
An 8-step cybersecurity strategy for your GP practice


In our last blog post we highlighted the extent of the problems caused by the lack of cybersecurity in primary care. Although it's an issue that probably needs to be tackled with a bigger budget than the average £23,000 spent by NHS trusts annually, there is plenty that your GP practice can do to help ensure the safety of your patients, online data and computer systems without breaking the bank.

In this blog post, I'll outline an approach that is being used successfully in a couple of practices: a step-by-step strategy to ensure that cybersecurity remains a priority in the hearts and minds of your employees, and is accepted as part of everyday work procedures.

1. Create a mindset of cybersecurity

It's important that you instill a culture of cybersecurity within the practice. This culture will lead to individual and group working practices that are habitual (such as logging off computers when leaving your desk). There are four things in particular that you can do here as a practice manager:

  • Set a good example by following the actions and attitudes that are required
  • Ensure that cybersecurity is discussed at every team meeting (perhaps with the latest news, or examples of good data security practices)
  • Conduct regular training sessions aimed at ensuring good cybersecurity procedures
  • Make sure that cybersecurity is seen as part of the core values of your practice, and included in induction training

2. Use good computer habits

Put in place daily and weekly system management activities that include:

  • Enable automated software updates
  • Monitor for critical software updates, and act on them as needed
  • Disable the user accounts of former employees as soon as practicable
  • Archive old files
  • Uninstall defunct software
  • Always change software from its default configuration when installing it
  • Uninstall any non-essential software (games, instant messengers, etc.)
  • Only allow work-related software and applications to be used on work computers
  • Sanitise computers before disposing of them

3. Use strong passwords and change regularly

Ensure that passwords are not easily guessed: at least eight characters, a combination of upper- and lower-case letters and numbers, with at least one special character. Don't include dates of birth or marriage, driving licence numbers and so on, and don't use the names of family members or family pets either.

Where systems are used on a 'need-to-use' basis, such as e-prescribing, use an authentication process with more than one step – this might include answering a secret question, for example, after the password has been entered.

Configure systems and software so that password changes are required regularly (at the very least, monthly).
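As an added example (not code from the original post), this Python function checks a candidate password against the rules just stated: the composition requirements, plus a list of personal terms the practice wants excluded (family and pet names, dates of birth or marriage, licence numbers). The names and dates used in the examples are constructed.

```python
"""Policy checker for the password rules in step 3 (added example)."""
import re
import string
from datetime import datetime

SPECIAL = set(string.punctuation)
DATE_FORMATS = ("%Y-%m-%d", "%d/%m/%Y", "%d.%m.%Y")


def _normalise(text):
    # Lower-case and keep only letters and digits, so "Rex-2019" and
    # "rex2019" compare the same way.
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _date_variants(term):
    """Digit forms a date might be typed as (ddmmyyyy, yyyymmdd, ddmmyy)."""
    for fmt in DATE_FORMATS:
        try:
            d = datetime.strptime(term, fmt)
        except ValueError:
            continue
        return {d.strftime("%d%m%Y"), d.strftime("%Y%m%d"), d.strftime("%d%m%y")}
    return set()


def check_password(password, personal_terms=()):
    """Return the list of policy failures; an empty list means the password passes.

    personal_terms holds the names and dates the post says must not appear
    (family members, pets, dates of birth or marriage, licence numbers).
    """
    failures = []
    if len(password) < 8:
        failures.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL for c in password):
        failures.append("no special character")
    norm_pw = _normalise(password)
    for term in personal_terms:
        candidates = {_normalise(term)} | _date_variants(term)
        # Fragments shorter than three characters would match almost anything.
        if any(len(c) >= 3 and c in norm_pw for c in candidates):
            failures.append(f"contains personal information ({term})")
    return failures
```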

4. Use a firewall and anti-virus protection

A firewall is a must-have. Take advice on whether you should use a hardware firewall, a software firewall, or both. Maintain your firewall daily, downloading the latest updates.

Ensure that your anti-virus protection updates automatically, protecting against viruses, malware and any other code that could attack your system through software downloads, email, CDs and flash drives.

5. Control physical access

  • Keep all mobile devices in a locked room, limiting the chance of their being lost, stolen or tampered with.
  • Devices should be signed in and out.

6. Control network access

Ensure that your Wi-Fi is set up to operate only in encrypted mode, and change the password for access weekly (and any time that a member of staff leaves). In addition:

  • Review all file sharing applications before installation.
  • No software to be installed without approval.
  • Use a hierarchical system that limits access to the network by function and/or responsibility.

7. Protect all mobile devices

It's likely that your practice will have a number of mobile devices, such as laptops used by doctors on home visits. This is one of the major areas of concern:

  • Ensure all mobile devices have strong password and access controls.
  • Only use encrypted messages to send information across public networks.
  • If a mobile device doesn't support encryption, bar its use.
  • Ensure that all protocols, policies and procedures are complied with.

8. Plan for the unexpected

However good your cybersecurity policy, and however well practice employees stick to it, there will always be something that goes wrong. That's the way that Murphy's Law works. You can reduce this risk by planning for the unexpected:

  • Back up your system and files at least weekly (automatically, if possible).
  • Make sure that all necessary data is captured.
  • Make sure you know how to restore the system to a restore point.
  • Back up to a separate system if possible.

Your backups should be protected by the same restrictions, rules and protocols that are used for all your systems and data.

Put in place a 'disaster recovery plan':

  • Know what was backed up, when, and where it can be accessed.
  • Have the correct equipment to hand to be able to effect a restore.
  • Put in place procedures and policies to be adopted by all employees in an emergency and as part of the disaster recovery plan (this may need some training, and a regular trial run).
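As an added example (not code from the original post), the Python script below does the three things this step asks for in a checkable way: it captures a directory into a weekly archive, records a SHA-256 manifest of what was backed up, then restores the archive into a scratch directory and confirms every file came back intact. The practice data it uses is constructed sample content, and "data" is an assumed folder name inside the archive.

```python
"""Weekly backup with a restore test (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest_for(directory):
    """Map each file (path relative to directory) to its SHA-256 digest."""
    root = Path(directory)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def create_backup(src_dir, archive_path):
    """Archive src_dir and return the manifest describing what was captured."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(src_dir), arcname="data")
    return manifest_for(src_dir)


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and report any file that is missing
    or differs from the manifest. An empty list means the restore works."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to maintenance releases)
            # refuses archive members that would escape the target directory.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = manifest_for(Path(scratch) / "data")
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"digest mismatch after restore: {rel}")
    return problems


def run_demo():
    """Back up a constructed sample data set, then test the restore twice:
    once as-is, and once after adding a file the backup never captured."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "practice_data"
        (src / "letters").mkdir(parents=True)
        (src / "appointments.csv").write_text("2024-05-01,09:00,room 2\n")
        (src / "letters" / "referral.txt").write_text("constructed sample letter\n")
        archive = Path(work) / "weekly.tar.gz"
        manifest = create_backup(src, archive)
        count, clean = len(manifest), verify_restore(archive, manifest)
        manifest["missing.txt"] = "0" * 64  # a file that was never backed up
        return count, clean, verify_restore(archive, manifest)
```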

Are you prepared for a cyber-attack?

The above strategy has proved to be effective in helping to prevent and prepare for a cyber-attack. It will instill a culture of cybersecurity, make your employees more aware of the risks, and help to keep your patients safe.

  • What policies and procedures does your practice have in place?
  • Is it prepared for a maliciously placed virus on its systems?
  • Do your healthcare workers change their passwords regularly, and keep their password details secure?
  • When was the last time you took part in a cybersecurity training session?

If the answer to any of these questions is "no", "none", or "I don't know", you may need to review your cybersecurity policy.

eSupplies Medical is a trading name of Williams Medical Supplies Ltd, a DCC business