Protect It – Step up your website security
Any healthcare organisation that consumes or provides services using websites must take ownership of the services that they provide or pass-on to patients. Patients First is especially focused on helping you to reduce cybersecurity risks in your businesses and organisations, and urge you to review and improve your website security as a matter of priority.
Four basic steps to website security
As part of the Protect It campaign, CERT NZ has provided some practical steps you can take to keep your website safe and secure. The four priority measures to get underway now are outlined below, or you can read the full list of steps to protecting your website.
1. Protect it – Secure the data transmitted on your website
Your patients and customers trust you to keep their information, and the communication you have with them, confidential and safe. HTTPS keeps the information transferred between you and your patients or customers confidential by encrypting it. This stops attackers from getting the login details or personal information users submit on your site.
HTTPS is a basic requirement and should be enabled across your entire website.
2. Update it – Update software and apply patches
Give yourself one less thing to think about by automating as many tasks as you can, including updates. Updates not only add new features, they fix issues or vulnerabilities that allow attackers to get the valuable information on your website.
It’s your responsibility to make sure your website’s software is updated and any security patches are applied.
3. Secure it – Guard online payments
Payment Card Industry Data Security Standard (PCI DSS) helps ensure the online transactions on your website are safe and secure, and that your users’ card data is protected from attackers. Being PCI DSS compliant means you’re well-placed to avoid a security breach that can result in loss of revenue, trust and reputation.
While most patient-facing websites do not currently allow patients to make online payments, we anticipate this will change in the future. So even if it’s not relevant to you now, it’s worth being prepared for.
4. Keep it – Renew your domain
When you registered your domain name you obtained a licence to use that name for the registration period, but you don’t own it. If your domain licence were to expire an attacker could claim it and set up their own scam website selling fake goods or serving malware using your business’ name. Ask your domain provider about auto-renewing your domain, and read the Domain Name Commission’s advice about domain name registration.
A stitch in time saves nine
These simple recommendations from CERT NZ are easy to implement and are guaranteed to save you – and your patients or consumers – a lot of time, hassle and worry. Basic website security measures will keep confidential information secure, ensure patients and consumers have access to your service, keep your finances and reputation intact, and protect the integrity of your website and associated systems.
Most of us know about recent cybersecurity incidents in New Zealand; these unfortunate situations have negatively impacted individuals and businesses. But reading about it in the news and crossing your fingers for good luck won’t protect your patients or your business from the same fate – you need to act now to prevent it from happening to you.
We can help you to improve website security
It’s important to work with a trusted advisor who knows what they’re doing.
So, if you have any questions, doubts, concerns – please contact Patients First. Likewise, if you don’t know what to ask your service provider, we can help you ask the right questions or think about these risks in the right way.
Patients First can also help in other ways, such as a free one-hour vulnerability assessment for PHOs – just get in touch with us.
Another valuable ally and trusted partner is Medical IT Advisors. They offer a free online self-assessment; if you haven’t assessed your cybersecurity in the last 6 months you should make time to do it now.
And stay tuned for regular tips and tricks from Patients First! This year we will provide plenty of guidance and advice in this area.
Important reminder: New Zealand Health Information Security Requirements
An organisation that does not have a health information security policy cannot assure patients their information is being treated and protected appropriately.
The New Zealand Health Information Security Framework (HISF) standard – HISO 10029:2015 – supports organisations preparation and maintenance of such a policy and framework. It provides advice about procedures, minimum requirements and technical standards. Compliance with the framework’s risk management section has been required since 1 July 2016 for any organisations managing health information.
HISF compliance requires time, skills and resources that many small and medium health organisations do not have, leading to a challenging, risky situation for their healthcare services. Here are a few resources to simplify the HISF compliance journey:
- Initial online quick HISF self-check – estimate your “gross” risk and compare against the community baseline
- Internal and External Assessment – Download the template.
If you have any questions, doubts, concerns – please contact Patients First on 04 473 9168 or [email protected].