Manage access to your systems and your data – passwords and administration rights
C6.4C Our practice’s clinical software is accessible only via unique individual passwords that give access to information according to the person’s level of authorisation.
You should reduce security risks in your practice by introducing access controls. Practice team members only need access to the data required to do their work. Access management ensures accountability and allows you to ascertain who has entered or altered data.
Your practice team should have access to appropriate training in the relevant software, potential risks associated with the software and how to identify errors or abnormal software behaviour before access and passwords are provided.
Your information systems should be set up to generate audit logs providing details of who is accessing, downloading, changing and deleting information. The audit logs should be reviewed periodically and retained in case information is required following an information security incident.
It is good practice to separate your data on different servers, if possible. Ensure your clinical data is on a separate network and server to your website and other business data. Data separation helps contain the risk of data exposure across your entire system.
Create a policy: Administration rights and access to systems
Your practice should develop a policy specifying who has administration rights and access to specific systems. Access to systems should be consistent with the responsibilities outlined in the position description of your practice team members.
Your policy should cover:
- password security to ensure passwords are not written down and placed near practice monitors - keeping written records of passwords introduces unnecessary risk to your information security
- how often passwords are changed – the longer the same password is used, the greater the risk it will become known and used inappropriately
- who in the practice team has the authority to reset or disable user passwords
- restriction of who in the practice team can create and remove users on each practice information system
- a process for recording different access levels and software access for your practice team members
- an established password structure (numbers, characters and symbols)
- the need for each practice team member to create their own password and be responsible for keeping it secure
- not using a shared common password
- the need for passwords to be changed immediately if they have been or are suspected to have been compromised
- the implications when practice team members terminate their employment. Ensure these accounts are deactivated, remote access disabled, and computer equipment, backup media and any access devices (such as keys or entry swipe cards) as well as practice name badges are returned.
The power of passwords
To ensure access to systems is controlled and secure, establish a strong and unique password policy.
While passwords are the most common form of access authentication, password management can be complex as users often have multiple passwords to access various systems.
Remember - keeping written records of passwords introduces unnecessary risk to your information security. Each team member is responsible for creating and remembering their own passwords. Should a password be forgotten, an authorised team member should be able to organise password reset. Most software will allow new passwords to be generated in such cases.
Tips for software password settings
Most software will allow password requirements to be set up so all users can create safe and secure individual passwords.
Software can be configured to require:
- default user account passwords to be changed on first login to the system
- a minimum password length (i.e. number of characters)
- a mixture of alphabetic (lower and upper case) and numeric characters and symbols
- that passwords do not use familiar and family names or words that can be found in a dictionary
- that passwords be set to expire to enforce periodic changes
- that dates of birth are not used
- that passwords are not reused
- multi-factor authentication (a combination of two types of authentication) if appropriate for your practice
You should also be able to customise how automatic password saving is addressed in browsers, and whether this function is disabled across the practice network