A security checklist for onboarding new hires

What’s your process for when a team member first joins your practice? From welcome GIFs and gifts, there are a lot of different things you could choose to do. We published a guest article by Andrew Zacharia a while ago about how to make new folks feel welcomed and supported in the workplace, which is essential. But what about the nitty gritty side of getting their technical access set up for your practice management system?

Onboarding new team members correctly will save you a lot of hassle down the road! It’s important for data security, but it also makes the process of offboarding a whole lot easier if an employee moves on for any reason. Here are a few things to keep in mind for getting a new person started on your Cliniko account, as well as some security tips that apply to everyone, regardless of what software you use.

1Make sure that all newcomers to your practice are set up correctly in your Cliniko account.

• Does each employee have the right security role?

Your employees should only have the access that they strictly require to do their job—and this means that not everyone should be designated as an administrator! In fact, we recommend that your practice manager is the only person with this role. It’s not good from a privacy perspective for your bookkeeper to have access to patient notes or for a practitioner to be able to export all your Cliniko data. Cliniko offers a variety of different security roles, so aim to onboard each new employee into the correct role from the outset.

And managing different levels of access doesn’t just end with Cliniko! If you’ve got filing cabinets in the clinic or on-premises computers that have patient information stored on them, safeguard this data so it’s only accessible by the team members who require it.

• Is the account owner accurate?

The person who signs up for the Cliniko account will be marked as its owner automatically, so make sure they're ready to assign this status to another user if they're not the one who should have it. Being the owner gives the user a special status. It means that their account is protected and that they are the only ones who can make changes to their own user account—they can’t be removed, and their details can’t be modified unless they initiate this. Check out our managing account ownership guide to read more about the specifics of account ownership.

But, in short, if someone is designated as an account owner, they should actually be the owner—if they’re not the owner, they shouldn’t have that role. It’s best to get ownership details correct from the beginning to avoid ownership disputes at a later stage (these can be notoriously tricky and time-consuming to resolve for everyone).

The good news is that it is possible to transfer ownership. If, for whatever reason, the ownership details on your account aren’t correct (maybe someone else set up Cliniko for you on your behalf), get them to transfer account ownership to you as soon as possible.

• Implement a regular review process!

Make sure that you’re evaluating the roles and permissions of each team member every so often. You could do this periodically or when a new person joins the team but, whatever you decide, make sure you’re regularly checking this to make sure that it’s all still accurate and up to date. For example, if someone is leaving your clinic, you’ll want to make them inactive as part of your offboarding process.

2Make sure your entire team follows best security practices.

• Set up 2FA for all accounts

If we could beg you, we would! We bang on about 2FA (two factor authentication) a lot, we know—but this is only because it’s so important. As we’ve said before, it’s the single most effective step you can take for the security of your account and all its data. 2FA requires anybody trying to access your account to have two forms of authentication—your password, but also a temporary code you receive on your device—and this provides a powerful extra layer of protection. Even if a hacker gets their hands on your password, it’s highly unlikely that they’ll have your phone handy too, which keeps your account safe.

It’s easy to set up in Cliniko and you don’t need to worry that it’s going to be arduous for you going forwards. Once you’ve got 2FA enabled and you’ve entered the code the first time, you’ll only need to repeat the process in future every 30 days or if you try to login from a browser or device that we don’t recognise.

But it’s not enough if just one person does it. We highly recommend that you require everyone working at your practice to enable 2FA and it’s definitely a good idea to incorporate this as part of your onboarding process when a new team member joins.

• Require your team to install updates

It’s very tempting to let this one slide or keep putting it off. But it isn’t something to be blasé about when you’re dealing with medical information. Upgrading to the latest version of your operating system means you’ll get the latest security fixes—and avoid making yourself a target for ransomware attacks. By using bots, hackers can locate and gain access to anyone who is using an older version of an operating system—they can then exploit the weaknesses in the outdated system to get hold of vital data (think business information and patient records). This enables them to exploit your data or prevent you from being able to access it and make you pay exorbitant money to regain it—it’s criminal, yes, but could potentially have disastrous consequences for you and your patients.

• Encourage your team to have strong and unique passwords

Make sure that your team understands what constitutes a strong password and why this is so important! This might involve you giving them some extra education. We all get taught that a mixture of numbers, letters, symbols, uppercase, and lowercase means a secure password. . . but it’s actually not true. Password length is far more important for security—the longer the better. 

Consider subscribing to a password management system—this is a great way to keep track of all your passwords, but it will also tell you the strength of the passwords you’re using. Read our comprehensive guide for a thorough discussion about passwords. As well as being long, a password should be random, so pets’ names please! Don’t use anything that’s easy to guess, simple, or common. And don’t reuse passwords across different platforms—if your password is compromised on one site, you’ll be vulnerable everywhere. You don’t want your security to be built like a Jenga tower where, if one block slips loose, the whole thing is coming down.

• Keep your devices secure

Ensure your team has biometrics and/or pins in place on all devices that they work from (though it’s good sense for them to take these steps in all areas of their lives). And the same rules as passwords apply here, please don’t choose codes like 1111 or 0000. Come up with something that’s a little more imaginative (and harder to guess)! You should also encrypt your device—otherwise, if it’s stolen, the data could still likely be accessed.

Lastly, it’s worth thinking about the physical security of your device. If you’ve got device locks, authentication, and encryption, it's unlikely that your data can be accessed if you’re the victim of theft. However, it’s a costly process to replace devices and retrieve backups, not to mention being very time-consuming! Play it safe and invest in some physical safeguards too—make sure your office itself is secure, lock things away when they’re not in use, and install security systems if you can.

Of course, there will be lots more for a new team member to learn when they join your practice, from how to tame the coffee machine to getting the hang of your workflow. The tech side of onboarding is just one aspect of the process, but it’s an important one nonetheless and we hope this has been helpful!