May is celebrated as the security and privacy awareness month. While cyber security week is an opportunity for organisations to check how well their privacy practices stack up, it shouldn’t stop there. We should continually monitor how well we are managing sensitive personal information and protecting our (and our clients’/residents’) data.
Your governing body and management team should understand the importance of having systems and processes in place to protect personal and sensitive information. That understanding should flow down through your whole team: Coordinators, Registered Nurses, care staff, cleaners, kitchen staff and the contractors you work with.
What is sensitive information?
To provide quality care to individuals, aged care organisations need to collect a significant amount of personal information. This includes information on a person’s health status, their finances and investments, their family, their residential status, absences from their home and how vulnerable they are. You can imagine how devastating it would be for an older person if this information fell into the wrong hands: it could lead to serious harm, including elder abuse or targeted fraud. This is why the information is considered sensitive personal information, and why it is critical that you handle it with integrity and care.
Sensitive information also includes an organisation’s ‘commercial’ sensitive records, or documents relating to the business operations. This is information that has economic value and if disclosed to another party, may lead to economic harm to the business. It can also extend to information that can adversely impact the organisation’s reputation and personal information held on employees.
In this day and age, having filing cabinets full of paperwork has become a bit of a dinosaur. Yes, you might have some key documents that you keep on hand as reference or as a backup in the case of computer outages, but paperless offices are becoming the norm.
Most aged care organisations will have an electronic Client Management System (CMS). The CMS has become essential for retaining up-to-date information on clients or residents, generating care plans, rostering staff and maintaining client progress notes. Many of these systems can also upload data directly into portals for essential reporting, minimising the amount of work involved in reporting processes.
Alongside the CMS, many organisations will have electronic Human Resource systems, data storage platforms, compliance logging platforms and intranets, and email has become the default system for sending messages and communicating between stakeholders. Many aged care services also use social media platforms to disseminate information to clients and their families, or as a promotion and engagement tool.
We can’t get around using these systems. They are useful, make our jobs easier and support transparency. When used correctly and with the right permission settings and protections, they are helpful in protecting sensitive information held by the organisation. But you need to ensure that your cyber-security practices are sound and regularly updated or reviewed.
What can you do to protect sensitive information held by your organisation?
1. Password-protected access to systems
All your organisational systems should be password protected. Each system or platform should have its own unique password, and passwords should be updated regularly. Each person accessing a system should have their own password and understand good password management practices.
2. Lock devices or turn on screensavers
Never leave devices such as computers, tablets and phones unattended without first logging out or locking them. Put them away in a secure location where appropriate. If you have a visitor in your office or at your workstation make sure that any sensitive information is not able to be viewed by the person. Close the laptop or turn on the screensaver.
3. External backups
If you store or back up information onto an external hard drive, ensure the information is either encrypted or password-protected, especially if taking it offsite.
4. System updates
Ensure your operating systems, applications and browsers are up to date. Activate automatic updating where possible so that you receive the latest ‘patches’, which are often released to fix weaknesses that could otherwise be used to break into systems.
5. Antivirus software
Ensure you have up-to-date antivirus installed on your devices. Antivirus programs are designed to prevent, or identify and take action against, malicious software on a computer or device. Once malware is on your computer it can lock you out of your data by encrypting it, or can delete it altogether. Antivirus is also an effective tool to minimise the amount of spam that gets through to your inbox.
6. Firewalls
Ensure your firewall is turned on. Firewalls can be installed on an individual computer or may be enabled across a network. Firewalls control the flow of information in and out of a system, and sometimes cause problems when an application or program requires access to the internet. Permission to disable a firewall should sit with an administrator who understands and can mitigate the risks involved. In a networked system, even one vulnerable computer can provide a gateway for malware, which can then spread across the network.
7. Only trust verified sources
Avoid downloading programs from untrusted sites as these may host malware that will automatically install on your computer, compromising your security. The same goes for attachments or links from emails that come from an unsolicited source – don’t click on them.
8. Staff education
Educate staff on the appropriate use of the information they have access to, the importance of logging off after accessing databases, your policies and procedures that protect organisational information, as well as phishing scams to be aware of and ways to avoid exposing the organisation inadvertently to these.
9. Staff devices
Where staff have access to sensitive client information on their phones or a tablet (perhaps through their roster), educate and reinforce the need for staff to password-protect their mobile device. Access to the CMS program should also be protected using a different password.
10. Regular backups
Back up valuable and personal information regularly in case of a malware or ransomware attack. Even if your system is encrypted, a hacker who gets into it can lock you out of it, and you want to be able to restore an up-to-date backup and get up and running again while you sort out the breach.
11. Information management
Consider carefully who needs to have access to information and at what level. It is important that care staff have access to some essential information about a client or resident that they care for, but there is a lot of personal information that will be unrelated to their role. Check the permission levels that staff have access to and adjust them to match their role.
12. Remove access to information
Remove access to systems as part of the exit process for a departing employee. While the person may no longer have access to their email or internal systems after they leave, I still sometimes find that people are registered on platforms, and potentially still have access to client information, months after they have left an organisation. Ensure this crucial step is part of your exit process, and consider suspending access where a person is on extended leave from the organisation.
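As an added example, not from this article or from CDCS, here is a small Python access review that checks tip 11 (do each person’s permissions match their role?) and tip 12 (are departed staff, or staff on extended leave, still active on a platform?) in one pass over an HR list and a platform’s user export. The role names, permission strings, HR status values and the two record layouts are assumptions; the staff and account data is constructed purely for the illustration.

```python
from dataclasses import dataclass, field

# Permissions each role legitimately needs. Hypothetical role and
# permission names chosen for this example; adjust to your own CMS.
ROLE_PERMISSIONS = {
    "care_staff": {"care_plan:read", "progress_notes:write", "roster:read"},
    "registered_nurse": {"care_plan:read", "care_plan:write",
                         "progress_notes:write", "roster:read",
                         "medications:write"},
    "coordinator": {"care_plan:read", "care_plan:write", "progress_notes:read",
                    "roster:write", "finance:read"},
    "cleaner": {"roster:read"},
}


@dataclass
class StaffRecord:
    """One row from the HR system (assumed layout)."""
    staff_id: str
    name: str
    role: str
    status: str  # "active", "extended_leave" or "departed"


@dataclass
class PlatformAccount:
    """One row from a platform's user export (assumed layout)."""
    username: str
    staff_id: str
    permissions: set = field(default_factory=set)


def review_access(hr_records, accounts):
    """Return a list of findings, one dict per problem found.

    Checks, in order: account with no HR record, departed staff still
    holding an account, staff on extended leave still enabled, and
    permissions beyond what the person's role needs.
    """
    hr_by_id = {r.staff_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr_by_id.get(acct.staff_id)
        if rec is None:
            findings.append({"username": acct.username, "issue": "no_hr_record",
                             "action": "disable until ownership is verified"})
            continue
        if rec.status == "departed":
            findings.append({"username": acct.username,
                             "issue": "departed_still_active",
                             "action": "remove access as part of exit process"})
            continue
        if rec.status == "extended_leave":
            findings.append({"username": acct.username,
                             "issue": "on_extended_leave",
                             "action": "suspend access until return"})
        excess = acct.permissions - ROLE_PERMISSIONS.get(rec.role, set())
        if excess:
            findings.append({"username": acct.username,
                             "issue": "excess_permissions",
                             "excess": sorted(excess),
                             "action": f"reduce to {rec.role} permissions"})
    return findings


def sample_review():
    """Run the review over constructed sample data (not real staff)."""
    hr = [
        StaffRecord("S001", "Alice", "registered_nurse", "active"),
        StaffRecord("S002", "Bob", "care_staff", "active"),
        StaffRecord("S003", "Carol", "cleaner", "departed"),
        StaffRecord("S004", "Dan", "care_staff", "extended_leave"),
    ]
    accounts = [
        PlatformAccount("alice", "S001", set(ROLE_PERMISSIONS["registered_nurse"])),
        # Bob has been given finance access that care staff do not need.
        PlatformAccount("bob", "S002", {"care_plan:read", "progress_notes:write",
                                        "roster:read", "finance:read"}),
        PlatformAccount("carol", "S003", {"roster:read"}),
        PlatformAccount("dan", "S004", set(ROLE_PERMISSIONS["care_staff"])),
        # An account nobody in HR can vouch for.
        PlatformAccount("contractor1", "S999", {"roster:write"}),
    ]
    return review_access(hr, accounts)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f['username']:<12} {f['issue']:<24} -> {f['action']}")
```

Run the review against each platform that holds client information, not just the CMS, since the article’s point is that stale registrations tend to survive on the less visible platforms. The ordering of checks matters: a departed person’s account is flagged for removal straight away, so it is not also reported for excess permissions.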
As mentioned earlier in tip number 8, ensure your team understands your policies and procedures around data management, and educate them on what sensitive data is and how to handle it. Of course, this means you need to have written policies and appropriate procedures in place, both to protect information and to respond appropriately in the event of a data breach.
If you are seeking an up to date set of policies and procedures for aged and community care settings, check out the Total Quality Package from CDCS which includes an up to date full suite of policies and procedures that take the hassle out of ensuring you are compliant against aged care standards and legislative requirements. Head on over and get your immediate access to these valuable resources and much more.