Best practice for securing health data
Presenting to Victoria University's (AU) fourth year Osteopathy students, Cliniko founder Joel Friedlaender details how all health professionals can keep their patient health data safe.
Kate Hunter
[Video transcript]
Joel Friedlaender: Thank you very much, I'm super pleased that our designer at our company did this avatar for me that I could [use] for my slides. I had one other alternative available to me. I have a five year old daughter and she went to Kinder and they were drawing pictures and she had to draw a picture of her dad, which she did and I don't mind to share. But I don't like it as much as this one here. I wish this was not real. So I go with the other one for professional purposes.
Joel: The reason I am [here] today is I was the original developer for Cliniko, I started with my partner who's an Osteopath. We started [Cliniko] in 2010 now. Have people here heard of Cliniko?
Audience: Yep.
Joel: Have people used it?
Audience: Yep.
Joel: Okay, awesome. So it's a kind of funny thing where you're obviously all osteopathy students here. I don't have a health background, but I kindly get invited to talk to these things because I built some software for the health industry. But really what I can sort of bring to the party here is not on the health side, but on the tech side. That's what I want to talk to you about today. Also while I'm doing this, if you have questions, you don't need to wait, you're welcome to put your hand up, yell out, whatever you like. If you've got a question let me know as we go along. I will provide these slides to you as well, but my slides are usually very brief so I don't know how useful they will be, but if there's something out there that you want, you don't need to take a note, you'll get them.
The main concept I want to talk to you [about] here is usually if you're talking about securing health information, we're talking about stopping other people gaining access to them. Particularly people that might be doing malicious things on the internet. And a concept to be aware of and context for this talk is that people that want to hack your information and gain access to it, they're busy. There's a lot of people to hack and they want to choose the right person to do so. This becomes really obvious with ... you guys have probably heard of these emails from a Nigerian prince that has money for you, and they send you an email telling you how you can get this money. Has anyone here received an email like that?
Audience: Yep.
Joel: So you might wonder, when everyone knows there's this Nigerian prince scam, why do they still keep claiming to be a Nigerian prince? That's stupid, right? Because you know, that's obvious. Now, what it is is they send this email out to millions or billions of people and they don't want to waste their time. They don't want people that are savvy or know the scam to go back and waste their time. What they want is people that are really gullible and the best way they can do it is to use a known scam that most reasonable people know of. And those that still haven't heard of it, still don't know it and fall for it, they know they're a good target, and they know they are worth their time. So, it's not a stupid thing they keep using the Nigerian prince one, they do it on purpose. It culls the audience down of who they're going to be speaking to and hopefully get a target.
So again, what I want to talk about here in this talk, part of it is being secure, but part of it is just making sure that you're not actually the target for them. There's kind of two ways we can go about not being the target for this sort of hacking. One, you can improve your security, probably a good way. The other, you can sabotage others'. So if you know that they're going to go for the weakest link, if that's not you, well, you'll be all right. And I kind of equate this to the idea that if you are in the forest and there's a bear chasing you, you don't need to be fast enough to get away from that bear. You need to not be the slowest person in your group. Right?
That said, I will talk about the first way for this talk, which is securing your information. I think that it's more ethical, and it's actually easier than sabotaging everyone else in this room. So what I want to do with security, there's a lot we can talk about, there's a lot that can be quite technical. What I actually want to talk about is focusing on really simple things and focusing on things that make sense. I have this hypothesis that, as people generally, we don't do a good job of just doing the simple things that make sense. I have sort of a thing that occurs that I always find quite strange. Have people here heard of the saying, knock on wood? Does anyone here actually do it when you say something that you want to come true or something bad you don't want to happen and then you knock on wood? Can I see, how many people would do that?
Quite a few. And of all those people, how many of you know why you're doing that? Like the origin of that. It's what I thought. There is a problem with this knock on wood thing. And that is the origins of this is people used to think that there was little wood spirits hiding in the wood and they were malicious little things, and they wanted bad things for you. So what would happen is if you said something good that you wanted to happen in your life, and they heard it, then they would go out of their way to use their magic and stop that thing happening. But the problem we have now is we kind of do this thing but we don't really understand it, we don't know why we're doing it. So we say something that we want that to happen for us, and then afterwards we'll do the *knock knock knock*... straight after we've said it. So in this case, they've heard what you've said and now you're just annoying them with like ...(more) *knock knock knock*
So what I would suggest with a lot of these internet security practices is the same thing. You might've heard of things, ways to keep things secure. Or have ideas, but you don't really understand it or know that it's a good idea, you could be doing more harm than good with the practices you have. So we're focusing on simple things that make sense.
Now the number one thing I want to talk about with this is installing security updates on your devices. So you probably all see them, it pops up on your screen. It says you should update and you snooze and you tomorrow and not now and all that kind of thing and delay it, probably, months. But this is the number one thing you should do on your devices to keep them secure. Has anyone heard about ransomware? Which is when businesses get their systems sort of taken over and they can't access the data, it happens a lot in the health space, so a lot of medical clinics ... this is an example of one that happened earlier this year, they just turned up to work one day and all of a sudden all of the information in their system, all their health records are not available to them.
They're going to see patients that day. They need to access previous treatment notes, any medical alerts, things like that they don't have available to them. The number one way to prevent these ransomware attacks is installing those security updates. Typically, the way these attacks work is they're not someone explicitly doing it. They're actually just bots crawling the internet, trying to find a vulnerable target to encrypt and doom. The way they work is they encrypt the information on your system and then charge you a ransom fee to get it back. If you pay it, you may or may not get your information back afterwards.
The way they work is they exploit vulnerabilities, particularly in Windows. Windows is probably the most exploited operating system. They find a vulnerability and they'll exploit it with this. They'll get in there and they'll do. This particular company here that had it happen to, and most of the companies that have had happened to them, haven't installed those security updates and if they did, they would not be affected by it. The other thing with security updates, is let's say Windows comes out and says, "Here we've got a security update for this particular vulnerability." All of a sudden every malicious hacker in the world knows about this vulnerability because it's just been announced and they know there's a fix for it and they know people aren't going to install these updates. So on your phones, when there's a new version that comes out, usually most of the updates that come out, come with a lot of security fixes. So I wouldn't be snoozing it on your phone, on your computers, whatever devices you have that have operating system updates, install them as quickly as you can. And you'll find that on Apple you just have to tick an option that says automatic updates. The same goes for Windows and your phone will automatically prompt you for it as well. The key thing on your part, is just don't snooze it, make sure you actually go ahead and do those updates when they come out.
The other most important thing to do for your security is passwords. So hopefully the things you use have passwords to protect them. So it's important to have a good password. The other thing to consider is if someone actually had your password, and knew it, what could they access? What things would they gain control over if your password was easy to guess or accessible in some way? What is it that they would be able to get into it? I think one of the main things that they could get access to, which people don't often consider that such a bad thing, is your email. So you might think that your email's just full of like funny jokes that people send you, and cat pictures or something like that. But actually most services you use online, if you forget your password, you just go to a link and say, forgot my password and it will email you something to create a new password for that service.
So if someone gets access to your email, they can go to all your other services, you forgot your password, get all these reset links into your email and then go and get access to all those services too. Not only that, they probably know all the services that you use because you've got all those annoying emails that come into your inbox all the time from them. So with your passwords, and with email particularly, it's an important one to keep secure. If they get access to your email, they probably get access to almost everything you have online.
So, in terms of having an actual secure password, the number one thing and the first thing is it shouldn't be easy to guess. So I think that most people know of common things that we don't want to do with our passwords. You don't want it to be your pet's name, the street you live in, your date of birth, something like that. I think we're past that point. There's also other things, there's common passwords. So in 2018 these were the most common passwords used, and they're used a lot. So this isn't a case that like 1 or 2% of people are using these passwords. There's a lot of people on the internet using these top 15 alone, and statistically a lot of people in this room are using those top 15 passwords there. So people that look a bit nervous at the moment. You might want to go and change your password.
Audience: *laughter*
Joel: I actually don't know why 'princess' is up there now. If something changed because year on year usually the common password stay pretty the same. The top few there are always the top few. But for whatever reason, 'sunshine' and 'princess' have come out of nowhere in and made it into the top few.
So, if they're not good passwords, these are common passwords that everyone uses, so if someone's trying to hack your password, they're going to try those 15 first. And we don't want to use something obvious to guess. So then what does a good password look like? So I've got a couple of examples here. One is the word 'osteo', but I have been tricky here and I've put a zero as the 'O' and a '3' and I've got a capital 'T' and an exclamation point so I could have a symbol in there as well. Then I've got another one because I was getting hungry and one is 'when is lunch?' Now can I get people, perhaps show of hands ... for the first one up there, is that the most secure one? How many people think the 'osteo' one is the most secure? And what about the second one? Just so I know how many people are putting up hands? Good.
Joel: So with that, if someone's giving me a guess as well now, what I'm interested in, is if I was going to run a computer programme to force hack these passwords. And what that means is it tries every combination it can just over and over until it can get this password. Does anyone want to have a guess how long it takes to get the 'osteo' one at the top? You can just shout out if you have an idea.
Audience member: An hour.
Joel: Sorry I didn't hear one over here.
Audience member: Three seconds.
Joel: Three seconds.
Audience member: A minute
Joel: A minute. And what about the bottom one here, 'when is lunch?'.
Audience member: Ten hours.
Joel: Ten hours.
Audience member: A week
Joel: A week. So I'll show you the answers to these two passwords here. The reason that the second password is so much harder for a computer to crack is just that it is longer, the only thing that matters for a computer trying to crack these codes is how many characters are in your password. Longer is better. The osteo one there, it does use symbols, it does use numbers. The computer doesn't care. It just rotates through all the options for each letter. So the top one, really no more secure than just be normal letters. The second one being much longer in size, just takes the computer a long time to go through every option for all those characters. The other thing about these two passwords is that first one can be hard to remember, and that second one, if you're hungry, is pretty easy.
Joel: If we put another phrase in there, it could be a line from a song, it could be some words that mean something to you or just an idea you like, whatever it might be. If you actually just put a short sentence that you type in, you'll remember it, and it's way more secure.
Now there is some systems you'll use that do force you to use a character or a symbol or an uppercase or something like that. Typically for myself, if I'm going to use a password like this, I'll just add that stuff at the end because it doesn't matter. I might just throw in one at the end or an uppercase letter at the end of whatever I do to meet their requirements because I know that part is irrelevant to the security of my password. So I'll do the phrase that I want and then I'll just put something at the end to tick the box if I need to.
The other tricky part with passwords is that you should use a different password for every single thing you use. That obviously is going to be tricky, right? But the problem is if you go online and you want to buy some shoes and you go to some dodgy looking websites that have cheap shoes and they force you to make an account to buy those shoes like so many of them do. As in you put in your password, the same one you use for your banking, so you've put in your email address and your password onto this site and that site gets hacked, like it will because it's a crappy site. Now they've got your email address and your password and they'll go and try your email. They'll try your banking, they'll try whatever other things they think that you might've used that same combination for. So, the problem with using the same password and username on all your sites is if one gets exposed then all of them are in trouble and it happens really commonly. You probably hear about breaches where this many million passwords were exposed, or this service or something like that. You really want to be in a position where only that service is the one for you that got hacked. Not everything you use.
The obvious next question, is how you're going to do that because if you use 50+ services, whatever it might be, you're not going to remember all of those. I recommend using a password manager. So, this one here is 1Password. I have no affiliation with them, but it's the one I use. I find it very good. What it is is you actually set up one password, so make that one really secure, make it very long. It's basically a vault to create and store passwords for all the other services that you use. So that way ... for me personally, I have a password for my Gmail. I'll have password for Facebook. Password for Twitter. Every one is a different password and I actually let 1Password itself generate those passwords for me. When it generates a password, it makes 30 character stream with just random letters. And I don't care because I'm not going to remember them because every time I go to login I use this tool to log in for me. So I don't even need to know what those passwords are. But I have a long secure password for every single service I use.
Now, the obvious other thing with this is "well what if they get hacked?" Then you're in trouble. It would be bad. They haven't been so far and I think that it's impossible to have a secure password if every site that's different, without using a tool like this. So yeah, there's a risk, but it's a far better risk that I'm prepared to take, than using the same password on all my sites because I think that's the only alternative. You'll never remember all those passwords otherwise.
So there's 1Password, there's another one ... I think 1Password is a paid one. There's LastPass that might be a free version as well and it's still very good. There's probably others out there but they're the two that I know are client reputable. I have it on my computer. So whenever I go to a website on my computer, I've actually got a browser extension and if it asks me to log in, I just click that button and it logs in for me using one of these passwords. It's faster to log in, and more secure. I have it on my phone as well, so I have access to all my passwords there. You can just copy paste them in or use the tool as well. So it's more secure and I actually find it faster to log in to all these things as well.
Once you have a secure password we might as well use them. So protecting your devices, making sure there's a passcode on your phone that secures it. Making sure there's a password for your computers. Again, keeping in mind how important email is and what people could access if they got access to your email, then you want to make sure you have this protected and usually your emails open once you enter the device. So make sure your device is protected. The other thing you can do, and this greatly enhances security, but it is an extra step, is two factor authentication. Have people heard of that phrase before? It's basically ... usually it's two different things you need to log into something. Usually something you know, being a password, and something you have, a physical device like your phone or something like that.
So these are different versions of two factor authentication. The middle one, your bank might give you a little thing that generates a code, so that's when you log into your banking, what you know is the password, what you have is this little device. Most commonly now it's just an app on your phone. So you can get one called Google Authenticator, and that works for most apps that do two factor authentication. Some apps will also use SMS to send you a code rather than having you use the app as well because they know that if you have the phone and the password, it's more secure. So two factor authentication is usually something you opt into. So on Facebook you can, certainly on Gmail you can turn it on and I'd recommend it.
Joel: Again, the focus on keeping your email secure. Usually two factor authentication just asks you to use it about once a month and then it will store it on that computer that it's okay for a month. So it's not terribly inconvenient, but it does mean even if someone had your password and your username, they still can't login unless they have your phone. It's a great enhancement to security. So, I'd probably say with two factor authentication, use it on your important things, use it on your email. Next year, if you're using practice management software, use it with that, use it wherever you have something really important you need to protect. Oh, like these things.
The next thing is encryption. With all your devices, let's say all your laptops that you've got here today, so if someone wants to get access to information on your laptop, maybe you do have patient information on that laptop. At the moment, they need your password. Hopefully, you've all got passwords on there and it's a strong password. They need your password to get in, or they just take the hard drive out of your computer, and then read everything off it. That's what happens if you don't have it encrypted. Your computer's really secure with its password, but the hard drive, the thing that stores all the information on it, is just storing it all, easily readable. So anyone can open on the back of your computer and take out the hard drive, plug it into their own computer and read everything off it. Encryption is the thing that stops them being able to do it.
What encryption is actually doing is just sort of jumbling everything on that hard drive and then un-jumbling it to present it to you on your computer. Your computer has the key to un-jumble it and it happens seamlessly. So if you're using a Mac, I can see plenty of Mac screens at the moment, so it's called FileVault on a Mac and you go to system preferences, security and privacy, FileVault and you turn it on and you're done. That's it. And now your computer's encrypted. Like I said, I will give you these slides so you can get those instructions again, and that's just done. It doesn't have any impact on how you use your computer operationally. It just works in the background and it's completed. It looks like that when you get there to turn it on. And then for Windows, same kind of thing, but it's called BitLocker, and you just go into settings, BitLocker, drive, encryption and turn it on, and it looks like this.
The only caveat for encryption is it can affect recovery. So that means that if your computer breaks and you've just got to get the hard drive out of it to save some data, you can't, it's encrypted. Or if you forget your password, you can't just read off it. The only thing is when you encrypt it, it will ask you to record a pass phrase, some sort of code, and that code does help you in those situations. So when you encrypt it, if you get that pass phrase, you can put that on a piece of paper somewhere or something to store that securely somewhere. And that's the way to recover if need be. For myself personally, I have backups and other ways that I store my information so I don't even bother with that. I want my computer encrypted to keep it safe. And if my computer, I can't access it anymore, I'm going to have other ways to get that information anyway. So the recovery for myself, I don't mind.
When you're on the internet, it's really simple to know if you're relatively secure or not on the internet. And that is to have a look for HTTPS up in the URL. Or a lot of URLs are now hidden, and they'll just show a box symbol instead. So what that actually means is that from your computer to wherever that website is, things are encrypted in between. That's all that's doing. It's encrypting whatever you do on that website to where it goes, in between. So if you're thinking about entering your credit card in to a website. You probably don't want everyone in the room to know what your credit card is. If you right now go into a computer here and you're on the network of the university and you enter your credit card into a website without HTTPS and if I wasn't doing this talk and I was on my computer and felt like snooping, I could just get your credit card very easily. So anyone on your network can read the information going from your computer to the server if it's not on HTTPS.
It's not so important when you're just browsing random stuff. But if you are putting your credit card, if you're working on a practice management system and you're storing health information or anything like that, it's really important to check that HTTPS is there to stop anyone snooping in the middle and, like I said, it's super simple. You can download a tool that will just let you see what everyone else in your network is doing, if they're not using something like that. So the key thing, if it's not HTTPS, it's not secure when you're on the internet and you just have to work out if what you're doing needs that security or not.
I also want to talk about specifically storing client or patient records digitally because there's a lot of laws around securing patient information and you're going to be custodians of it. The number one thing to make sure of is to use the right tool for the job. So you really want to make sure that you're using something built or designed to have patient information in it, that that's going to be okay to store in whatever system it is. And for a lot of services you use, you're going to need to read their privacy statement or their terms of service to check if that's applicable. So this is ... Cliniko obviously, we're designing this for patient information, you would hope that we meet the privacy rules in Australia and is a good place to store it. Likewise, other practice management systems, we're obviously not the only one that are built for health information, my guess, I haven't looked into them all, I guess is they all meet privacy requirements in Australia and they're a pretty decent place to store this information.
Something else that's often questioned, is storing patient files in Google Drive or something like that. For a long time I've been saying Google Drive is not a good place to store that information, but they've done a lot of work to actually meet the Australian privacy principles. Now, I need to disclaimer this with, I am not a lawyer, and maybe like Antony and others that may have looked into this more, would be aware. But there's a Google white paper now on how storing information in Google Docs can meet the Australian privacy principles, which is what you need for patient information. The caveat is, and a lot of people don't know, you actually have to go into your G Suite and sign what's called a data processing addendum. That kind of holds Google accountable and makes them meet the requirements that you need them to meet.
So, if you're storing patient information and you're going to be doing it in something like Google, it's worth reading the white paper about the Australian privacy principles. And you do need to make sure to sign this extra agreement to have them compliant. But anytime you are using anything that's not really designed for patient records, you're going to have to do that due diligence with it and make sure it is suitable for you.
I think the last main point for keeping patient records is to not lose them. And this is the bit what I was talking about before where I don't care about the recovery on my computer, because I know that I have this stuff backed up and that I'm not going to lose it. So backing up your data is the obvious thing. How many people here do backups of their information? Like schoolwork, things like that? A few, but not as many as I thought might. It's a dangerous game you're playing. Of those people that do, how many of you have tested your backups? Well that's a lot less. I've been working in the IT space for a long time and I hear a lot of cases or people that have been diligently backing up their systems every day, every week, and going through these ... a lot of time and effort to maintain these backups and then when they finally need it and something goes wrong, they check and it wasn't actually working and they might have spent years backing up their data diligently - daily, weekly, whatever it might be just to find out it wasn't actually working.
So if you’re backing up things, and the things you're backing up matter, just test it at some point, go and have a look and see if you can actually recover or restore or read what is in those backups. The other thing, now that we know about encryption, is you want to encrypt your backups. If you're storing it on a hard drive, you're storing it on a USB stick or wherever it might be, you need to encrypt those. Because if you've got it on a USB stick and someone gets access to that physically, then they can just read everything on it if it's not encrypted. I'll show you how to do so in a minute as well. You need to store them in a safe place physically, hopefully people are aware, don't just leave it at the front of your house or something like that.
Ideally not in the same location, so if you're trying to prevent in case of a fire or a flood, a theft or something, a separate location is a good idea. And just quickly, some recommended tools for it. So on Mac they have a thing called Time Machine which can back up to pretty much any sort of storage device. You can use that and it has an encryption option in there as well under the 'options' so you can get that to encrypt it automatically for you. You can also use a USB stick or something like that. If you're on Mac, you just have to right click the device and say encrypt and that will use FileVault like on the Mac as well, and that will encrypt that USB stick for you. Now every time you use that USB in the same computer, it will just work, and if you use it somewhere else, you'll need to use the pass phrase that comes when you encrypt it to check it.
And on Windows as well, similar kind of thing. You can buy a digital portable hard drive thing. It comes with software that encrypts it and automatically backs it up. Or you can use a USB stick on Windows, same thing, right click on a USB stick and turn on BitLocker and that will encrypt that device as well. Same as before.
So the only really tricky bit with all this advice for the security stuff is you really got to do it all. If you have part of it done, then you just have a terrible password that everyone knows, well you're in trouble. Or your email is unsecured, you're in trouble. So all of these things, each in their own right, they're not terribly difficult, but it's important to do all of them. And this will really plug all of those gaps so that you're not the target for someone. When people are out there trying to do this malicious hacking, if you do these things, you won't be their target because most people aren't doing these. So that's all I've got, if anyone has any questions about this or if you want to ask me about Cliniko, or whatever you want, go for it.