“Thanks to the willingness of the medical centre to publicise the breach, a lot of other practices took notice and implemented security measures.” Sid Verma
To add that extra layer of security, which is now more or less a necessity, practices would benefit from investing in a more secure DMZ solution, which is now available in the cloud. Practices that are accessed remotely from multiple locations are more vulnerable to external cyberattack unless appropriate security measures are in place. Faster and more secure enterprise-grade solutions are available at a fraction of the cost. Remote desktop connection (RDC) is an easier and faster way to connect to your practice. However, proper security measures have to be in place to safeguard against potential threats or attacks. We prefer to implement a highly secure, “defence grade” security layer on top of the practice to deliver that added protection.

Internal security

When it comes to the biggest threats to the information in your practice, internal security failures beat them all. We regularly find an inadequate password policy, anti-virus protection missing from some devices, users downloading or installing unauthorised content, and an ineffective software update policy (Microsoft security updates). Practices must ensure that all devices have licensed and regularly updated antivirus, anti-malware and anti-spam protection. Proper security policies must be in place to ensure that users can download and install software only with the approval of the practice manager. Finally, each practice must have a well-documented security policy. This includes using a different password for each application and setting passwords to expire every 60 days. Remembering passwords shouldn’t be a memory challenge; it should be a “system” that not only ensures passwords are updated regularly, but also follows a pattern that makes them easy enough to remember.

Email

Paperless medical practices also mean more electronic communication, and email is still the most widely used communication tool. Free email services from Gmail, Hotmail and Yahoo Mail have been around for a while. However, they are not the ideal fit for healthcare. With the advent of cloud services, access to secure email services such as Office 365 from Microsoft is a cost-effective and efficient alternative. Email can be accessed from multiple devices, is constantly backed up and is easy to manage. Users are spoilt for choice when it comes to cloud-hosted email services. The one we particularly like to implement for medical practices has “legal hold” capabilities. This ensures that no emails are ever deleted from the account, even if they have been deleted from the email client (Microsoft Outlook or similar). This comes in handy if there is an audit.

Back-up and disaster recovery

You can never have enough back-up. And then, back up your back-up. Disc space is cheap, but this does not mean relying on the USB drives that most practices use for their back-up, swapping them daily or weekly. Proper practice involves online back-up to a secure, Australian-based data centre. Automate the back-up. Every practice must have a primary on-site back-up and a secondary off-site back-up. Needless to say, back-ups have to be encrypted and password protected.

The case of the Miami Family Medical Centre in Queensland has been reported extensively in the media. This practice was using an on-site server with back-ups and thought it had everything in order. However, the practice’s network security was compromised, the server was locked and the back-ups encrypted. Instead of paying the ransom, the practice chose to restore from the copies of its back-up that it held off-site. Even so, it took the business two weeks to get new hardware, re-install all the software and then restore from back-up. Thanks to the willingness of the medical centre to publicise the breach, a lot of other practices took notice and implemented security measures. However, a lot more can still be done.

There are several back-up and disaster recovery solutions available. We always implement a system in which a full image of the server is taken on a regular basis. In the event of a disaster, this image can be restored onto another machine and the practice is up and running within hours instead of days. We also implement a file level back-
Pulse+IT Magazine - Australasia's first and only eHealth and Health IT magazine.