Malware such as computer viruses, worms and Trojans use security holes in operating systems and user programs to take root in a computer. We present ways to protect your practice PC.
With the increased use of IT in the healthcare system, the risk of becoming a target of data theft and sabotage attacks is also growing. The "WannaCry" attack on hospitals in the UK this year is just one recent example.
Malware such as computer viruses, worms and Trojans use security holes in operating systems and user programs to take root in a computer. It can cause damage there by disrupting functionality, spying on or encrypting data, or even hijacking the entire computer and spreading from there to other systems unnoticed.
Malware is often found in e-mail attachments. But even a link that triggers the download of malware when clicked on or a wrong click while surfing the Internet can bring the malware onto your own system. Malware can also be found in programs that are actually useful, especially if they are downloaded from "foreign" servers.
The practice management system with its network of computers is the basis of existence for a medical practice. The protection of this essential infrastructure is vital for every practice. The protection of patient data has always been a cornerstone of the medical profession.
To prevent your computer from being infiltrated by malware, the Bavarian Association of General Practitioners has put together some tips for you to ensure data security and data protection in the medical practice.
Tips for ensuring data security and data protection
Secure online connections
The safest thing, of course, would be a stand-alone computer with no connection to the outside world. But even then there is a risk of malware entering through USB ports or removable media. Because the practice management system must be kept updated and billing with the KV and the HaVG Rechenzentrum GmbH is digital, such isolation is no longer practical.
In a modern medical practice, the computer must communicate with the outside world. The required "online connections" are the automatic updates of the operating system, firewall and virus scanner, the online updates and remote maintenance of the practice management system, and the connection to the HaVG Rechenzentrum GmbH via the HzV Online Key. KV billing is also more convenient online.
With proper installation, the exposure of the practice IT is kept small: the HzV Online Key establishes a so-called VPN tunnel, KV billing runs over secured connections such as KV-Safe-Net or KV-Ident-Plus, and outbound connections are limited to the sources of the updates mentioned above.
E-mail connection and surfing the Internet
If, however, you also want the practice network to receive e-mails or surf the Internet, the logistical and technical effort is significantly higher: each computer must run an up-to-date operating system, and operating system updates must always be installed automatically. In addition, a virus scanner and a firewall in the latest version are essential on every PC, and the browser and all other installed programs (PDF reader, e-mail program, office suite, etc.) must also be kept up to date. This is usually not done automatically and must therefore be followed up manually and closely monitored.
Alternatively, Dr. Marc Metzmacher, deputy district chairman of Central Franconia and member of the EDP and digitization working groups in the Bavarian General Practitioners' Association, recommends setting up a dedicated Internet computer centrally, without a connection to the practice network, on which "external communication" can take place at any time. Only this one computer is equipped with the above-mentioned requirements; all other computers are prevented from accessing the Internet at the network level. "The computer from which you surf in the office must always be secured at the highest security level so that malware cannot successfully attack it," warns Dr. Metzmacher.
This one computer then takes over the absolutely necessary external communication with the highest level of protection: billing, HzV Online Key and software updates. This is a much less expensive approach that is easy to monitor and still allows the software connectivity sometimes required for older medical devices running older operating systems.
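The sentence "all other computers are prevented from accessing the Internet at the network level" is normally enforced on the practice router or firewall. As an added example (not part of the original article and not a recommendation of the association), the following PowerShell script shows the matching host-based control on each Windows practice workstation, so that a cable moved to the wrong port or a forgotten Wi-Fi connection does not silently open a path out. The LAN range and the server address are assumptions to be replaced with the practice's own values.

```powershell
# Added example, not from the original article. Run in an elevated
# PowerShell session on Windows 10/11. It locks outbound traffic of a
# practice workstation down to the practice LAN; the router/firewall rule
# remains the primary control, this is defence in depth.
# Assumptions (adapt to your practice): LAN is 192.168.10.0/24, the practice
# management server is 192.168.10.5.
$PracticeLan    = '192.168.10.0/24'
$PracticeServer = '192.168.10.5'

# 1. Allow what the workstation legitimately needs: the practice LAN, where
#    the practice management server, printers and card readers live.
New-NetFirewallRule -DisplayName 'Praxis: LAN erlaubt' -Direction Outbound `
    -Action Allow -RemoteAddress $PracticeLan -Profile Any -Enabled True | Out-Null

# 2. Block everything else outbound on every profile. Built-in allow rules
#    (e.g. Core Networking DHCP) keep working; review them with
#    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Verify: every profile must show DefaultOutboundAction = Block, the
#    practice server must still be reachable and a public address must not.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
$lanOk  = Test-NetConnection -ComputerName $PracticeServer -InformationLevel Quiet
$wanOk  = Test-NetConnection -ComputerName 1.1.1.1 -Port 443 -InformationLevel Quiet
"LAN reachable: $lanOk   Internet reachable (must be False): $wanOk"
```

The public address in step 3 is only a test target; any address outside the practice LAN serves the purpose. Do not run this script on the dedicated Internet computer, which needs the update, billing and HzV connections described above.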
Sensitization of the practice team
In order to effectively protect the practice network and its sensitive data from cyber attacks in a digital world, the entire practice team must be made aware of the topic. Dr. Jürgen Schott, Deputy District Chairman of Lower Franconia and also a member of the Digitization and IT Working Groups, emphasizes: "The most important thing is for employees to keep their eyes open, deliberately avoid unknown websites and only access the websites they need for their work. In addition, employees should make sure to lock their computers when they leave their workstations, so that unauthorized persons are denied access."
Anti-virus programs / limited access to USB ports and CD drives
As already mentioned, all operating systems and Internet browsers used, as well as all programs that come into contact with data from the Internet, including the PDF reader, the firewall and antivirus programs, must be updated regularly. But mobile data carriers such as USB sticks, external hard drives and CDs can also contain malware. To avoid attacks via such media, all computers (even those without Internet access) should restrict access to USB ports and CD drives. This can be done with small utilities or (a bit more complicated) with the on-board tools of the operating system.
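As an added example of the "on-board tools" route (not code from the original article), the PowerShell script below sets the registry values behind Windows' own "Removable Storage Access" group policies (Computer Configuration > Administrative Templates > System > Removable Storage Access) and reports what is enforced, so the setting can be audited on every PC, including those without Internet access. The function and parameter names are the example's own; the registry path and device-class GUIDs are those used by Windows.

```powershell
# Added example, not from the original article. Run elevated on Windows
# 10/11 Pro/Enterprise. The policy keys correspond to gpedit.msc's
# "Removable Storage Access" settings; new settings apply to devices
# inserted afterwards (a reboot is the safe way to be certain).
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs used by the Removable Storage Access policies.
$Classes = [ordered]@{
    'Removable Disks (USB sticks, external drives)' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'                                    = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Set-RemovableStorageDeny {
    param(
        # 'All' denies read, write and execute. 'Execute' only prevents
        # programs on the medium from starting, which is the suitable
        # setting for the separate PC on which patient CDs are checked.
        [ValidateSet('All', 'Execute')] [string] $Mode = 'All'
    )
    $values = if ($Mode -eq 'All') { 'Deny_Read', 'Deny_Write', 'Deny_Execute' }
              else                 { 'Deny_Execute' }
    foreach ($entry in $Classes.GetEnumerator()) {
        $key = Join-Path $PolicyRoot $entry.Value
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($v in $values) {
            New-ItemProperty -Path $key -Name $v -PropertyType DWord -Value 1 -Force | Out-Null
        }
        Write-Host ("{0}: {1} set" -f $entry.Key, ($values -join ', '))
    }
}

function Get-RemovableStorageDeny {
    # Report the current state per device class for auditing.
    foreach ($entry in $Classes.GetEnumerator()) {
        $key   = Join-Path $PolicyRoot $entry.Value
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Class       = $entry.Key
            DenyRead    = [bool]($props.Deny_Read    -eq 1)
            DenyWrite   = [bool]($props.Deny_Write   -eq 1)
            DenyExecute = [bool]($props.Deny_Execute -eq 1)
        }
    }
}

Set-RemovableStorageDeny -Mode All
Get-RemovableStorageDeny | Format-Table -AutoSize
```

To undo the setting, remove the values with Remove-ItemProperty on the same keys. The policy also applies to administrators, so the practice IT partner needs a documented way to lift it for maintenance.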
Since inserting a USB stick into a computer outside the practice is a security risk, you have to think carefully about whether you want to use such a data carrier in the practice network again afterwards. The use of USB sticks belonging to third parties is strongly discouraged. Dr. Schott also recommends checking CDs brought in by patients for viruses and worms on a separate computer before using them on the practice computer, if this is necessary at all.
Since e-mails and their attachments can be gateways for malware, Dr. Schott also urges caution here: "E-mails that are unknown and unexpected for doctors and staff are not opened in our practice, but simply deleted. This ensures that worms and other malware do not enter the computer this way." In addition, you can configure the e-mail program you use so that incoming e-mails are first shown in a preview window. This way you can see the content of the received e-mail without opening it and then decide whether to open or delete it. Note that the preview pane still renders the message, so also set the mail program to display messages as plain text and not to load remote images; otherwise the preview itself can fetch content from the sender's server.
When deciding on an antivirus program, which offers a certain level of protection against computer viruses, worms and Trojans, users can now choose from a number of providers. To find out about the effectiveness and price of various antivirus programs, you can consult a list from the Federal Police here. Your practice IT partner is also a good contact in this respect.
The KBV recommends that physicians obtain a KV-Safe-Net connection. This enables you to carry out documentation, billing and data exchange with the KVs and with colleagues who also use KV-Safe-Net in a secure network. As the KBV states, the "Safe Network of the KVs" (SNK) is separated from the public Internet. It connects individual doctors' and psychotherapists' practices, medical institutions and hospitals with each other and with the KV data centers. But here, too, you have to make sure that the communication takes place via the protected computer described above.
This way you can get a KV-Safe-Net connection:
- You can obtain offers from the KV-Safe-Net providers, select the best one for you and conclude a subscriber contract. You can find the list of providers here.
- As soon as the KV-Safe-Net provider receives approval from your KV for the installation, it installs a router in your practice through which you access the KV-Safe-Net. The monthly fee depends on the provider. You can only access the KV-Safe-Net from the practice computer.
You can find more information about the KV-Safe-Net here.
KV-Ident-Plus offers another alternative for the secure transmission of invoices and other data to the KVB. This enables the KVB to establish a secure connection (VPN tunnel) between your practice computer and the KVB’s online services.
How to get a KV-Ident-Plus connection:
- Register on the KVB site via the KV-Ident-Plus service portal with your KVB access data. You will then receive a free token. This small device generates numeric one-time codes that are needed to access the KV-Ident service portal.
- You can also activate this token on the Service Portal and download the necessary software, Netscale.
- Now you can connect to the KV-Ident-Plus network using your user ID and the numeric code generated by the token. The network can be accessed from all computers on which the Netscale software is installed. The first token is free of charge; a second one can be bought for 20 €.
More information about KV-Ident-Plus can be found here.
HzV Online Key
In the HzV world, secure data exchange has been taking place for years using the proven HzV Online Key. "The HzV Online Key is completely trouble-free to use, billing is fast and security gaps are non-existent," says Dr. Metzmacher, who has of course been using the HzV Online Key himself from the very beginning. You can find more information about the usage and benefits here.
Security of the browsers through extensions (plug-ins)
When surfing the Internet, the security of the browser can be improved with extensions (plug-ins). They can block parts of websites, for example scripts that open other programs or pages. The range of such security extensions is very wide and varies from browser to browser. But especially when surfing the Internet, the user is the biggest risk.
Possible protection measures at a glance:
- Perform searches on the Internet and e-mail traffic on a separate computer and not on the practice computer
- Make employees aware of usage risks and train them on protective measures
- Protect your online connection with up-to-date firewall and antivirus programs
- Install browser plug-ins that block "active content"
- Do not use foreign USB sticks and do not return USB sticks that have been in insecure environments to the practice network
- Do not open e-mail attachments from unknown senders
Unfortunately, 100 percent protection against hacker attacks, viruses and other malware is unattainable. However, with the protective measures presented, you can minimize these dangers. Further information can be found in the "Recommendations on medical confidentiality, data protection and data processing in medical practices" issued by the BaK and KVB, which can be found here.