I admit it. When it comes to cybersecurity, I’m not quite a dummy. I’m good at avoiding obvious scams, use strong passwords and know how to deal with a virus infection! I also know my limits and when to call in the experts!
So why shouldn’t I be able to deal with IT security protocols in my own business?
Answer: time, prioritization and other people.
Let’s look at those in sequence:
- Time: you won’t/don’t have the time to change passwords, prioritize access of other users to servers and organize the hierarchy of access to restricted areas.
- Prioritization: running a clinic and being part of the clinic team is where you put your energy and your intellect. All things cyber are tedious and you only pay attention when they go wrong!
- Other people: creating and maintaining rigorous protocols and then ensuring that other people adhere to them is a chore. So is training new people in IT security procedures, issuing them with passwords and making sure they know what to do when the IT system is strained, compromised or under attack.
The danger period is when the business goes through a necessary fast expansion to get it to the level required for optimum performance/yield. The expansion creates a flux of change and because of the three priorities listed above, IT provision stands still. For sure, more PCs are added, the networking needs increase and server volume is enhanced, but the security protocols remain the same.
The thinking becomes:
“So, what if the operating systems on half the PCs/Macs are not up to date? We’ll update them as and when that becomes a problem or the PCs die.”
“So, what if staff are sharing passwords, because the boss is too busy to come over and log them in to restricted areas? I trust the staff.”
“It’s OK, staff are reading each other’s emails when one of them goes on annual leave. It means they’ve got each others’ backs covered.”
“And don’t talk about the anti-virus, it doesn’t need to be fully up to date. I’ll do a system install/update when I get the chance.”
The IT professional and the IT champion
In an ideal world each small business would have access to an IT professional. But the truth is that these professionals are not needed all the time in a clinic. Yet the business still requires access to expertise for protection from cyber threats and to make sure that everyone is adhering to best practice in terms of IT protocols. A good solution in these instances is to implement a system whereby the business has access to:
- An external IT professional: many companies offer IT servicing and maintenance contracts. This is ideal in terms of covering potential server issues, networking, email protocols, and external security issues without the financial burden of having to employ someone full time. Usually these companies offer a phone-in service, and most problems can be sorted quickly via remote access to the networked system.
- An internal IT champion: although one may not have access to an internal IT professional, it is very useful to have a team member who has expertise in aspects of IT. This need not be a primary focus of their job description, but it should be included as a clause! IT champions can usually be found in the administration functions of a clinic but can come from other technical functions, where an understanding of computer systems is a prerequisite.
The IT champion can be tasked with general upkeep of the internal system such as:
- Ensuring password integrity, ensuring correct access levels for different staff, policing security protocols
- Making sure that hardware is fit for purpose (e.g. that PCs are adequate for their tasks, that printers function correctly, and that Internet access is correctly enabled)
- Making sure that software is fit for purpose (e.g. that operating systems are up to date, that antivirus software is effective and updated, and that licences and appropriate versions of software are present and correct)
The other main duty of the IT champion is to liaise with the external IT professional when troubleshooting or advice on software/hardware upgrades/replacement is required.
So, what are the basic security protocols that need to be in place for IVF clinics to protect their own business, their patients and their data from growing cybersecurity threats?
Ten steps that can protect your business
- Train employees in security principles
  It is important to establish basic security practices and policies for employees. This includes:
  - Strong passwords
  - Establishing appropriate Internet use guidelines (e.g. rules for installing software, downloading files, etc.)
  - Establishing rules of behaviour describing how to handle and protect customer information and other vital data. This is a vital component of the management of IVF data and will be treated as a separate subject in a later blog posting!
- Protect information, computers and networks from cyber attacks
  Keep clean machines: having the latest security software, web browser and operating system is the best defence against viruses, malware and other online threats. Antivirus software should also be set to run a scan after each update. In addition, install other software updates as soon as they are available, because updates are often created to counter new cyber threats.
- Provide firewall security for the Internet connection
  Firewalls prevent external malicious actors from accessing data on a private network. The office firewall protects employees while they are working in the office, but it may not protect them when they are working from home, so this is worth investigating.
- Create a mobile device action plan
  Nowadays mobile devices can create significant security and management challenges, often holding confidential information or being able to access the corporate network. Useful security procedures include:
  - Requiring users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on a public network
  - Setting reporting procedures for lost or stolen equipment
- Make backup copies of important business data and information
  Regularly back up the data on all computers and the main server. Back up data automatically, at least weekly, and store instantly accessible copies either offsite or in the cloud.
- Control physical access to your computers and create user accounts for each employee
  It is important to prevent access to or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended!
  - Make sure a separate user account is created for each employee
  - Require the creation of strong passwords for each user account
  - Give administrative privileges only to trusted IT staff and key personnel
- Secure your Wi-Fi networks
  Make sure your Wi-Fi network is securely encrypted, that its name is hidden, and that a password is required to gain access.
- Employ best practices on payment cards
  Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
- Limit employee access to data and limit employee authority to install software
  Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs and should not be able to install any software without permission.
- Passwords and authentication
  Lazy passwords make life easy for cyber-criminals!
  - Require employees to use unique, strong passwords
  - Change passwords every three months
  - Consider implementing multi-factor authentication, which requires additional information beyond a password to gain entry. Nowadays this can often be set up via vendors like Google, who provide mobile-phone authentication for logins that take place off site.
Here’s one last tip: always put IT and cybersecurity as an agenda point at board meetings, which should take place monthly, and invite the IT champion to present a brief update. This will ensure that IT does not get buried under any other business at the end of the agenda and that it remains top of mind for senior management.
Neil Madden, Editor
The Fertility Hub