Let me start by asking ‘Why is good computer security important to clinics?’
We all know that the security of patient health records is very important under the Federal Privacy Act. We get this drummed home at every conference and in the email broadcasts of law firms and insurance companies. Other than safeguarding against your patients’ records suddenly ending up in the public domain, what are the other reasons why clinics should take steps to secure their computer systems?
Deliberate vandalism of your server or web pages could occur. This would show your clinic in a very negative light and may be the trigger for patients to seek alternate medical care. The vandalism could be racially focused, or aimed at making the clinic look like it sympathises with extreme minority viewpoints. The types of people who commit vandalism on servers and web sites include disgruntled ex-employees, ex-patients, ‘script kiddies’ having some holiday fun, and even some who have an ‘ethical objection’ to the medical services performed by the clinic. It could even be that some animal lovers don’t like that the practitioner is a big game hunter in his vacation time. Or perhaps the vandal is someone who doesn’t like your core business, and wants to shame your client list by publicly naming them – AshleyMaddison.com anyone?
Low security of computer systems could lead would-be attackers to the private residential addresses of staff, including the doctors. This may create safety issues for the personnel involved and their families, at locations other than the workplace.
Loss of patient records may present not only legal dilemmas; it may also take the form of outright theft of records by another clinic or practitioner. Patients are likely to become upset if a new clinic that opens in your area suddenly sends them a letter asking them to come in to review their <Enter Chronic Disease of Choice>. Unscrupulous ex-employees may also steal business information and use it in ways that damage your business and your clinic.
And then there is the good old ‘International Criminal Hacker’ who is intent on installing ransomware on your server so that they can later encrypt your system, and sell back to you the encryption keys to get your data back. In late 2012 we had a few of these targeted at Medical Centres in Queensland. These people don’t want your data, they just want your money.
One attack that we haven’t seen in healthcare in Australia (to my knowledge) but that has certainly had an impact on other business sectors is the DDoS attack (Distributed Denial of Service). This is where malicious attackers deliberately flood your server with requests from thousands of points of origin (normally via malware installed on random computers around the world) with the intention of making your server crash or stop responding. There is an Anti-SPAM server in Germany called Spamhaus that was attacked a few years ago in a significant DDoS attack that almost ruined the organisation.
The RACGP has a booklet entitled ‘Computer and information security standards for General Practice’. This booklet is in its second edition, and is referenced in the RACGP 4th Edition standards for General Practice in criterion 4.2.2. It contains many requirements and detailed explanations about what is ‘reflected as the minimum level of computer and information security acceptable for this standard’. These are quite detailed, and I would recommend that anyone who hasn’t read this booklet should do so. The booklet should be checked during Accreditation surveys, but my experience shows that this is checked infrequently.
How do we protect our systems?
Passwords. There is nothing so important in good computer security as good password policy. I have been to practices where there is a list of everyone’s logon and password written on a piece of paper, stuck to the side of the server. That is almost as bad as the plan of using the same password for everyone, or using the surname as the login password. This may be a surprise to some, but one of the most common dictionary attacks is on accounts like ‘Admin’ with a password of ‘admin’. The Ransomware security breaches in late 2012 reportedly used a dictionary attack of less than 100 common English words and names as the account name, and the SAME PASSWORD as the account name.
Physical Security. Don’t leave the server permanently in a space that is not monitored and is accessible to the public. If the perpetrators of a crime can simply carry the server out the door, the clinic is left without its data whether or not they can get at it. With physical access to a server, even encrypted files are likely to be compromised easily.
Limiting staff access to relevant parts of the software. I am a fan of Best Practice. Best Practice has an excellent ability to limit what parts of the program each staff member individually has access to. Some other clinical software packages also have a nearly as granular level of permission settings, and even those with limited ability to set granular permissions have various levels of access for different roles within the clinic. Unfortunately most clinics just completely ignore this, and allow all staff to access all parts of the software.
In my clinics, I have low-level reception staff who do NOT have access to the clinical record. I don’t automatically allow doctors to take a copy (backup) of the clinical database. This is inappropriate for a junior registrar, or even for a doctor intent on leaving your clinic and starting their own. Look at the options available to you within your software, and utilise those options.
Keep logs of access, and review these logs. Keeping logs is great because it gives you something that you can go back to when checking after an incident. Checking logs lets you pre-empt incidents, or catch incidents as they occur.
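As an added example of what ‘reviewing the logs’ can mean in practice (this is not from the original article, and the logon records and their layout are constructed for the example; your own server’s logon log will look different), the following Python script reads logon records and flags any source address that fails logons against many different account names within a few minutes. That is what the account-name dictionary attack described under Passwords looks like from the server side, and a successful logon from the same address afterwards is the line that should trigger an incident review.

```python
"""Added example: spot an account-name dictionary attack in a logon log.

The log lines below are CONSTRUCTED for this example, not real clinic
logs. The field layout (timestamp, result, account, source address) is an
assumption; adapt LINE_RE to whatever your server actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: normal staff logons, then a burst of failures from
# one outside address cycling through common names, ending in a success.
SAMPLE_LOG = """\
2012-11-03 08:01:12 SUCCESS user=jsmith src=192.168.1.21
2012-11-03 08:02:40 FAILURE user=jsmith src=192.168.1.21
2012-11-03 08:02:55 SUCCESS user=jsmith src=192.168.1.21
2012-11-03 23:14:01 FAILURE user=admin src=203.0.113.45
2012-11-03 23:14:02 FAILURE user=administrator src=203.0.113.45
2012-11-03 23:14:03 FAILURE user=john src=203.0.113.45
2012-11-03 23:14:04 FAILURE user=matt src=203.0.113.45
2012-11-03 23:14:05 FAILURE user=sarah src=203.0.113.45
2012-11-03 23:14:06 FAILURE user=david src=203.0.113.45
2012-11-03 23:14:07 FAILURE user=backup src=203.0.113.45
2012-11-03 23:14:08 SUCCESS user=admin src=203.0.113.45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def find_dictionary_attacks(text, window=timedelta(minutes=5), min_accounts=5):
    """Return {src: sorted account names tried} for every source address that
    failed logons against at least `min_accounts` distinct accounts inside
    any `window`-long span. A normal user mistyping their own password
    never trips this, because it is the number of *different* names that
    counts, not the number of failures."""
    failures = defaultdict(list)
    for ts, result, user, src in parse_log(text):
        if result == "FAILURE":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {u for _, u in events[start:end + 1]}
            if len(names) >= min_accounts:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged


def successes_after_attack(text, flagged):
    """Accounts that logged on successfully from a flagged source. These need
    a forced password reset and an incident review, not just a note."""
    return sorted({user for _, result, user, src in parse_log(text)
                   if result == "SUCCESS" and src in flagged})


if __name__ == "__main__":
    hits = find_dictionary_attacks(SAMPLE_LOG)
    for src, names in hits.items():
        print(f"{src}: {len(names)} distinct accounts tried: {', '.join(names)}")
    print("successful logons from flagged sources:",
          successes_after_attack(SAMPLE_LOG, hits))
```

The thresholds (five distinct accounts in five minutes) are starting points, not magic numbers; tune them against a week of your own logs so that the script stays quiet on ordinary days and only speaks up when something is genuinely walking through a list of names.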
What is ‘good password policy’?
Good password policy in my view consists of the following elements:
- Strong passwords. At least one character from each of three of the following four classes: upper case, lower case, numbers and special characters. Special characters are the top line of the number keys ~!@#$%^&*(). You can use short sentences of small words, or the first letter of each word in song lyrics. Don’t use names, names of kids, dates of birth…
- Changes at regular but not too frequent intervals. I’ve seen people with passwords like ‘Matt1’, ‘Matt2’, ‘Matt3’ where the number changes depending on the current month, so that ‘Matt1’ is the January password and ‘Matt2’ is the February password etc. For co-workers who know the code this is easy to work out for the month of December. I like to set passwords to change at, say, 9-, 10- or 11-week intervals. This is five times a year: not so infrequent that staff forget how to change passwords, but not so regular that an easy system can be developed.
- Secret passwords. Passwords should not be known by anyone else (including the IT person, the nurse and the practice manager). If a password is unknown and unobtainable, then it should be changed to a known password and then reset as per policy. Administrator passwords should be in an envelope in the safe, and not be known by any unnecessary staff. In a modern clinic there is no need for the nurse to log in for a doctor at the start of the day. Doctors are incredibly smart people – they can master password usage. Password secrecy is the only way to guarantee that logged actions are performed by the correct user.
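To make the first two elements concrete, here is an added Python checker (not part of the original post) that applies the three-of-four character-class rule, rejects a supplied list of personal words and dates of birth, and catches the ‘Matt1’/‘Matt2’ rotation trick by comparing the new password with the previous one after stripping trailing digits. The minimum length, the per-user word list and the date formats are assumptions made here; the article itself only specifies the character-class rule and the things not to use.

```python
"""Added example: check a proposed password against the policy above.

Not from the original article. The minimum length, the forbidden-word
list and the date-of-birth formats are assumptions about how a clinic
might apply the policy; the character-class rule is the article's own.
"""
import re
from datetime import date

# The article's definition of special characters: the top row of the number keys.
SPECIALS = set("~!@#$%^&*()")


def char_classes(password):
    """Return the set of character classes present: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def strip_to_core(password):
    """Drop trailing digits and lower-case, so 'Matt2' and 'Matt3' both become 'matt'."""
    return re.sub(r"\d+$", "", password).lower()


def check_password(password, *, forbidden_words=(), birth_dates=(),
                   previous=None, min_length=8):
    """Return a list of policy violations; an empty list means the password passes.

    forbidden_words: the user's own name, kids' names, pet names (assumed per-user list)
    birth_dates:     date objects whose common written forms are rejected (assumed)
    previous:        the user's previous password, to catch 'Matt1' -> 'Matt2'
    min_length:      an assumption; the article states only the class rule
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(char_classes(password)) < 3:
        problems.append("needs characters from at least three of: upper, lower, digits, specials")
    lowered = password.lower()
    for word in forbidden_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains forbidden word '{word}'")
    for d in birth_dates:
        # Australian day-month order first, then ISO-style, then slashed
        forms = (d.strftime("%d%m%Y"), d.strftime("%d%m%y"),
                 d.strftime("%Y%m%d"), d.strftime("%d/%m/%Y"))
        if any(form in password for form in forms):
            problems.append(f"contains date of birth {d.isoformat()}")
    if previous is not None:
        if lowered == previous.lower():
            problems.append("reuses the previous password")
        elif strip_to_core(password) == strip_to_core(previous):
            problems.append("differs from the previous password only by a trailing number")
    return problems


if __name__ == "__main__":
    # Constructed per-user data for a staff member called Matt with a child named Hayley.
    personal = dict(forbidden_words=["Matt", "Hayley"], birth_dates=[date(1980, 3, 15)])
    for candidate in ["Matt2", "admin", "Hayley2009!!", "Xq#15031980", "Tr3e$ky!Bus"]:
        result = check_password(candidate, previous="Matt1", **personal)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run the block and the ‘Matt2’ candidate is rejected on two counts (too short, and a trailing-number change from ‘Matt1’), while ‘Tr3e$ky!Bus’, built the way the article suggests from small words, passes. The forbidden-word and birth-date checks only work if the clinic actually records those values per user when the account is created, which is the part most practices skip.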