Online safety

Your practice should have processes in place to ensure the safe and proper work-related use of internet and email.

Your practice team should be educated and trained in best practice processes when using the internet and email. This includes learning about protection measures against malicious software.

Your policy should cover:

• reasonable private use of internet and email by practice team members during business hours
• how email may or may not be used  to communicate with patients
• how your practice handles requests  to communicate via unencrypted email
• appropriate personal use of the internet  on business devices during business hours
• how downloaded files are scanned for viruses
• details of any internet sites or specific content that cannot be accessed
• internet browser security setting requirements
• access to social networking websites such as Facebook and Twitter.

Tips for safe email use

• If you rely on information in your emails, make sure these are backed up with the rest of your data.
• Do not download or open any email attachments when the sender is unknown.
• Email use that breaches ethical behaviours and/or violates copyright is prohibited.
• Do not send or forward unsolicited email messages, including the sending of ‘junk mail’ or other advertising material (email spam).
• Do not reply to spam mail and never try to unsubscribe from spam sites.
• Remain vigilant: do not provide confidential information to an email (especially by return email) no matter how credible the sender’s email seems (eg apparent emails from your bank).
• Use a spam filtering program.

What is spyware and how do you protect your practice against it?

Spyware is programs downloaded from the internet onto your computer (sometimes without your knowledge) to covertly send information back to the sender.

• Learn how to recognise spyware.
• Know how to safely delete or remove spyware.
• Do not accept certificates or downloads from unknown senders.

Your practice should have reliable protection against malicious software including viruses, worms and trojans. These intentionally seek to corrupt, destroy or steal data, or use your computer for unauthorised purposes.

Malicious software is generally introduced into a system through external electronic communication via email or the internet. It can also arrive in your computer via image and video files, CDs/DVDs, USBs and other portable devices and media.

Your policy should cover:

• the malicious software protection used and enabled on all practice computers
• access to disable, bypass, or adjust the setting on malicious software protection
• how updates of malicious software protection occurs
• the process for scanning all incoming email attachments
• the process for scanning all documents imported into your practice information systems
• how automatic data/signature file updates are managed
• managing the ‘cookies’ feature in web browsers so it is turned off (although some legitimate software may need this turned on to function properly)
• access to training for the practice team in malicious software prevention and how to report all incidents
• automatic upgrades occurring on computers left running out of practice hours.

Your practice may electronically share information via your practice website or social media channels. Sharing information electronically requires a certain level of security to prevent it from being intercepted, changed during transmission, or received by unintended recipients. Health information is sensitive by nature, so any communication of this information via electronic or other means must adequately protect your patients’ privacy.

Communication of clinical information to and from healthcare providers should be from within your practice’s clinical software using secure electronic messaging.

Secure electronic messaging involves two processes: encryption and authentication. Encryption means data is electronically ‘scrambled’ so it cannot be read unless the information is decrypted using a digital key. Authentication means the sender can be verified using electronic signatures.

eHealth information exchange in the Australian health system relies on and incorporates encrypted, secure messaging techniques. The software programs used will handle this function and are required to meet Australian standards.

Your policy should cover:

• how patient-related and other confidential information is sent electronically between healthcare providers
• your practice’s approach to using email to communicate patient-related and other confidential information between healthcare providers and patients
• the maintenance of your website to ensure information is current and correct
• encryption for online transactions such as appointment bookings
• who in your practice team is responsible for maintaining the practice website
• use of social media for your general practice.

Digital certificates

• Digital certificates for electronic communication software (the original disk and serial numbers) should be stored securely.
• Documentation on where certificates are installed should be maintained, and the expiry of each recorded.
• Some software automatically renews your Public Key Infrastructure (PKI) certificate. Other software will require manual reinstalling, so make sure you know how to keep these current.

Risks of running unsupported software or hardware:

• No security patches or updates – most software vendors will release updates and security patches to protect against new security threats. When your software stops being supported these updates stop for your system. Not using supported hardware and software can place your general practice at risk of data breaches and subsequently of complaints being filed, audits and fines.
• Software incompatibility – software vendors may no longer provide support for their software if other software installed on your system is out of date.
• Loss of functionality – software relies on the hardware it is installed on, so running unsupported software or hardware compromises information security.
• Increased data breach risk – the damage to your practice’s reputation if you lose practice information to a data breach can be detrimental.

Third-party software, including ‘add-on’ or ‘bolt-on’ programs, is regularly used in general practice to enhance practice and clinical systems and to transfer clinical information. This includes electronic prescription exchange and secure communications. For example, data extraction tools, administrative products, and online medical appointment scheduling applications are used to analyse and improve business and clinical performance. However, using third-party software can also expose your general practice system to threats including the potential to compromise core database integrity, open up security weaknesses that allow unauthorised access into your practice system, and data breaches.

Security measures need to be taken into account when choosing to use any type of third-party software in your practice. Consider:

• Have you developed policy around the use of third-party software that meets your security requirements?
• How is the third-party software updated? By whom, and will this impact your other systems?
• Does the third-party software meet the necessary APPs requirements? Where and how is extracted and transferred data stored?
• Are you able to test and audit the use of the third-party software?
• What contractual arrangements are in place?

Third-party software often uses practice data to complete functions and produce reports. For example, it can be used to provide health information to external organisations for research or population health planning. Your practice team needs to know what the third-party software is doing with any practice data, as consent should be sought for any secondary use of data – that is, information used for purposes other than for what it was originally collected.