PHYSICIAN OFFICE IT SECURITY GUIDE

Transcription

1 PHYSICIAN OFFICE IT SECURITY GUIDE 2015

2 The CMPA supports the advice and recoendations contained in this guide and encourages their consideration by BC s physicians. Disclaier: Best practices for IT security depend on the sensitivity of the data and the individual situation, and change regularly with changes in technology. The individual physician ust deterine the degree to which each best practice applies to their particular situation. This docuent is provided for use by physicians as a general guide. It is strongly recoended that you retain a knowledgeable and qualified IT professional to assess and aintain your network on a regular basis. In using this guide, you agree that Doctors of BC accepts no liability whatsoever for any IT or security probles you ay experience or for any clais, deands, losses, daages, costs and expenses ade against or incurred, suffered or sustained by you as a result of those probles, nor any costs you ay incur in resolving any gaps or issues in your IT infrastructure. 2

3 Physician Office IT Security Guide 2015 Following is a list of IT security practices relevant to edical clinics. This list ay not be coplete, but highlights previously observed gaps and issues. It is recoended that physicians use this list as a checklist to generally assess their IT infrastructure. Each topic is described in ore detail in the reference section, with suggestions on ways to address gaps related to that topic. Device Security (includes in-office and reote access devices) All confidential patient inforation on any coputer or portable device is encrypted Operating systes and all plug-in software (e.g. Java, Flash and other plugins) are up to date preferably using autoatic updates Coputers and portable devices autoatically lock out after a pre-defined period of inactivity (e.g. five inutes) All coputer equipent is appropriately disposed of Anti-virus detection progras are up to date with autoatic updates Coputer devices (e.g. printers, onitors) are physically located to iniize unauthorized access and viewing Personal firewall technology is eployed with high security settings Website cookie installation is restricted to trusted sites Auto-coplete password storage for website access is disabled Local Network Security Network ports (wall sockets) in public areas (e.g. waiting roos) are disabled Wireless networks are hardened according to industry best practices Wi-Fi access to clinical local network is not granted to patients and others Networking equipent is located in a secure area (e.g. locked wiring closet) Private Physician Network (PPN) is not interconnected to any coercial Internet services without appropriate security easures PPN service is cancelled prior to oving Local Server Security Servers are hardened according to industry best practices Server equipent is located in a secure area (e.g. locked wiring closet) All requireents under Device Security are also applied to local servers All server back-ups are transferred and stored securely with both physical security and encryption 3

4 User Account Manageent Usernaes and passwords are not shared between users Passwords are required and robust (upper/lowercase characters, length, etc.) Inactive user accounts are disabled iediately User access is controlled by appropriate roles-based access profiles One or ore eployees is assigned to anage user accounts Acceptable Use Users do not record passwords insecurely (e.g. sticky notes, notebooks) Users do not download or install files/progras fro unknown or suspicious sources into the network Users do not e-ail or otherwise transfer confidential patient inforation over unsecure networks, such as the Internet, unless the inforation is encrypted Users do not visit untrusted or potentially unsafe websites Users do not open unknown eail attachents Audit Audit trail is turned on Rando audits are conducted regularly Access to VIP records are audited Personnel Physicians and staff attend regular privacy and security training (e.g. annual) Confidentiality agreeents are in place with staff and contractors A Privacy Officer is appointed as required by PIPA Appropriate written policies and procedures are in place (PIPA sections (5a) and (5b)) Reote Access Any devices or network used for reote access eets the requireents above for Device Security and Local Network Security Reote access uses a secure connectivity solution (e.g. VPN, SSL) that offers high grade encryption 4

5 Physician Office IT Security Guide 2015 REFERENCE SECTION Note: Many of these recoendations require the skills of a knowledgeable and qualified professional IT support person. It is strongly recoended to retain a qualified local IT professional with solid experience in security who can becoe failiar with your clinic and infrastructure. DEVICE SECURITY (includes in-office and reote access devices) All confidential patient inforation on any coputer or portable device is encrypted Any confidential patient inforation stored on coputers (desktops and laptops), obile devices (e.g. laptops, sartphones and ipods), and reovable edia (e.g. USB drives) should be password protected and encrypted. When confidential patient inforation is stored on these devices without encryption there is risk that these devices could be stolen or lost, and the data on these devices could be accessed by unauthorized users. There are a couple of different approaches to secure these devices. One approach is to purchase devices such as desktops or laptops with built-in hard drive encryption or utilizing the built-in encryption software found in various operating systes (e.g. Microsoft s Windows 7 Ultiate version BitLocker). This encryption software can also be used to encrypt a USB drive. If this is unavailable, users ay purchase coercially available software, such as Folder Locker. The second approach is to purchase a USB drive with built-in encryption software. Operating systes and all plug-in software (e.g. Java, Flash and other plug-ins) are up to date preferably using autoatic updates Coputer software anufacturers routinely provide security updates for their operating syste and Internet browser plug-ins to ensure that security risks to their software are iniized. The end user can custoize their operating syste and Internet browser to receive these security updates autoatically or anually. It is recoended to set up the coputers to autoatically install these updates so that iportant security updates are not issed, and to conduct the updates outside of noral business hours as they can take tie to install and would ipact syste perforance until the installation is coplete. It is also recoended to leave your coputer devices powered on and logged off at night so the updates can be autoatically installed (scheduled updates will not happen if the coputer is in hibernation ode). Coputers and portable devices autoatically lock out after a pre-defined period of inactivity (e.g. five inutes) When clinical staff ebers leave a coputer or obile device inactive for an extended period, the coputer or obile device autoatically locks the device fro unauthorized users accessing or viewing confidential patient inforation. Lock-outs can be enabled through either the EMR application or the operating syste. Lock-out at the EMR level 5

6 is very good for EMR security; however, it still leaves the workstation open to access. Lock-out at the operating syste level ensures the entire workstation is locked fro unauthorized access, including access to the EMR application, non-emr applications, docuents and data. Lock-out using the operating syste does have liitations as this feature can be easily turned off by any user; therefore, it is ideal to have both the EMR application and the operating syste lock-out feature enabled. It is iportant to instruct end users not to alter these settings. The operating syste s lock-out feature can be configured by the end user, while enabling the EMR application lock-out typically requires the EMR vendor. All coputer equipent is appropriately disposed of As coputer equipent is replaced in the clinic (e.g. workstation, obile devices, etc.), it is iportant to ensure old equipent does not contain confidential patient inforation. Conventional deletion techniques (e.g. using the delete key or foratting the drive) do not reove the data in its entirety fro the equipent as this data can still be recovered by unauthorized users. It is iportant to use specialized coputer software (e.g. Eraser, HDDErase, DBAN) to reove the data securely fro the device before disposal. Another ethod to ensure the data cannot be access by unauthorized users after disposal is physical deforation of the storage platters (the physical edia where data is stored) inside the hard drive through the use of tools, such as a haer, to cause significant physical daage to the edia. Anti-virus detection progras are up to date with autoatic updates Anti-virus software is a coputer progra that detects, prevents, and takes action to disar or reove viruses. Coputer viruses are progras that are deliberately designed to interfere with coputer operation. They can corrupt, delete data, and spread theselves to other coputers throughout the clinic or Internet. You can protect your coputer against viruses by using antivirus software. To protect your coputer against the ost current viruses, you should update your anti-virus software regularly using its autoatic update feature. Soe anti-virus progras are configured by default to be anually updated, leaving the responsibility of the user to perfor this task. This option increases the risk of obtaining a virus as this task can be easily issed. The end user can configure the antivirus software to autoatically update by launching the application and selecting the Update enu. While the anti-virus software gives the user the option to run the updates daily, weekly or onthly, it is recoended to run the updates daily after noral business hours to ensure it does not interfere with the perforance of other applications on the device (e.g. EMR application). Malware, also known as alicious software, includes coputer viruses. Malware, in addition to viruses, includes progras such as keylogger, Trojan horses, wors, etc. Malware is less interested in attacking your coputer, but ore interested in stealing stored data, which can include personal inforation, user naes and passwords. Malware has the ability to spread or infect other coputers on a network. As this poses a larger security threat, it is recoended that users use alware detection software. 6

7 Physician Office IT Security Guide 2015 Coputer devices (e.g. printers, onitors) are physically located to iniize unauthorized access and viewing Coputer screens in patient areas (such as the reception desk) should be positioned so that they cannot be easily viewed by unauthorized users. If this cannot be avoided, consider purchasing privacy screens for the onitors. Printers should not be installed in public areas where unauthorized users can easily access the printouts. Personal firewall technology is eployed with high security settings To prevent unauthorized reote access to desktops and laptops, and to increase the security of these devices, it is recoended to install and/or enable personal desktop firewall technology on all coputers within the clinic. This software is typically part of the operating syste but is turned off by default or set with a lower security threshold. By configuring this software to a higher security setting, it provides another layer of security protection against unauthorized access. Soe operating systes (e.g. Windows 7) provide built-in firewall protection that allows the end user to custoize to its highest security settings, or the clinic can purchase coercially available personal firewall software (e.g. Webroot, ZoneAlar, Agnitu Outpost Pro Firewall) and configure to its highest security settings. Website cookie installation is restricted to trusted sites Website cookies can be altered by alicious users or software since they are stored on the local coputer drive. Cookies can also be used to steal sensitive personal inforation of another user, which can lead to fraudulent acts such as identity theft. They can also be used for tracking the web browsing history of a user. This data can be sold to advertising agencies, which in turn results in junk eails and advertiseents. To enhance security and protection fro potential fraudulent acts, cookies should only be allowed for trusted sites. The cookies configuration options are typically found in the Internet browser s option enu. Auto-coplete password storage for website access is disabled When accessing a website that requires usernae and password authentication, soe Internet browsers (e.g. Internet Explorer, Firefox, Chroe, etc.) offer the option to autoatically store and pre-populate the usernae and password for the user. These Internet browsers store the usernae and password on the local coputer to be retrieved whenever the website is accessed. This feature is called auto coplete password storage. The risk with enabling auto coplete password storage is the credentials grant anyone using that coputer full access to those websites requiring personal login inforation. It defeats the purpose of having usernaes and passwords if they are already autoatically entered by the coputer, especially if a user has the sae login credentials across nuerous applications. If the end user uses the sae usernae and password to log on to the EMR application and to log on to a workstation, these sae credentials can be coproised by an unauthorized user using the sae workstation. This dangerous 7

8 practice could potentially allow unauthorized users to access confidential patient inforation and extract and retain the details electronically. It is recoended to disable auto coplete password storage within the Internet browser application. The end user can disable the auto coplete password storage functionality under the options enu within the Internet browser. LOCAL NETWORK SECURITY Network ports (wall sockets) in public areas (e.g. waiting roos) are disabled There are situations where a clinic has local network plugs (wall sockets) installed in public areas that are still connected to the local network, but with no devices connected to the plug. This situation creates a potential security risk as unauthorized users could connect their laptop to this network plug and gain access to the clinic s local network and possibly view confidential patient inforation. The clinic should ensure that all plugs with no devices connected to the, especially in public areas, are not active by verifying that the other end of the cable at the wiring closet is not connected to the local network (switch). Wireless networks are hardened according to industry best practices When wireless network solutions are purchased, their default security settings are not configured to industry best practices. If the clinic installs this network solution with default settings there is the potential for unauthorized users to connect to the wireless network to gain access to the clinic s local network and possibly obtain confidential patient inforation. Unfortunately, soe individuals use advanced tools and software to locate unsecured wireless networks. Once detected, they will connect to the unsecured wireless network to gain access to confidential inforation. Clinics should ensure their wireless solutions are not installed with the default setting, but, instead, are following industry best practices. The following exaples are current industry best practices for wireless solutions. Please note this list is based on tie of publication and therefore subject to change due to updates to technology: Physically secure wireless access points; Wi-Fi Protected Access II (WPA2) Enterprise; o Authentication: EAP-TLS; o Encryption: AES-CCMP (128-bit iniu); Wi-Fi Protected Access II (WPA2) Personal; o Authentication pre-shared keys (PSK) with a iniu 13-character rando passphrase; o PSK should be secured and changed on a regular basis; o PSK should be changed whenever an eployee/contractor who had access to the network leaves the organization; and o Encryption: AES-CCMP (128-bit iniu). It is iportant the clinic hires a qualified IT support vendor with extensive knowledge and experience installing and supporting wireless solutions. 8

9 Physician Office IT Security Guide 2015 Wi-Fi access to clinical local network is not granted to patients and others Due to security and privacy risks (e.g. users accessing confidential patient inforation) the clinic should not provide patients and others with Wi-Fi access to the network the clinic uses for clinical purposes. If the clinic wants to provide patients and others access to a Wi-Fi network, the clinic should set up a separate Wi-Fi network which is not connected to the clinic s priary local network. Networking equipent is located in a secure area (e.g. locked wiring closet) It is iportant for the clinic to install all network equipent (e.g. TELUS PPN equipent, clinic s switches) in a secure and locked area, preferably in a dedicated wiring closet. Only the clinic and authorized support vendors should have access to this secure area. If the networking equipent is not in a secure and locked area, unauthorized users can plug a laptop into the clinic s local network and potentially gain access to confidential patient inforation. Private Physician Network (PPN) is not interconnected to any coercial Internet services without appropriate security easures There are situations where the clinic ay require a second or third Internet connection in addition to their PPN service to access other services the PPN cannot provide (e.g. high speed Internet to view PACS iages). In this situation, the clinic should ensure these services are not connected with each other without the appropriate security easures. When two or ore such networks are connected together, hardened security easures are required to ensure inforation exchange only occurs between the proper networks. In other words, EMR inforation destined to the EMR vendor does not traverse the Internet portion of the network and vice versa, keeping EMR traffic and Internet traffic flow separate. The security design requires a highly skilled professional, as well as approval fro Health Shared Services BC (HSSBC) vis-à-vis the PPN. PPN service is cancelled prior to oving If a clinic is oving or closing, it is iportant for the clinic to contact HSSBC and their EMR vendor to infor the they are cancelling their PPN service. If the clinic does not infor HSSBC and their EMR vendor, the PPN equipent will reain at the old location and the next tenant could use this service and gain unauthorized access to confidential patient inforation. It is iportant for the clinic to infor both parties at least one onth prior to oving or closing so that the appropriate steps can be taken to reove the equipent. 9

10 LOCAL SERVER SECURITY Servers are hardened according to industry best practices If the clinic is planning to install a local server in their clinic that will store confidential patient inforation, these servers need to be configured to increase their level of security (i.e. hardening). Depending on the server s functionality (e.g. delivering EMR application services, storing identifiable confidential patient inforation in docuents, databases or spreadsheets), the server should be hardened according to the services provided. If an unauthorized user gains access to this server, it is iportant that they cannot gain access to confidential patient inforation stored on the server. The IT industry publishes recoendations on how to harden your servers based on the services the server is providing. It is iportant that the clinic follows these guidelines set by the vendors of their chosen server software copany (e.g. Microsoft, VMware). Server equipent is located in a secure area (e.g. locked wiring closet) It is iportant for the clinic to install all server equipent in a physically secure and locked area, preferably in a dedicated wiring closet with the networking equipent. Only the clinic and authorized support vendors should have access to this secure area. If the server equipent is not in a secure and locked area, unauthorized users can gain physical access to the clinic s server and potentially access confidential patient inforation. All server back-ups are transferred and stored securely with both physical security and encryption If the clinic stores confidential patient inforation on a local server (i.e. server located inside the clinic), all server back-ups should be stored off-site in a secure location, preferably anaged by a qualified business that specializes in this type of service. Clinics should back up their server daily to ensure they have the ost up to date backup in the event their server hardware fails, and the backup should be tested regularly (i.e. a full recovery fro backup perfored). To increase privacy and security of confidential patient inforation, all back-up ediu, such as a USB or tape drives, should be encrypted and password protected. It is iportant to keep the back-up tapes away fro agnetic sources to avoid erasure. Note: In addition, all requireents under Device Security apply to local servers USER ACCOUNT MANAGEMENT Usernaes and passwords are not shared between users Sharing usernaes and passwords between users is a security and privacy risk. Unique usernaes are assigned to allow users to have a role-based profile (i.e. the level of access provided for each user atches the user s need to know and provides the least privilege necessary based on the user s job function.). When usernaes are shared between users, the person using the shared usernae iediately has access to the other person s role profile that was assigned specifically to that usernae. This process also circuvents the auditing process built into the EMR application as it akes it difficult to pinpoint who accessed inforation they were not allowed to view. This situation puts the person the 10

11 Physician Office IT Security Guide 2015 usernae and password was originally assigned to at risk as they could be liable for the actions of the person using their usernae and password. Passwords are required and robust (upper/lowercase characters, length, etc.) In order to increase the security of confidential patient data, it is iportant for users to have a robust password to prevent unauthorized users fro easily guessing it or using autoated password cracking software to decode the password. The ore coplex the password is, the harder it is to decrypt. Users should use a cobination of upper and lowercase characters, along with nueric characters and special characters (e.g. $%_ ^). The password should be a iniu of eight characters in length and it should be changed regularly. Inactive user accounts are disabled iediately When an account becoes inactive (e.g. eployee leaves the clinic), it is iportant that the account is disabled iediately by the physician or the assigned Security Officer (or their delegate) to ensure unauthorized users cannot access the EMR and view confidential patient inforation. Workstation logon accounts can be disabled using the operating syste s adinistrator tools and the EMR logon accounts can be disabled by the EMR application s built-in adinistrator tools. If in any doubt, contact the EMR vendor helpdesk. User access is controlled by appropriate roles-based access profiles To enhance the level of security and privacy and protect confidential patient inforation, it is iportant to assign role-based profiles for each user requiring access to the EMR application. Role-based profiles allow the adinistrator to control what the end user can view and access for exaple, a billing clerk does not typically need access to full patient edical charts. The roles are created using the adinistrator tools built into the EMR application. One or ore individuals is assigned to anage user accounts It is iportant to designate one or ore individuals (e.g. physician, Security Officer, MOA) to anage and govern the privacy and security of user accounts. This role ensures that: all inactive accounts are disabled in a tiely anner; all users are assigned a unique usernae; all passwords are secure and robust; and role-based access profiles are properly configured. ACCEPTABLE USE Users do not record passwords insecurely (e.g. sticky notes, notebooks) To help reeber passwords, soe users write down their passwords on sticky note pads and/or in a paper notebook. This type of practice is a serious risk to the security of 11

12 confidential patient inforation as unauthorized users could find the password and log into the EMR application to view patients records. The clinic privacy and security policy and the clinic s Security Officer should discourage this type of behaviour. Users do not download or install files/progras fro unknown or suspicious sources into the network There are websites on the Internet designed with the purpose of luring users into downloading and installing alicious software onto the user s coputer. Such alicious software can capture the usernaes and passwords and install viruses on the coputer.. This software then allows unauthorized users to access the coputer devices secretly and reotely gain access to confidential patient inforation. The clinic s Security Officer should discourage users fro accessing questionable websites and downloading and installing files or progras fro unknown or suspicious sources. The coputer s operating syste should be configured to prevent the downloading and installation of software by end users. Users do not e-ail or otherwise transfer confidential patient inforation over insecure networks, such as the Internet, unless the inforation is encrypted Eail is not a secure ethod of transferring confidential patient inforation. If eail is the only ethod to send confidential patient inforation, there are applications that can encrypt the eail essage with a cobination of public and private passwords, better known as public/private certificates, or keys. The public key is shared with the eail recipient and ust be used in order to view the eail essage. OpenPGP.js + Mailvelope or GPG4win are recognized eail encryption solutions the clinic can consider for encrypted eails. In the private edical practice setting B.C., governed by PIPA, if a patient has provided appropriately infored consent acknowledging the risks, a physician can choose to counicate with the patient via eail without the protections of encryption, but should carefully consider the appropriateness and risks in each case prior to doing so. Users do not visit untrusted or potentially unsafe websites Siilar to the guidelines under Users ust not download or install files/progras fro unknown or suspicious sources into the network, it is crucial that end users do not visit untrusted or potentially unsafe websites. There are nuerous websites containing alicious software to be downloaded by unsuspecting end users. Users do not open unknown eail attachents Eail attachents, especially fro unknown sources, can contain alware which, when opened or downloaded, causes alicious software to be installed on the unsuspecting user s coputer device. This creates the potential for unauthorized users to access confidential patient inforation or install viruses on the user s coputer device. Users should take the tie to failiarize theselves with understanding e-ail scas, fraud, and phishing. To learn ore about e-ail scas or frauds, or to report one, visit and type e-ail scas and frauds in the search bar. 12

13 Physician Office IT Security Guide 2015 AUDIT Audit trail is turned on EMR applications have user-level access auditing features built in; however, this feature ay not be turned on or if it is turned on the clinic ay not be actively reviewing the audit log. The clinic should contact their EMR vendor to ensure this feature is turned on and verify by reviewing the audit log. At iniu, the audit log captures which users have logged onto to the EMR solution, the patient records they have reviewed and/or printed, and which files have be odified or deleted. The auditing feature within the EMR application should be turned on and actively reviewed by the clinic s Security Officer or delegate to ensure the privacy and security of confidential patient inforation. The workstation also has an auditing feature to onitor printing and file access on the user s coputer device which can also be enabled. Rando audits are conducted regularly To aintain the privacy and security of confidential patient inforation, the Security Officer and/or delegate should conduct rando audits of the EMR application audit logs to ensure that users are not accessing confidential patient inforation or printing and deleting files not pertaining to their role (e.g. accessing the inforation of faily ebers, other clinic staff/physicians, friends, neighbours, or rando individuals). Access to VIP records are audited When clinics have VIP patients (e.g. political leaders, celebrities, etc.) it is recoended to audit accesses to these records to ensure they are not being viewed by unauthorized users. The Security Officer or their delegate should create a regularly scheduled process to audit VIP records. PERSONNEL Physicians and staff attend regular privacy and security training (e.g. annual) Physicians and staff should attend regular privacy and security training workshops. This training should focus on Personal Inforation Protection Act (PIPA) legislation and how to apply its policies in an EMR environent. The Ministry of Technology, Innovation and Citizens Services offers PIPA training sessions. For further details, including contact inforation, visit their webpage at Confidentiality agreeents are in place with staff and contractors In keeping with the requireents of the BC Personal Inforation Protection Act (PIPA), the physician(s) (or designated Security Officer) should require internal staff and third party vendors exposed to confidential patient inforation to sign a confidentiality agreeent. This approach helps to ensure that all staff and contractors are failiar with 13

14 the clinic s privacy and security policies and guidelines when in contact with confidential patient inforation. Additional inforation and resources can be found at and search for BC Physician Privacy Toolkit. Physicians working in clinics are not typically expected to sign confidentiality agreeents due to their existing professional standards set by the College of Physicians and Surgeons; however, group clinics ay choose to establish an additional coitent to privacy and security with a physician confidentiality agreeent. A Privacy Officer is appointed as required by PIPA The appointent of a Privacy Officer is a requireent and legal obligation under PIPA. The Privacy Officer is an individual designated with the accountability to ensure organizational copliance with privacy legislation, industry standards, and professional and regulatory obligations. The Privacy Officer is responsible for policy developent, copliance onitoring, privacy breach anageent, staff training, and anaging coplaints, questions and access to personal inforation requests. In a edical practice, it is recoended that the Privacy Officer is a physician. This eans that if the office is a solo practice, the solo physician is the de facto Privacy Officer. In a group practice, one of the physicians or a senior staff person such as a Clinic Manager should be identified as being responsible for this role and its functions on behalf of the group. Appropriate written policies and procedures are in place (PIPA Sections (5a) and (5b)) According to PIPA, clinics ust aintain appropriate privacy policies and procedures that eet the requireents of the Act: 5 An organization ust (a) develop and follow policies and practices that are necessary for the organization to eet the obligations of the organization under this Act, REMOTE ACCESS (b) develop a process to respond to coplaints that ay arise respecting the application of this Act, and (c) ake inforation available on request about (i) the policies and practices referred to in paragraph (a), and (ii) the coplaint process referred to in paragraph (b). Any devices or network used for reote access eet the requireents above for Device Security and Local Network Security The clinic should ensure that any device or network used for reote access eets the requireents described in the Device Security and Local Network Security sections, above. 14

15 Physician Office IT Security Guide 2015 Reote access uses a secure connectivity solution (e.g. VPN, SSL) that offers highgrade encryption Physicians increasingly need to view confidential patient inforation reotely (outside of the clinic such as fro at hoe for on-call coverage). For clinics on the PPN, Reote access to EMR patient records fro outside the clinic using coputers with Internet connectivity is already provided through tokens issued by TELUS (with the exception of Med Access EMR, which uses web-based software with built-in reote access certificates). The tokens provided by TELUS use a SSL VPN Tunnel with two-factor authentication. Secure reote access to an individual desktop within a clinic on the PPN, fro a public network such as the Internet, requires cloud-based third-party reote control software, such as TeaViewer or LogMeIn. To aintain the highest level of security for this type of access, two-factor authentication should be used to protect against coproising the security of usernaes/passwords. Other ethods ay work for non-ppn clinics, but cloudbased products are necessary for the PPN due to the particular security configuration of the PPN. Unlike SSL-based browser encryption to secure data for web browser-based EMRs such as Med Access or OSCAR EMR, secure reote access to an individual clinic network for other LAN-based (non-asp, local server) EMRs fro a reote location requires Virtual Private Network (VPN) technology or Cloud-based third-party reote access software. 15

16 West Broadway Vancouver BC V6J 5A4