Best practice for securing health data
Presenting to Victoria University's (AU) fourth year Osteopathy students, Cliniko founder Joel Friedlaender details how all health professionals can keep their patient health data safe.
When you’re working in healthcare, you can never be too careful with your patients’ health information. Here are the five things we recommend you do to keep your patient records as secure as possible.
Doug Pohl
Strong security is crucial for any business that stores its clients’ personal information. Your patients depend on you to keep their records safe, and you can’t let them down. Because after all, you not only have a professional and legal obligation to protect their privacy, but the success of your business depends on it.
With this in mind, here are five basic safety measures you can take that will dramatically increase the security of your data.
There are, of course, other precautions you can take. This is not intended to be a comprehensive list. Instead, use the information provided as a guide to help you maintain a minimum level of security so that you (and your clients) can sleep a little easier at night.
No matter which operating system you use, the number one thing you can do to protect your data is to install all updates as soon as they become available. Don’t put it off – no matter how inconvenient the timing may be.
It’s dreadfully easy to select “Not now” or “Install later,” but this is the exact opposite of what you should do. Most system updates include some security fixes, and the longer you delay installation, the more vulnerable you become.
Think of it this way: when a security fix is offered within an update, it’s like a giant megaphone announcing to the world that there is a weakness in the system. Attackers compare the patched and unpatched versions to work out exactly what was fixed, then go looking for machines that haven’t installed it yet. Delaying your update therefore delays your security fix and makes you an easy target for malicious hackers who intentionally seek out individuals just like you.
Healthcare practices are targeted in exactly this way. Because patient records are both confidential and essential to running a practice, the industry is especially prone to ransomware attacks. You may have heard the term ‘ransomware’ before, but you might not fully understand how detrimental an attack like this could be for your business.
The way it works is that attackers use automated tools to scan for vulnerable targets and break in. Then they encrypt all the data and demand a ransom for the key that unlocks it. Victims are left unable to access any of their business information or patient records, and unless they have an up-to-date backup that the attackers couldn’t reach, the only way to get it back is to pay a vast sum of money to these criminals.
Of course, if you pay the ransom, there’s no guarantee they’ll return your data. And even if they do, there’s nothing to stop them from making copies of the information. So, no matter how you look at it, the entire ordeal requires a lot of trust in people who have already proven themselves to be untrustworthy.
Take a moment to imagine what an attack like this might mean for your practice. All your patient records? Gone. Your appointments schedule? Gone. What about your internal communications? Yep, you guessed it – gone. It would be devastating. So, do yourself (and your patients) a favour. Install all updates immediately. To make it easy, just tick the box to opt-in for automatic updates.
Be smart about the passwords you choose. Don’t pick something simple and easy to guess, like your pet’s name or your date of birth. And be sure to avoid common passwords, as well. With such a large number of logins to remember, it’s no surprise that many people make their password decisions based on simplicity rather than security. And, as it turns out, lots of folks choose the same passwords. Don't allow yourself to be a part of the herd. Your information is too important to have flimsy protection.
So, now that we’ve covered what not to do, what does a strong password look like? Simply put, longer is better. Length is what matters most, because every extra character multiplies the number of guesses an attacker has to make. Uppercase, lowercase, numbers, symbols: mixing them helps a little, but far less than adding characters does. Use whichever characters you like. Just make sure there are plenty of them, and that the result isn’t a phrase somebody could guess.
Let’s take the password “OsT3O!” for example. Visually, it looks like it’d be pretty strong, right? It has uppercase and lowercase letters, a number, and a symbol. But despite how it appears, a password-cracking program would need only about 5 seconds to guess it. Yes, you read that correctly: 5 seconds.
On the other hand, the simpler but longer passphrase “when is lunch” would take the same program around 2,000 years to find. It sounds hard to believe, but it’s true, and the difference is a direct result of the total number of characters in each password. Estimates like these assume an attacker trying every possible combination of characters at a fixed rate; different tools give different absolute figures, but the gap between the two passwords comes from their length. One caveat: a phrase made of a few common words can also be attacked by guessing combinations of words rather than characters, so use more than three words and avoid a well-known saying.
For most of us, this idea seems counterintuitive. After all, we’ve been taught that the more visually complicated a password appears, the stronger it is. But that’s simply not the case. Make your passwords long.
Admittedly, longer passwords can be challenging to remember. So, to make things easier for yourself, try a short sentence that means something to you and is easy to recall. Avoid famous quotes and song lyrics, though: cracking tools carry lists of those, so a private, slightly odd sentence of four or more words is a better choice. If a website requires you to include symbols or a certain number of upper/lowercase letters, just tack them on to the end of whatever phrase you’ve chosen. For example, the passphrase “when is lunch” can easily become “when is luncH?1” to meet a site’s requirements.
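To put numbers on the length argument, here is a small Python script, added here as an illustration and not part of the original article or of Cliniko’s software. It estimates the worst-case guessing effort for the two passwords above under an assumed rate of ten billion guesses per second, and, for a passphrase of plain words, also estimates the cheaper attack of guessing word combinations from an assumed 10,000-word list. Both the rate and the vocabulary size are assumptions, so the absolute figures differ from the ones quoted above; the ratios are what matter.

```python
import string

# Assumed offline guessing rate for illustration: ten billion guesses per second.
# Real rates depend on the attacker's hardware and on how the site hashes passwords.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must cover to brute-force this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for trying every string of this length over this alphabet."""
    return alphabet_size(password) ** len(password) / rate


def wordlist_seconds(n_words: int, vocabulary: int = 10_000,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case for trying every phrase of n_words drawn from a list of common words.
    A passphrase built from common words is exposed to this attack as well."""
    return vocabulary ** n_words / rate


def describe(seconds: float) -> str:
    """Human-readable duration."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def report(password: str) -> dict:
    """Estimates for one password. The word-guessing figure only applies to
    phrases made purely of words separated by spaces."""
    words = password.split()
    result = {"brute_force": brute_force_seconds(password)}
    if len(words) > 1 and all(w.isalpha() for w in words):
        result["wordlist"] = wordlist_seconds(len(words))
    return result


if __name__ == "__main__":
    for pw in ["OsT3O!", "when is lunch", "when is luncH?1",
               "when is lunch the kettle sang twice"]:
        r = report(pw)
        line = f"{pw!r:40} character brute force: {describe(r['brute_force'])}"
        if "wordlist" in r:
            line += f"; word guessing: {describe(r['wordlist'])}"
        print(line)
```

Run it and compare the two figures: “when is lunch” beats “OsT3O!” by a factor of millions against character-by-character guessing, but as three common words it falls to word-combination guessing in under two minutes at this rate, while a seven-word sentence holds out for millions of years against the same attack. That is the reason to add words, not just characters. The script ignores cracking rules that try obvious substitutions (“luncH?1”), so treat appended symbols as satisfying a site’s rule rather than as real extra strength.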
Whatever you do, avoid the urge to reuse a password on multiple sites. You need unique logins for every online service you use. Of course, it’s completely understandable that you might want to repeat the same combination of username and password on several (or even all) of the sites you visit. But tread with caution. That is a dangerous practice.
Let’s say, for example, an online retailer forces you to create an account before making a purchase. If that site gets hacked, your login information is now in the hands of the hackers, who routinely feed stolen username and password lists into automated tools that try them against banking, email and other sites. Hopefully, the combination you chose was only used on this one website, in which case you wouldn’t have much to worry about. But if you reused a login from another site, say your banking website, then your potential for a disastrous outcome is far higher.
Presumably, you recognise the importance of making smart password choices. But when it comes to implementing these security measures in the real world, keeping track of so many login credentials can quickly snowball into an unmanageable task. So what can you do to keep it all organised?
Subscribing to a password management system is probably your best option. There are several choices on the market today, but for our purposes here, we’ll discuss 1Password. (Please note that we have no marketing affiliation with this company. However, it is the system that we use, and we find it to be excellent.)
Here’s how it works: You set up one very long, secure password that you can use on any device to access a digital vault. This is where you’ll store the login information for all your online services. Then, when you need to log in to a site, 1Password’s browser extension will automatically recall and populate the credentials for you. That’s right! Log into any account with no typing required.
You can even let the app generate passwords on your behalf. 1Password can provide you with a 30-character stream of random letters, numbers, and symbols that would be impossible to remember. But that’s fine since the only thing you need to memorise is the single password you created to unlock your vault.
Of course, this raises the obvious question: “What happens if the password management system gets hacked?” Reputable managers encrypt your vault on your own device with a key derived from your master password, so what a breach of their servers exposes is encrypted data, and its protection then rests on the strength of the single password you chose. That is why that one password must be very long. Weighed against pen-and-paper alternatives or reusing passwords, it’s a risk worth taking. A password management system is the most viable option to safely maintain and access unique, secure login credentials for every site you use.
There’s one more important point to make here. Don’t forget to also protect your devices by using the passcode options to unlock your phone and computer. Yes, it might take you an extra second or two to open it up. But it’s worth it. As an example, think about how devastating it could be if the wrong person got access to your email. Now think about how easy it is to access your email account from your phone or laptop. It probably only takes one or two steps, right? So, be smart. Keep your devices safe.
Another way to significantly enhance your online security is to utilise two-factor authentication (also known as 2FA). If you are unfamiliar with this two-step login process, it requires not only your username and password but also an additional one-time code that is either generated by an app on, or sent to, a separate physical device such as your phone or tablet. After entering your credentials, this code must also be submitted to the website before access is granted.
With 2FA, logging in requires “something you know” (your username and password) and “something you have” (your phone). That way, even if your login credentials are compromised, no one can access your account unless they also have one of your devices.
This might be an unnecessary precaution for logging into websites that are more casual and don’t store personal or financial information. But 2FA is a crucial step for protecting your sensitive data, and it’s advisable to implement this feature for your practice management system, as well as your banking website, your email account, Facebook and other online accounts. Where a service offers a choice, an authenticator app is stronger than codes sent by text message, which can be intercepted or redirected to an attacker’s phone.
Keep in mind that you won’t have to take this extra step every time you log in. Usually, you’ll only be asked to do it when you log in from a new device or browser, or periodically (about once a month is common). And if the option is available, you can limit the repetition by ticking the box to “remember this device” (but not on a shared computer, of course).
If someone devious steals your laptop, a secure password should be enough to keep them away from your information, right? Well, not entirely.
Without your passcode, it’s true that they won’t be able to gain access to your operating system. But there’s nothing to stop them from opening the back of your laptop and removing the hard drive. And at that point, they can read all your information by simply plugging it into their computer. So, even though your computer is locked with a secure password, the physical hard drive is still unprotected...
...unless you encrypt your data.
Encryption jumbles everything on your hard drive and then un-jumbles whatever item you want presented on your screen. Think of it like a Rubik’s Cube that is solvable with the touch of a button. Engaging this feature is a simple process, and once it’s turned on, everything happens quite seamlessly. You’ll never notice that it’s working, and you won’t have to fuss with it again. On a Mac, the encryption feature is called FileVault, and on Windows, it’s known as BitLocker. No matter which you use, the idea is the same.
However, there is one cautionary caveat to keep in mind. If your computer breaks or you need to remove the hard drive for any reason, the data will be unreadable on another device. So, if you someday find yourself in this position, how can you recover your information?
Don’t worry. It’s easier than you might think.
When you turn encryption on, the drive is unlocked by your normal login password (on Windows, BitLocker can also use the computer’s built-in TPM security chip), and you are shown a recovery key. Day to day you won’t notice any of this. The recovery key is what you need if you forget your password or want to read the drive from another computer, so make a record of it and keep it someplace safe that isn’t the encrypted computer itself (macOS offers to store it in your iCloud account; writing it down and locking it away also works).
Your web browsing can also be encrypted for your protection, and it’s easy to determine if you’re on a secure site. Just look at the address bar. You want to see HTTPS (e.g., https://www.cliniko.com/). The ‘S’ stands for secure, and tells you that the site has presented a certificate for its name and that everything exchanged between your browser and the website is encrypted in transit, so nobody on the network in between can read or alter it. If you only see HTTP, the connection is not secure, and it’s ill-advised to share private info with the website. Keep in mind that many browsers today hide the ‘https://’ part of the address. In that case, look for a closed padlock symbol instead; if you see a “Not secure” label or a warning where the padlock should be, the connection is not encrypted. The padlock only vouches for the connection, not for the honesty of whoever runs the site.
If you’re just casually browsing the internet while using your private home Wi-Fi network, encrypting your transmissions may not be important to you. But any time you’re storing clients’ health information or working in a practice management system, it’s essential to check for the HTTPS. It will stop anyone on the network between you and the site from snooping on what you’re doing and possibly stealing your information.
Always remember that you are the custodian of your client’s information. They have given you their trust, and every precaution should be taken to keep their data secure. With this in mind, the most important thing you can do is make sure you’re using the right tool for the job.
In other words, use a practice management system that is specifically intended to store patient information and follows all applicable laws. You’ll need to dive into their privacy statement or terms of service to verify this. Yes, it will take some time. And no, it probably won’t be much fun. But it’s imperative to check the security of your clients’ information thoroughly.
Most importantly, don’t lose your patient records. It sounds like a no-brainer, but you might be surprised at how many people fall victim to this unfortunate and completely avoidable situation. All you need to do is back up your data.
You can use any external storage device you wish, like a hard drive or USB stick. Just make sure that it is updated regularly with all the new information. If you have a Mac, you can use the Time Machine application, which automatically backs up your data on an hourly, daily, weekly, and monthly schedule. Just set it up once, and you’re done. Windows has a built-in File History feature that does a similar job. One caveat: a backup drive that stays plugged in can be encrypted by ransomware along with everything else, so keep at least one copy disconnected or off-site, and every so often check that you can actually restore a file from it.
Keep in mind, if you use Cliniko for your practice management software, we automatically back up all your data on our secure servers. So, there’s no need for you to take these precautions. You should, however, back up and encrypt your own personal data.
If you don’t use Cliniko, here are some helpful tips that might someday save you from a big headache:
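As an illustration of what “back it up and check it” looks like in practice, the Python script below is added here; it is not the article’s own list of tips and not Cliniko code. It makes a dated snapshot of a folder, records a SHA-256 hash of every file, and can later re-check the snapshot so you find out a backup is damaged before you need it. The folder names, the sample records and the ransomware simulation in the demo are all constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large records don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_backup(source: Path, dest_root: Path, stamp: Optional[str] = None) -> Path:
    """Copy `source` into a new dated folder under `dest_root` and write a manifest
    of SHA-256 hashes beside it. Every run creates a fresh snapshot and never touches
    older ones, so a file encrypted or deleted today can still be restored from yesterday."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot = dest_root / stamp
    data = snapshot / "data"
    shutil.copytree(source, data)
    manifest = {p.relative_to(data).as_posix(): sha256_of(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_snapshot(snapshot: Path) -> List[str]:
    """Re-hash every file in a snapshot and return the paths that no longer match the
    manifest (corrupted, tampered with or missing). An empty list means the copy is intact."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    damaged = []
    for rel, expected in manifest.items():
        p = snapshot / "data" / rel
        if not p.is_file() or sha256_of(p) != expected:
            damaged.append(rel)
    return damaged


def run_demo() -> dict:
    """Constructed demo: back up a sample records folder, verify it, then simulate
    ransomware overwriting one backed-up file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "2024").mkdir(parents=True)
        (src / "patient_notes.txt").write_text("constructed sample record\n")
        (src / "2024" / "appointments.csv").write_text("date,patient\n2024-01-05,A\n")
        snap = snapshot_backup(src, Path(tmp) / "backups", stamp="20240105T090000Z")
        intact = verify_snapshot(snap)
        # Simulate ransomware reaching the backup drive and overwriting a file.
        (snap / "data" / "patient_notes.txt").write_bytes(b"ENCRYPTED BY RANSOMWARE")
        after_tamper = verify_snapshot(snap)
        return {"snapshot": snap.name, "intact": intact, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(run_demo())
```

Each run writes a new snapshot folder rather than overwriting the last one, which is the property you want against ransomware: a copy made before the infection stays readable. Run verify_snapshot on the drive you keep disconnected or off-site from time to time; a non-empty result means that copy can’t be trusted for a restore.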
Chances are, you’ve already taken at least one of the precautions we’ve discussed. Or perhaps you’re even doing two or three. If you aren’t doing all five of these steps though, you’re still vulnerable. It’s important to remember that hackers go for the easy targets. If you’re following all the steps we’ve covered here, then it’s unlikely that they will set their sights on you.