

Securing your organisation's clinical data
Apr 30
Even if you are using a dedicated occupational health software product like Orchid Live, there are still plenty of things you need to consider within your own organisation to ensure the safety of your clinical data. Here are the common cyber security and information security ‘gaps’ that we see.
Using email for clinical correspondence - there's the risk of attaching the wrong report, or cc’ing someone incorrectly, or perhaps less obviously, a sensitive email being autoforwarded when someone is on holiday. In Orchid Live there is a secure messaging function which allows you to bypass email altogether - we always recommend this as your primary communication tool to minimise the risk of an accidental data breach by email.
Not using multi-factor authentication to secure your Orchid Live account, email and other applications - potentially allowing a hacker to gain access to your account and pretend to be you. Although many software applications, including Orchid Live, have mechanisms in place to prevent 'brute force' password guessing, best practice is always to configure multi-factor authentication whenever you can.
Sending password protected documents and the unlock password to the same email account. Whilst you might think that password protecting a document gives you additional protection, almost all of this enhanced security is immediately compromised if you then send the password to the same email account, since should a hacker have access to the email account, they have everything they need to unlock your file. If you must share documents in this way, the password should be communicated by SMS message, verbally, or through a different form - eg written on a document in a shared folder.
No firewall or VPN installed - this can leave you vulnerable to unwanted access to your device and internet traffic, especially on public Wi-Fi networks. Windows and macOS both have free built-in firewalls, and free/cheap VPNs are easy to find online.
Antivirus, operating system or apps out of date, meaning that security patches and virus definition updates haven’t been applied, so you are vulnerable to the latest malware. You can usually set your antivirus, operating system and applications to auto-update so that this is taken care of in the background.
Not encrypting hard drives of laptops - leaving them vulnerable to interference and someone accessing your data if they get hold of your device.
Leaving laptops open/unlocked when you go to the toilet or grab a coffee in a public space, or even in the office. A non-clinical colleague seeing a sensitive email pop up on your screen whilst it is unattended would still count as a data breach.
Not having a staff training program covering the basics of cyber security / info sec / phishing / data protection responsibilities. Many members of staff won't be aware of the basic concepts to ensure they keep your data safe - make sure they're up to speed.
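To check the device-level gaps above (firewall, antivirus and patch freshness, disk encryption) on a Windows laptop, here is an added audit script; it is an example written for this post, not part of Orchid Live or any product. It assumes Windows Defender and BitLocker are in use and that it is run from an elevated PowerShell prompt; the 7-day and 45-day thresholds are assumptions you can tune to your own policy.

```powershell
# Added example (not from Orchid Live or the original post): audits the
# device-level gaps from the checklist above. Each check returns PASS or GAP
# with a short reason. Run from an elevated prompt: Get-BitLockerVolume and
# Get-MpComputerStatus need administrator rights.

function Test-FirewallProfiles {
    # All three Windows Firewall profiles (Domain, Private, Public) should be on.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    if ($off) { return "GAP  Firewall disabled for profile(s): $($off.Name -join ', ')" }
    return "PASS Firewall enabled on all profiles"
}

function Test-AntivirusFreshness {
    # Windows Defender: real-time protection on and signatures recently updated.
    # Assumed threshold: signatures older than 7 days count as a gap.
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { return "GAP  Real-time antivirus protection is off" }
    if ($mp.AntivirusSignatureAge -gt 7) { return "GAP  AV signatures are $($mp.AntivirusSignatureAge) days old" }
    return "PASS Antivirus active, signatures $($mp.AntivirusSignatureAge) day(s) old"
}

function Test-OsPatchRecency {
    # Assumed threshold: no OS update installed in 45 days suggests auto-update is not working.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return "GAP  No installed OS updates found" }
    $age = ((Get-Date) - $latest.InstalledOn).Days
    if ($age -gt 45) { return "GAP  Last OS update ($($latest.HotFixID)) was $age days ago" }
    return "PASS Last OS update $($latest.HotFixID) installed $age day(s) ago"
}

function Test-DriveEncryption {
    # Every volume BitLocker knows about should have protection switched on;
    # an attached unencrypted USB drive is reported as a gap too.
    $unprotected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' }
    if ($unprotected) { return "GAP  BitLocker protection off for: $($unprotected.MountPoint -join ', ')" }
    return "PASS BitLocker protection on for all volumes"
}

# Run each check; a check that cannot run (no Defender, no BitLocker module,
# not elevated) is reported as SKIP rather than aborting the whole audit.
foreach ($check in 'Test-FirewallProfiles', 'Test-AntivirusFreshness',
                   'Test-OsPatchRecency', 'Test-DriveEncryption') {
    try { & $check } catch { "SKIP $check could not run: $($_.Exception.Message)" }
}
```

A SKIP line is itself worth investigating: on a managed laptop it usually means the protection the check looks for is not installed at all.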
These are just some points for starters, and in no way represent a comprehensive plan for securing your organisation's data and cyber security. As a first step you might want to consider becoming Cyber Essentials accredited, and then as the next stage look at the Cyber Essentials Plus certification. Finally, you might consider ISO 27001 to ensure you have a comprehensive information security management system in place.