With the continuing rise of cyber threats, computer users need to be careful how they use devices, both personally and at work.
There are legal requirements set out in the Privacy Act and Health Information Privacy Code regarding how businesses should protect stored private and personal information. This information includes patient and customer details, such as names, addresses, and medical information, as well as the details of prescribers and your pharmacy's staff members.
Outlined below are the basic recommendations for security; more detailed explanations follow.
Note: Items in red include specific guidelines for Toniq customers.
- Antivirus and firewall software
  - Must be installed, enabled, and kept up-to-date.
- Windows updates
  - Run updates for Windows and software regularly.
  - Replace or upgrade computers running old versions of Windows.
- Data security
  - Safeguard against loss of data with an off-site, encrypted backup such as Toniq Vault.
  - Safeguard access to your data with encryption where possible, including encrypting the Toniq software database.
- Passwords
  - Never divulge passwords (or personal information) by email or phone.
  - Passwords should be used on computers (one or two digits is not sufficient).
  - Never leave devices unattended; lock the computer when you walk away (Tip: use Win+L, or Ctrl+Alt+Del then Lock).
  - Use multi-factor authentication wherever possible.
  - Use a different password for each website.
- Emails
  - Beware of email scams (phishing for information).
  - Use BCC (blind carbon copy), not CC (carbon copy), when emailing groups whose recipients don't know each other.
- Downloads and pop-ups
  - Only download and run programs from the internet that you went searching for.
  - Don't trust pop-ups, e.g. those warning about viruses or performance issues; do not "click here".
- Security cards
  - Toniq can provide staff security cards to use instead of (short) passwords in Toniq.
Consult your hardware support company for other recommendations. They may have monitoring programs to ensure things are working smoothly.
Antivirus and firewall software
Antivirus software scans files and programs on your computer to stop them performing malicious activity. There are many antivirus packages, both free and paid. The built-in Windows Defender software (now called Microsoft Defender Antivirus) scores highly on independent tests, so a separate product is not required.
Toniq recommends using the built-in Windows Firewall. We configure it with the permissions Toniq software requires to work properly. Unless you have independent firewall software, Windows Firewall should be enabled at all times.
If your antivirus software includes a firewall component (often sold as a Security Suite, Internet Protection, or Total Security) then it must be configured by your hardware support person to allow the Toniq software to work across the network. This includes allowing DCOM communication (which uses TCP port 135 plus dynamically assigned ports, so blanket blocking of "unknown" inbound connections will break it) and access to and from the network by specific Toniq executables.
Run updates
Software still under support will have updates for its security to patch security holes. Running updates is critical to stop hackers and viruses from getting into your computer and accessing your data. Windows Updates are released at least monthly and should be applied regularly to your computers, including upgrades to the version of Windows itself.
Pharmacies' connection to the Health Network / Connected Health has a requirement that you should have a Security Policy consistent with the Health Information Security Framework.
Contact your hardware support company if there are any issues with Windows Updates, or if you believe they are not showing for you to run.
The Health Information Security Framework (HISF) 2015 states you will:
- Ensure assets are continuously maintained to an appropriate security baseline that minimises their vulnerabilities and threat exposure, such as regular patching and other activities
- Remove or upgrade unsupported legacy software
Old versions of Windows
As noted above, keeping Windows updated is part of your requirements for the Health Network / Connected Health.
Windows typically receives support for around 10 years for a major version, but each feature update (version) of Windows 10 and 11 is only serviced for roughly 18 to 36 months depending on the edition, so staying on a current version matters as much as staying on a supported major release.
Running winver (Start, then type winver) shows the version of Windows installed. Windows 10 and 11 versions have a YYnn naming scheme: the first two digits are the year of release; for versions up to 2004 the last two digits are the month, and from 20H2 onwards they are H1 or H2 for the half of the year, e.g.:
- 1703 was released in March 2017 (and is incredibly out of date).
- 22H2 was released in the second half of 2022.
It is recommended to run a version of Windows no more than 1 year old.
Note: Windows 8.1, 8, 7, and older are out of support and do not receive updates. These machines should be replaced, or could be upgraded if they meet our hardware requirements.
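As an added illustration (it is not part of Toniq's documentation or software), the following Python script decodes a Windows version name of either form into an approximate release date and applies the one-year guideline above. On a Windows machine it reads the installed version name from the registry; elsewhere you pass the name you read from winver. The version names in the comments are the ones quoted above.

```python
import re
from datetime import date

# Windows 10/11 feature-update version names, as printed by winver:
#   YYMM  (e.g. "1703", "2004") for versions up to 2004: year and month
#   YYHn  (e.g. "22H2")         from 20H2 onwards: year and half of the year
_VERSION_RE = re.compile(r"^(?P<yy>\d{2})(?:(?P<mm>0[1-9]|1[0-2])|H(?P<half>[12]))$")


def release_date(version: str) -> date:
    """Approximate release date of a Windows 10/11 version name.

    YYMM names map to the first day of that month, YYHn names to the
    start of the half-year (1 January or 1 July). Unknown names raise.
    """
    m = _VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised Windows version name: {version!r}")
    year = 2000 + int(m.group("yy"))
    if m.group("mm"):
        return date(year, int(m.group("mm")), 1)
    return date(year, 1 if m.group("half") == "1" else 7, 1)


def months_old(version: str, today: date) -> int:
    """Whole months between the version's release and 'today'."""
    released = release_date(version)
    return (today.year - released.year) * 12 + (today.month - released.month)


def needs_upgrade(version: str, today: date, max_months: int = 12) -> bool:
    """True when the installed version is older than the one-year guideline."""
    return months_old(version, today) > max_months


def installed_version():
    """Version name from the registry on Windows; None on other systems.

    DisplayVersion holds the YYHn name from 20H2 onwards; older builds only
    have ReleaseId (a YYMM name, which is also what 20H2 reports: "2009").
    """
    try:
        import winreg
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for value_name in ("DisplayVersion", "ReleaseId"):
            try:
                return winreg.QueryValueEx(key, value_name)[0]
            except FileNotFoundError:
                continue
    return None


if __name__ == "__main__":
    # Off Windows, fall back to a sample name so the script still demonstrates itself.
    name = installed_version() or "22H2"
    print(name, "released", release_date(name),
          "upgrade needed:", needs_upgrade(name, date.today()))
```

Run it on each pharmacy computer, or feed it the names from your asset list, to get a consistent answer to "is this version too old" instead of working it out by hand.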
Email scams
For many businesses and individuals phishing scams and viruses arrive by email daily.
Phishing is an attempt to get the user to reveal passwords or personal information about themselves. They may want you to enter a username and password into a fake website that looks like a social media site, a bank, or any other company. They come with all sorts of wording, often asking you to deal with some problem urgently, e.g. a service will be disconnected if you don't act promptly.
If you enter your information into the fake website, the scammer can use these details to log in as you onto any system where you use the same username and password. This can lead to virus emails being sent to customers from your business email address, fake posts to social media sites, and many other devastating outcomes for your business reputation.
Viruses can often be stopped by your antivirus software, but sometimes not until it is too late. Beware of emails that arrive unexpectedly but seem enticing, for example, a payment remittance from a company that you aren't expecting a payment from.
Never divulge passwords or personal information
As above, passwords and personal information allow a hacker to impersonate you when logging on to a website. Common questions asked to prove your identity are along the lines of:
- Your mother's maiden name
- The name of your first pet
- Your favourite food
- The city you were born
- A parent's middle name
Revealing this information to the wrong person will allow them to reset your password on a website, giving them full access to the information stored within.
Use BCC for emails
BCC (blind carbon copy) hides the addresses of the other recipients from everyone you have emailed. This matters to your business because it protects your customers' details and builds trust with your customers and associates.
If you were to send an email to multiple customers or businesses who do not know each other using To or CC, you would be revealing their personal information (their email address and probably their name) to every other recipient. This could be a breach of the Privacy Act.
This is particularly important to remember when sending emails to many customers, such as for a sale or promotion.
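As an added example (it is not Toniq's code), the Python below shows where BCC protects recipients and where it can still leak. The Bcc header is part of the message while you compose it, so if a program builds a message itself and hands the raw text to the mail server, every recipient gets the full Bcc list; the safe pattern is to use the Bcc addresses for the envelope and strip the header from what is sent. The addresses are constructed for the example.

```python
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses


def build_group_email(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Address a bulk mailing so recipients cannot see each other.

    The visible To: line carries only the sender; everyone else goes in Bcc.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def envelope_recipients(msg: EmailMessage) -> list[str]:
    """Addresses the SMTP envelope (RCPT TO) must carry: To, Cc and Bcc."""
    fields = [str(msg.get(h, "")) for h in ("To", "Cc", "Bcc")]
    return [addr for _, addr in getaddresses(fields) if addr]


def wire_bytes(msg: EmailMessage) -> bytes:
    """The message as it should leave the server: identical, minus the Bcc header.

    The header is removed only for serialisation and put back afterwards so the
    message object can still be used to compute the envelope.
    """
    hidden = [str(v) for v in msg.get_all("Bcc", [])]
    del msg["Bcc"]
    try:
        return msg.as_bytes()
    finally:
        for value in hidden:
            msg["Bcc"] = value


def leaks_bcc(raw: bytes) -> bool:
    """True if serialised message text still carries a Bcc header (what recipients would see)."""
    header_block = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    return any(line.lower().startswith(b"bcc:") for line in header_block.splitlines())


def send(msg: EmailMessage, host: str = "localhost", port: int = 25) -> None:
    """Send with envelope and body separated so the Bcc list never reaches recipients.

    smtplib's send_message() strips Bcc for you; the unsafe pattern is
    sendmail(sender, rcpts, msg.as_string()) on a message that still has Bcc set.
    """
    with smtplib.SMTP(host, port) as smtp:
        smtp.sendmail(msg["From"], envelope_recipients(msg), wire_bytes(msg))
```

The leaks_bcc check is the one to keep: run it over whatever bytes your mailing tool actually hands to the server, not over the message you think you built.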
Only download the programs you went searching for
Many software programs available to download come from shared hosting sites, where software from many companies can be downloaded.
To increase their revenue, some try to take the visitor on a tangent, or display adverts linking to other sites, tempting you with other software you "may be interested in." There is no telling what this other software may do, so be vigilant and only download the software you specifically went looking for.
Don't trust popups
Websites do not search your computer for viruses, nor check the speed of your system. Beware of any pop-up message that claims it has found a virus, or recommends you scan your system for performance issues.
Many websites these days offer to "notify you" or "keep you updated" with information. A lot of the time when answering yes to this, you are allowing the website owner to send you popup notifications whenever they wish. These can be displayed above the computer time, where system notifications appear, and may contain ads for services you may not want, for example, notifications for fake antivirus products, gambling websites, and other services that are not safe for work.
- Think before you allow notifications:
- Why does this website need to send you information?
- Do you really want social media notifications on your work computer during the day?
- Do you need to know when someone has purchased from a website?
- If you only visit a website once or rarely, do not allow notifications.
Never leave devices unattended
Leaving a computer unattended could allow someone to access software, emails and documents, or access websites that have saved passwords. This can lead to the unintended disclosure of personal or health information, such as pay rates for staff, or to malicious posts on social media.
If you have a password on your computer, then locking it when you walk away will stop any unauthorised people from using the computer physically. This can be done by pressing Win+L on the keyboard, or Ctrl+Alt+Del and clicking Lock.
Passwords
Computers should have logon passwords. A reasonable password should also be used for software programs (if possible), such as securing the Toniq software. Do not use a 1- or 2-digit password, or your initials, as this is not secure.
Note: If you want to set or change the password on computers that run Toniq, some requirements must be met to ensure your Toniq software continues to function:
- The computers must be able to authenticate with each other.
- Typically, this means all computers log on with the same combination of username and password. If you wish to have different users set up, those users and passwords must be set up on the Toniq server computer at least, and preferably any computers with shared printers that may need to be accessed.
- If you set or change the user password on the Toniq server computer, there is a Toniq utility that must be run, to configure some Toniq software components with this new information.
Security cards
Toniq can create staff security cards on a key-pull or lanyard, to avoid the use of short passwords in the Toniq software. The security card has a barcode printed on it, which is scanned whenever the staff member needs to log on. The staff member does not need to remember their password or type a long password multiple times each day; they simply scan the barcode. Because the barcode is a fixed credential that can be photographed or copied, treat the card like a physical key: keep it on your person rather than on the counter, and report a lost card so it can be replaced.
This requires a barcode scanner on each computer on which staff members use Toniq software.
Different passwords
Passwords should be different for each website. Consider a password manager: it generates a random password for each site and stores it, so you don't need to remember any of them. Password managers let you access your passwords from both your cell phone and your computer, giving you portable access. Some require a paid subscription to sync across multiple devices.
An alternative to random letters and numbers is the "three random words" technique. Think of three random words that start with letters taken from the website's name. You can customise this as you wish, e.g. use letters 2, 3 and 4, or the last 3 letters, or letters 5, 3 and 1. Find random words for those letters and swap in numbers or special characters for some of the letters.
For example, for socialmedia.com (letters 2, 3 and 4 are o, c, i), you might end up with a password of Oct0pus Carn!v0re Impl3ment (with Oct0pus having a number zero in the middle).
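As an added example (not from Toniq), the Python below automates the three random words technique exactly as described: pick the letters from the site name at chosen positions, draw a word for each letter, and substitute a character in each word. It uses the operating system's secure random source, and the small wordlist is constructed for the example; the entropy_bits function shows why a real dictionary of thousands of words is what gives the scheme its strength, since an attacker who knows the technique and your letter positions is left guessing only the word choices.

```python
import math
import random
import secrets

# Constructed sample wordlist. A real dictionary of tens of thousands of words
# gives far more choices per starting letter, and therefore far stronger passwords.
WORDLIST = [
    "octopus", "orbit", "oyster", "carnivore", "cactus", "copper",
    "implement", "island", "ivory", "meadow", "saffron", "tundra",
]
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}


def site_letters(site: str, positions=(2, 3, 4)) -> str:
    """Letters of the site's first domain label at the given 1-based positions.

    Negative positions count from the end, so (-3, -2, -1) means the last three letters.
    """
    host = site.lower().split("//")[-1].split("/")[0]
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".")[0]
    letters = []
    for p in positions:
        index = p - 1 if p > 0 else p
        if p == 0 or abs(index if p < 0 else p) > len(label):
            raise ValueError(f"position {p} is outside {label!r}")
        letters.append(label[index])
    return "".join(letters)


def swap_one(word: str, rng) -> str:
    """Replace one substitutable letter (never the first) with its symbol."""
    candidates = [i for i, ch in enumerate(word) if i > 0 and ch in SUBSTITUTIONS]
    if not candidates:
        return word
    i = rng.choice(candidates)
    return word[:i] + SUBSTITUTIONS[word[i]] + word[i + 1:]


def passphrase(site: str, positions=(2, 3, 4), words=WORDLIST, substitute=True, rng=None) -> str:
    """Three words starting with the site letters, each capitalised, space separated."""
    rng = rng or secrets.SystemRandom()  # OS randomness; never random.random() for passwords
    chosen = []
    for letter in site_letters(site, positions):
        options = [w for w in words if w.startswith(letter)]
        if not options:
            raise ValueError(f"no words in the list start with {letter!r}")
        word = rng.choice(options)
        if substitute:
            word = swap_one(word, rng)
        chosen.append(word.capitalize())
    return " ".join(chosen)


def entropy_bits(site: str, positions=(2, 3, 4), words=WORDLIST) -> float:
    """Bits of guessing work for an attacker who knows the scheme, the positions
    and the wordlist, and so only has to guess which words were drawn."""
    bits = 0.0
    for letter in site_letters(site, positions):
        n = sum(1 for w in words if w.startswith(letter))
        if n == 0:
            raise ValueError(f"no words in the list start with {letter!r}")
        bits += math.log2(n)
    return bits


if __name__ == "__main__":
    print(passphrase("socialmedia.com"))
    print(f"{entropy_bits('socialmedia.com'):.1f} bits from the word choices with this small list")
```

With the twelve-word list above the word choices contribute under five bits, which is why the list must be large; the substitutions and your private choice of positions add a little, but not enough to rescue a tiny vocabulary.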
Use multi-factor authentication
Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the common two-step form, is a method of prompting you for some other proof when you log on to a website or perform an action. It proves you are who you claim to be by using a second piece of information or a physical device that nobody else should have access to, so a stolen or phished password alone is not enough to get in.
For example, a bank might send you a text message when you pay someone for the first time. If you have successfully logged on to the banking website and have your cell phone to be able to read the text message, then you are highly likely to be the person authorised to make that payment.
MFA should be used wherever it is available - websites and social media, email access, banking, online shopping.
MFA comes in different forms depending on the website. For example, it might send you an email with a code, or ask you to use an authenticator app. Typically an authenticator app such as Microsoft Authenticator, Google Authenticator, Authy, Duo, LastPass Authenticator or many others will generate a six-digit code that changes every 30 seconds (a time-based one-time password, TOTP), computed on your phone from a secret the website gave it when you scanned the setup QR code; no network connection is needed to produce the code.
If you send emails from your Toniq software, such as emailing debtor statements or repeat reminders, and set up MFA on your email account, then you will most likely need to create an "app password" to allow Toniq to continue to send the emails. An app password lets that one program bypass the MFA prompt, so keep it only in the Toniq email settings, and revoke it from your email account if the computer is replaced or the password is ever exposed.
Safeguard loss of data
The Privacy Act 2020 and the Health Information Privacy Code require you to safeguard information against loss and against unauthorised changes or deletion.
Toniq Vault is a reliable way to achieve this for all types of files. It performs backups on a schedule - typically at least twice a day for the Toniq software database. All information is encrypted before it leaves your premises, and the retention period (how long the old copies of your files are kept for) can be customised to suit your needs.
Saving your documents to an online/cloud system such as OneDrive, Google Drive, Dropbox, Box or similar is a good second choice, but often these only keep deleted or earlier versions for 30 days. If your files are deleted and you don't notice for a month, they can be irretrievable. A sync client also copies damaged files just as faithfully as good ones, so files scrambled by an encrypting virus are synced to the cloud too; sync alone is not a backup.
Safeguard access to your data
The Privacy Act 2020 and the Health Information Privacy Code require information to be stored securely so that it cannot be accessed by unauthorised parties.
Encryption of information "at rest" means that files are stored encrypted on your computer's hard drive. If someone were to steal your computer, they should not be able to access the information.
Windows 11 helps by encrypting the whole of your hard drive by default on eligible devices, provided you sign in with a Microsoft or work account so the recovery key is saved. This can stop someone who steals your computer from reading the contents of the drive. Check it is actually on under Settings, Privacy & security, Device encryption (or with manage-bde -status at an administrator command prompt), and make sure you know where the recovery key is kept, because without it a locked drive cannot be recovered after a hardware fault.
However, all of the above relies on your computer having a good password for logging on to Windows, so that your password cannot simply be guessed. Once someone has logged on to Windows, the previously encrypted files are readily available, and decrypted, to the user. If you accidentally open an email attachment containing a virus, for example, it will be able to read the contents of your computer.
Enabling encryption on your Toniq database allows the Toniq software to store information in a form that appears scrambled to anything other than Toniq. Other software or anyone who copies the database files will not be able to read the personal information in there, such as patient and customer information (names, addresses, NHI, phone, email, etc.), staff member details and prescriber information. The amount of information encrypted will increase over time, protecting more information from prying eyes.
Together, Toniq Vault and Toniq database encryption can vastly reduce the amount of information disclosed from the Toniq database in the event of a data breach and reduce the risk of data loss if you are struck by a computer failure or encrypting virus.