Securing cyber resilience for you and your practice Q&A

Where do I stand with email and text communication to patients - is a one-off consent OK? I am joining a practice where this is standard.

We cannot provide specific legal advice, only general information about what a practice should do in this regard, and we recommend consulting a privacy lawyer for tailored advice. Some general information is provided below.

Generally, it is best practice for patient consent forms to contain a robust explanation of how personal information will be used, shared and stored, and to seek express consent for email communications. Alongside obtaining that consent, the practice needs to consider carefully what personal information is sent by email and how it is sent. In particular:

  • Practices have an obligation to use secure email processes, such as encryption in transit, multi-factor authentication on mailboxes and strong, unique passwords.
  • Practices need to ensure that personal information is only sent from work email addresses, never from personal accounts.
  • All staff should be trained on the importance of confirming the recipient's email address before sending, and on the data breach implications if personal information goes to the wrong address (for example, the requirement to assess whether remedial action is possible and, if it is not, potentially to notify the OAIC).

More information on this can be found in our session on digital regulation, Regulation in a digital age, available at MIPS On-Demand. Where possible, practices should consider using secure patient intake forms and secure messaging services such as Argus instead of email.

See additional questions regarding email communications below.

Is a virtual machine a safety option?

  • A virtual machine (VM) behaves like any other computer, such as a laptop, smartphone or server: it has a CPU, memory and disks to store your files, and can connect to the Internet if needed. The difference is that a VM is a software-defined computer running on a physical host, existing only as code and data files on that host.
  • Because a VM runs its own guest operating system, separate from the host operating system, it can be used to run applications of questionable security while protecting the host. VMs also support security forensics and are routinely used to study malware safely, isolating the sample from the host computer. The isolation depends on the hypervisor, so keep the hypervisor and the guest patched, disable shared folders and clipboard sharing when running untrusted software, and treat a VM as a containment measure rather than a replacement for antivirus, patching and backups.

We are required to go online to fill out many forms for our patients. One needs to use Google or similar to do this. How dangerous is this?

  • While online forms bring great benefits and efficiency for practitioners, they carry risks alongside those benefits. The severity of the risks depends on the security of the websites and applications that require your input, and we understand that their security controls are outside your control, particularly where you are required to provide information to hospitals and referring partners.
  • The key risk is that the data you enter is compromised by cybercriminals gaining access to those sites. While you may not be able to control the security of a site requesting patient information, you can control your own cyber hygiene. You should always:
    • Use strong, unique passwords for each online service (a password manager such as LastPass, 1Password or Google Password Manager can help).
    • Enable multi-factor authentication wherever the application permits it.
    • Check that your antivirus software is up to date and that patches and updates have been applied to your devices.
    • Be suspicious of unexpected communications or requests claiming to come from a form service.
    • Ensure your practice has adequate and regular backups of all patient data.
    • Report anything that seems suspicious to the business operating the form and to your medical practice.

It will be interesting to hear your thoughts about cloud-based clinical records, as many medical practices use services like Clinic to Cloud, Gentu etc.

  • Cloud-based clinical records providers can deliver real benefits and efficiencies. It is important to ensure that these third parties comply with Australian privacy law (the Privacy Act and the Australian Privacy Principles) and have measures in place both to prevent a cyber attack and to respond to one.
  • Many practitioners are surprised to discover that the onus remains on them to ensure that their third-party providers have built Privacy Act compliance into their services.
  • This means that when selecting a third party it is critical to understand what compliance and protections are in place. The Australian Government has a document that may assist and it has been attached.

What is your advice if we receive an SMSish on our phone?

An "SMSish" (SMS phishing, usually called smishing) is a text message designed to fraudulently obtain your personal information or credentials by asking you to click a link or to respond urgently to a request.

  1. If you suspect a smishing message, do not click the link.
  2. Block the number and delete the text.
  3. If you are unsure whether the message is fraudulent or genuine, contact the company it purports to be from, using contact details you have verified independently (for example from their official website or the back of your card). Do not call the number the message came from and do not visit the website contained in the message.
  4. If you discover that you have clicked a link in a smishing message, act quickly; a cyber incident response plan is helpful in these scenarios. Note what happened after you clicked: if you entered any details or installed anything, treat those credentials and that device as compromised. At a minimum, reset the passwords (and any recovery details) on every account whose details you entered, put a hold on banking cards, and reset any login that reuses the same password across applications. Actively monitor all devices and accounts for fraudulent activity. If a data breach may have occurred, refer to your data breach response plan to determine whether reporting is required.
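One way to make the "look at the link before you trust it" advice concrete is to pull the URLs out of a message and check where they actually point. The script below is an added example, not part of the original MIPS page: the message texts, the sender domain examplebank.com.au and the small list of Australian second-level suffixes are all constructed for illustration (a production tool would use the full public suffix list). It flags the common smishing tricks: the real brand appearing only as a subdomain prefix, link shorteners, bare IP addresses, credentials before an "@", non-ASCII hostnames and urgency wording.

```python
"""
Triage links in a suspicious SMS (smishing) message.

Added example, not part of the original MIPS page. The sender domains, message
texts and the short suffix list below are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Second-level suffixes common in Australia and elsewhere: for these the
# registrable domain is three labels long (e.g. "examplebank.com.au").
# Constructed subset; a real tool would use the public suffix list.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk", "co.nz"}

# Shorteners hide the destination, so the domain check cannot be applied.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|suspended|within 24 hours|verify now|act now)\b", re.IGNORECASE
)


def registrable_domain(host: str) -> str:
    """Return the registrable (organisational) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_url(url: str, expected_domain: str) -> list[str]:
    """Return the list of red flags for one URL found in a message."""
    flags: list[str] = []
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url  # message contained "www.example.com/..." with no scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable URL"]
    if parts.username is not None:
        flags.append("text before '@' is a username, not the real host")
    if parts.scheme == "http":
        flags.append("plain http, not https")
    try:
        ipaddress.ip_address(host)
        flags.append("host is a bare IP address")
        return flags
    except ValueError:
        pass  # normal hostname, keep checking
    if any(ord(c) > 127 for c in host) or host.startswith("xn--") or ".xn--" in host:
        flags.append("non-ASCII (IDN) characters in hostname")
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        flags.append(f"link shortener {domain} hides the destination")
    elif domain != expected_domain.lower():
        flags.append(f"registrable domain is {domain!r}, not {expected_domain!r}")
        if expected_domain.lower() in host:
            flags.append("expected brand appears only as a subdomain or prefix")
    return flags


def triage_sms(text: str, expected_domain: str) -> dict:
    """Extract every link from an SMS, analyse each one and score the message."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    per_url = {u: analyse_url(u, expected_domain) for u in urls}
    urgency = bool(URGENCY_RE.search(text))
    return {"urls": per_url, "urgency": urgency,
            "suspicious": urgency or any(per_url.values())}


if __name__ == "__main__":
    # Constructed sample messages; examplebank.com.au stands in for a real bank.
    samples = [
        "Example Bank: your account has been suspended. Verify now at "
        "https://www.examplebank.com.au.verify-login.example/x",
        "Your parcel is waiting: http://bit.ly/abc123",
        "Example Bank: new statement available at https://www.examplebank.com.au/statements",
    ]
    for s in samples:
        print(triage_sms(s, "examplebank.com.au"))
```

The first sample is the classic trick: the real brand is present in the link, but only as a prefix of someone else's registrable domain, which is the part that matters. The same logic applies to links in emails, but a tool like this only triages; the independent-verification step above is still what settles whether a message is genuine.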

What about sending information via emails? So many hospital clinics want emailed referrals.

  • Email is not a secure way to send personal information. Industries that are more cyber mature, such as banking, generally do not send financial or personal information by email; they use secure, purpose-built portals and applications instead.
  • Problems with email communications:
    • Email can easily be sent to the wrong recipient, resulting in a breach of personal data.
    • Email is the main channel for phishing, in which cybercriminals deceive users into entering their credentials on fraudulent sites.
    • Email can be forwarded or altered without the knowledge or consent of the original sender.
    • Email accounts can be taken over (business email compromise), letting a criminal read mail, intercept and redirect conversations, and send messages that appear to come from your practice.
  • When using email, we recommend that you:
    • Ensure emails are encrypted. Most providers now encrypt mail in transit between their servers (TLS), but this is not guaranteed end to end; if you are uncertain, check with your email provider, and for sensitive attachments consider encrypting or password-protecting the file and sending the password through a separate channel such as a phone call.
    • Ensure each staff member has their own email account (no shared mailboxes) protected by a strong, unique password.
    • Enable multi-factor authentication across all accounts.
    • Consider using secure patient intake form services where possible instead of email.
    • Train staff so that they are aware of business email compromise and phishing emails, and know how to recognise a compromised account.
    • Train staff to question anything irregular. A workplace where staff are afraid to speak up can make cybercrime worse.
  • Some secure applications are used in the health care sector, such as Argus and ReferralNet. In general, however, the health care industry is significantly lagging in its adoption of secure messaging, which means that in many instances there is no alternative to sending referrals and information by email.

Benefits of secure messaging services such as Argus

  • Secure messaging offers security, auditability and privacy. It can also be fully integrated with clinical software, which allows some administrative tasks for practice staff and doctors to be automated.
  • We offer regular phishing training and online training modules for all staff who access personal information in medical practice, including via email and secure messaging. Contact info@resiliencebd.com for more information.
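The "check whether your email is encrypted" advice above can be partly verified from the message itself: every mail server that handles an inbound message prepends a Received header, and a server that accepted the message over TLS records it there ("with ESMTPS" is the standard keyword; several large providers also append a "version=TLS..." note). The script below is an added example, not code from the original MIPS page. The sample message and its host names are constructed, and the check only covers inbound hops: the topmost Received header was written by your own mail server and can be trusted, whereas the lower ones were written by the sender's side and could be forged or omitted. It says nothing about end-to-end encryption of the content, and checking your outbound mail needs your provider's logs rather than headers.

```python
"""
Report, hop by hop, whether an inbound email's Received headers record TLS.

Added example, not part of the original MIPS page. SAMPLE is a constructed
message; the host names and addresses are illustrative only.
"""
import re
from email import message_from_string

# Keywords that servers write when a hop used TLS: "with ESMTPS"/"ESMTPSA"
# (RFC 3848 "with" protocol names), plus the free-text forms some providers add.
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?)\b|version=TLS|\busing TLS", re.IGNORECASE
)
# The "from" clause names the server that handed the message to this hop.
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

# Constructed sample: the final hop (sender's server -> our server) used TLS,
# the earlier hop inside the sender's network did not.
SAMPLE = """\
Received: from mail.examplesender.com.au (mail.examplesender.com.au [203.0.113.10])
\tby mx.examplepractice.com.au with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 1 May 2023 09:00:00 +1000
Received: from workstation.examplesender.internal (unknown [192.0.2.5])
\tby mail.examplesender.com.au with ESMTP id def456;
\tMon, 1 May 2023 08:59:58 +1000
From: Referrals <referrals@examplesender.com.au>
To: reception@examplepractice.com.au
Subject: Referral - constructed sample

Body of the constructed sample message.
"""


def hop_report(raw_message: str) -> list[dict]:
    """Return one record per Received header, newest (our own server) first."""
    msg = message_from_string(raw_message)
    hops = []
    for idx, received in enumerate(msg.get_all("Received", [])):
        flat = " ".join(received.split())  # unfold the multi-line header
        m = FROM_RE.match(flat)
        hops.append({
            "from": m.group(1) if m else "?",
            "tls": bool(TLS_MARKERS.search(flat)),
            # Only the header our own server wrote is trustworthy; the rest came
            # with the message and could have been forged by the sender.
            "trusted": idx == 0,
        })
    return hops


def final_hop_encrypted(raw_message: str) -> bool:
    """True if the hop into our own server (the one we can trust) used TLS."""
    hops = hop_report(raw_message)
    return bool(hops) and hops[0]["tls"]


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop reports TLS (lower hops are unverified)."""
    hops = hop_report(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
    print("final hop encrypted:", final_hop_encrypted(SAMPLE))
    print("all hops encrypted:", all_hops_encrypted(SAMPLE))
```

To use it on a real message, save the email with its full headers ("view original" or "show source" in most clients) and pass the text to hop_report. A message that arrived over plain SMTP at your own server is a good prompt to ask both your provider and the sending hospital about enforcing TLS.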

Are there any good password managers available that you could list, please?

LastPass, 1Password, Google Password Manager and Dashlane are all password managers. We recommend paid products rather than free ones, because free products may be monetised using your data.

How do the Australian police work on cybersecurity complaints?

A range of federal government agencies work across cybercrime, including the Australian Federal Police, the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate, and the Signals Directorate itself.

The ACSC operates an online portal (ReportCyber) through which cybercrime can be reported, and it publishes alerts and advice to the public about known attacks.

You can also report scams to Scamwatch.gov.au, which is operated by the Australian Competition and Consumer Commission.

How long should e-medical records be retained?

They should be retained for the same period that legal and AHPRA requirements set for hard-copy records: for example, seven years from the last entry for adults, and for children until seven years after they attain adulthood (that is, until age 25). Retention rules vary by state and territory, so check the requirements that apply to your practice.

What backup system do you recommend?

There are a variety of specialist cloud backup solutions on the market, as well as backup features built into common software. Medical practices should do their own research and speak with their IT providers. In general, look for backups that:

  1. Use remote rather than onsite storage. A cloud-based or other offsite copy is critical, because a fire, theft or ransomware incident at the practice will otherwise take the backups with it.
  2. Are scheduled and automated so that they run frequently without relying on someone remembering. When establishing a backup program, also consider the built-in backup features provided in Google, Microsoft and Apple products.
  3. Are provided by third parties that comply with Australian privacy law.
  4. Include, as best practice, an encrypted offline backup in addition to the online one. Ransomware will encrypt any backup it can reach over the network, so at least one copy should be disconnected or otherwise unmodifiable once written.

Whatever system you choose, periodically test that a restore actually works; a backup that has never been restored is an assumption, not a safeguard.

Useful resources

RACGP

Australian Cyber Security Centre

MIPS webinars

Keeping up the pace - Regulation in a digital age

MIPS Practice Notes
