure.

External security

When we conduct IT security audits or accreditation audits for medical practices, almost 90 per cent of the sites we visit still have the default login (username and password) for their internet router. This is an open invitation to anyone with a half-decent knowledge of computers to get access to the network (servers, computers, back-ups and so on), because those defaults are printed in the manual and listed on the internet for every common model. Medical practices must change the default login details for their internet router, and while they are in the router’s settings they should confirm that administration from the internet side of the router is switched off. In addition, use a business-grade, fully managed and monitored firewall with content filtering, so that all data traffic entering or leaving the practice network is inspected rather than simply passed through.
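The default-router-login check above is easy to turn into a repeatable audit step. The script below is an added example for this article, not code from the magazine or its author: it tries a short list of vendor-default username/password pairs against a router’s HTTP Basic Auth admin page and reports the first pair that is accepted. The admin URL, the credential list and the built-in stub router (which pretends to be a router still on admin/admin, then one whose password has been changed) are all constructed so that the example runs offline; on a real audit you would point it at the practice’s own router address, substitute the defaults documented for that model, and only ever run it against equipment you are authorised to test. Note the caveat: many routers use an HTML form login rather than Basic Auth, so a “none found” result from this check alone does not prove the defaults are gone.

```python
"""Added example (not from the Pulse+IT article): audit a router admin page
for factory-default credentials. Router URL, credentials and the stub
server are constructed/hypothetical so the script runs offline."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed list of common factory defaults on SOHO routers. A real audit
# should use the defaults documented by the vendor for the specific model.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
]


def check_default_credentials(admin_url, credentials=DEFAULT_CREDENTIALS, timeout=5):
    """Try each default pair against an HTTP Basic Auth admin page.
    Returns the first (user, password) the router accepts with HTTP 200,
    or None if every pair is rejected with 401/403."""
    for user, password in credentials:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = Request(admin_url, headers={"Authorization": f"Basic {token}"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, password)
        except HTTPError as err:
            if err.code in (401, 403):
                continue  # rejected: try the next pair
            raise  # any other HTTP error is worth surfacing, not hiding
    return None


def make_stub_router_handler(user, password):
    """Constructed stand-in for a router admin page protected by Basic Auth
    with the given login. Used only so the example runs offline."""
    expected = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                body, status = b"<html>Router status page</html>", 200
                self.send_response(status)
            else:
                body, status = b"Unauthorized", 401
                self.send_response(status)
                self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the demo quiet

    return Handler


def audit_stub_router(user="admin", password="admin"):
    """Start a stub router with the given login on a free localhost port,
    run the default-credential check against it, and return the finding."""
    server = HTTPServer(("127.0.0.1", 0), make_stub_router_handler(user, password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    try:
        return check_default_credentials(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Router still on factory defaults: the audit should flag it.
    print("factory defaults:", audit_stub_router("admin", "admin"))
    # Same router after the practice changed the password: nothing found.
    print("after change:   ", audit_stub_router("admin", "Pr4ct1ce-Only!"))
```

The two runs at the bottom show the before and after: the stub that still accepts admin/admin is reported as a finding, while the stub with a changed password returns nothing. Because the check only sends Basic Auth headers, keep it to a handful of documented defaults and do not turn it into a brute-force tool against a live router; locking yourself out of the practice’s only internet connection is a real risk.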
Pulse+IT Magazine - Australasia's first and only eHealth and Health IT magazine.