Thursday, 23rd Nov 2017

Jul 15

Secure Online Services

Does your practice website compromise the security of your patients' confidential information?

If your practice website offers online services to your patients, providing them with facilities to order repeat prescriptions, update their contact details, or cancel and request appointments, are these services secure?

As clinical professionals, you will be aware that patient-related information is confidential. It is paramount that you ensure the confidentiality, security and integrity of any patient-related information. This includes internet-based systems such as your practice website and the security of your patients' online service requests.

End-to-end security?

Ensuring that you have end-to-end security is an area where a practice should request clarification from their clinical website provider. To answer this question you should appreciate that there are two key areas which must be secured to ensure the confidentiality of the sensitive patient information volunteered when requesting online services.

The first area to confirm is that any online service request requires the patient to enter their personal information over a secure channel. This means providing patients with an SSL-enabled system which allows them to securely enter their online service request containing personal information.

The submission of a patient's personal information on the practice website could be over one of two channels:

  • HTTPS (web) – A secure encrypted channel that encrypts the patient's personal information across the internet as they enter their details to submit their online service request to the practice website.
  • HTTP (web) – An insecure unencrypted channel that results in the patient sending their personal information across the internet in cleartext as they submit their online service request to the practice website.

The second area to confirm is that the patient's online service request is then transmitted to the practice using a secure channel. This requires the practice to retrieve the patient's online service request containing personal information over an encrypted channel.

The retrieval of a patient's personal information from the practice website could be over one of two channels:

  • HTTPS (web) / TLS (email) – A secure encrypted channel that encrypts the patient's personal information across the internet as the practice recalls the details so they can act on the patient's online service request.
  • HTTP (web) / SMTP (email) – An insecure unencrypted channel that results in the practice retrieving a patient's personal information across the internet in cleartext so they can act on the patient's online service request.
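The two areas above can each be checked by a practice without taking the supplier's word for it. The following is an added example, not OurPractice code: the first function lists the forms on a page that would submit over plain HTTP (including forms with a relative action on a page that is itself served over HTTP), and the second parses an SMTP server's EHLO reply to see whether it advertises STARTTLS. The page HTML, URLs and EHLO replies are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def cleartext_form_actions(page_url, html):
    """Return the absolute URLs of forms that would submit patient data over HTTP."""
    parser = _FormActions()
    parser.feed(html)
    insecure = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # an empty action submits back to page_url
        if urlparse(target).scheme.lower() != "https":
            insecure.append(target)
    return insecure


def smtp_offers_starttls(ehlo_reply):
    """Parse a raw EHLO reply; True only if a 250 line advertises STARTTLS."""
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False


# Constructed sample inputs (hostnames are placeholders, not real practices).
PAGE_URL = "https://www.example-practice.invalid/online-services"
SAMPLE_HTML = """<html><body>
<form action="/repeat-prescription" method="post"></form>
<form action="http://legacy.example-practice.invalid/appointments" method="post"></form>
<form method="post"></form>
</body></html>"""
EHLO_WITH_TLS = "250-mail.example-practice.invalid\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_NO_TLS = "250-mail.example-practice.invalid\r\n250-SIZE 52428800\r\n250 HELP\r\n"
```

Against a live mail server the same question is answered by the standard library's `smtplib.SMTP(host).ehlo()` followed by `has_extn("starttls")`; note that an advertised STARTTLS only shows the hop to that server can be encrypted, not that every hop to the practice's mailbox is.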

Are we secure?

Considering the requirement to both submit and retrieve confidential patient information entered during an online service request, there are three potential combinations which could be provided to the practice by their website supplier:

  • Submission: Secure / Retrieval: Secure

This combination requires a secure encrypted submission channel, where patients enter their confidential personal information to submit an online service request, and a secure encrypted retrieval channel for the practice to retrieve the patient's details in order to act on the online service request.

The secure submission channel would normally be an SSL-protected (HTTPS) website, and the secure retrieval channel would normally be either an SSL-protected (HTTPS) website or a TLS-protected email transfer.

OurPractice considers the security, confidentiality and integrity of confidential patient information an integral part of the website service. You can be assured that an OurPractice website secures your patients' information with encrypted channels for both submission by the patient and retrieval by the practice.

  • Submission: Secure / Retrieval: Insecure

This combination results from a secure encrypted submission channel, where patients enter their confidential personal information to submit an online service request, and an insecure retrieval channel for the practice to retrieve the patient's details in order to act on the online service request.

The secure submission channel would normally be an SSL-protected (HTTPS) website, and the insecure retrieval channel is likely to be an unencrypted (SMTP) email transfer.

  • Submission: Insecure / Retrieval: Insecure

This combination results from both an insecure submission channel, where patients enter their confidential personal information to submit an online service request, and an insecure retrieval channel for the practice to retrieve the patient's details in order to act on the online service request.

The insecure submission channel is likely to be an unprotected (HTTP) website, and the insecure retrieval channel is likely to be an unencrypted (SMTP) email transfer.

Why is email insecure?

Using standard email as the retrieval method for confidential patient information entered during the submission of a patient's online service request is inherently insecure because of the cleartext (SMTP) protocol used during the transmission of email.

In contrast, SMTP over TLS (Transport Layer Security) secures the same email transfer. It is intended to provide authentication of the communicating parties, as well as data integrity and confidentiality. The client and server still speak normal SMTP at the application layer, but the connection carrying it is encrypted by TLS.

Currently, sending a standard email to an nhs.net email address (e.g. practice.name@nhs.net) is insecure, as nhs.net does not currently appear to support a secure gateway-to-gateway TLS connection even if the sending email service does. A standard email containing confidential patient information sent to an nhs.net email address for retrieval of a patient's online service request is not encrypted and is sent as cleartext. A more detailed analysis of the current nhs.net email transport layer is in progress.

What should we do?

Having a technical insight into the submission and retrieval of patient information, should you be asking your website supplier: “Does our practice website compromise the security of our patients' confidential information?”

Jul 06

OurPractice Login

The following information explains what happens when access to an OurPractice Login account appears to be blocked.

The OurPractice system has several security features. One of them blocks access to the account login area for a period of time when a user tries to access the OurPractice Login area with the wrong username or password a number of times within a short timespan. The user will receive an access denied message during this period, and the system logs these events for security monitoring purposes.

In the event of receiving an access denied message, the practice is advised to wait for the block on the account login area to time out, at which point access will be unblocked. The practice should ensure that all users who require access to the OurPractice Login area are supplied with the correct username and password and are aware of this security feature.

The point of this security feature is to limit the rate of login attempts by a client, which helps to mitigate brute-force account and password guessing attempts. The feature blocks a client from making further attempts once a specified limit on retries is reached, making a brute-force attack difficult or impossible.

This is an OurPractice security feature which is in place for the benefit of the practice.
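The mechanism described in this post, a failed-login throttle that blocks a client after too many wrong attempts in a short window and then unblocks after a timeout, can be implemented as below. This is an added example, not OurPractice's implementation; the limits, the lockout duration and the choice of what identifies a "client" (here any hashable key such as a source address or username) are assumptions.

```python
import time
from collections import deque


class LoginThrottle:
    """Block a client after max_attempts failed logins within window seconds."""

    def __init__(self, max_attempts=5, window=60.0, lockout=900.0, clock=time.monotonic):
        self.max_attempts = max_attempts  # assumed limit on retries
        self.window = window              # assumed "short timespan" in seconds
        self.lockout = lockout            # assumed block duration in seconds
        self.clock = clock                # injectable so the behaviour can be tested offline
        self._failures = {}               # client -> deque of failure timestamps
        self._blocked_until = {}          # client -> time at which the block expires
        self.events = []                  # security log entries for monitoring

    def is_blocked(self, client):
        """True while the client's block is in force; clears it once it has timed out."""
        until = self._blocked_until.get(client)
        if until is None:
            return False
        if self.clock() >= until:
            del self._blocked_until[client]
            self._failures.pop(client, None)
            self.events.append(("unblocked", client, self.clock()))
            return False
        return True

    def record_failure(self, client):
        """Call after a wrong username or password; returns True if the client is now blocked."""
        now = self.clock()
        attempts = self._failures.setdefault(client, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:  # forget failures outside the window
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            self._blocked_until[client] = now + self.lockout
            self.events.append(("blocked", client, now))
            return True
        return False

    def record_success(self, client):
        """A correct login resets the failure history for that client."""
        self._failures.pop(client, None)


def attempt_login(throttle, client, credentials_ok):
    """Outcome of one login attempt: 'denied' while blocked, else 'ok' or 'wrong-credentials'."""
    if throttle.is_blocked(client):
        return "denied"
    if credentials_ok:
        throttle.record_success(client)
        return "ok"
    throttle.record_failure(client)
    return "wrong-credentials"
```

Even a correct password is answered with "denied" during the lockout, which is what the post's advice to wait for the timeout refers to.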

Jun 16

Department of Health & WordPress

OurPractice clinical websites are built using the WordPress Content Management System (CMS) which is also used by the Department of Health (DoH) for their own corporate website, which you can see at www.doh.gov.uk.

There are now at least four Whitehall departments running their primary websites on WordPress: Transport, Health, Defra, the Wales Office and Downing Street and several – Cabinet Office, BIS, DFID, DECC – use it for secondary elements of their corporate websites.

WordPress is an open-source CMS, and with a WordPress-powered website provided by OurPractice you can be confident that you are in good company and working with the most progressive website provider for clinical professionals in the UK. OurPractice websites feature original themes, are great value for money and include secure, proven and effective Online Services for the use of your clients.

For more information about the DoH implementation of WordPress on their main website, see Stephen Hale’s Department of Health blog.

Jun 14

Internet Explorer 6 Countdown

Internet Explorer 6 can still be seen in GP practices. According to Microsoft there are many benefits of upgrading to a newer version of a web browser: improved speed, tabbed browsing, and better privacy settings, to name a few.

The web has changed significantly over the past 10 years. The browser has evolved to adapt to new web technologies, and the latest versions of web browsers help protect you from new attacks and threats. Microsoft recommends that Internet Explorer 6 users install a newer web browser for a safer browsing experience.

The Internet Explorer 6 Countdown website is dedicated to watching Internet Explorer 6 usage drop to less than 1% worldwide, so more websites can choose to drop support for Internet Explorer 6, saving hours of work for web developers. Source: www.ie6countdown.com

OurPractice websites do not support Internet Explorer 6 and will display the splash screen above to Internet Explorer 6 visitors which encourages them to install a new browser while still providing them with the option to proceed to the website.

Jun 01

EU Cookie Law

New EU cookie law (e-Privacy Directive)

The Information Commissioner’s Office has released this guide to the new EU cookie law.

Cookie Law Explained

On May 26th 2011 a new EU-originated law came into effect that requires website owners to make significant changes to their sites and may fundamentally change the whole web browsing and shopping experience for everybody. This Cookie Law is amended privacy legislation that requires websites to obtain informed consent from visitors before they can store or retrieve any information on a computer or any other web-connected device.

Cookie Compliance

Cookies are used by almost all websites, for a variety of purposes:

  • Analysis of visitor behaviour (known as ‘analytics’)
  • To personalise pages and remember visitor preferences
  • To manage shopping carts in online stores
  • To track people across websites and deliver targeted advertising

OurPractice Cookies

OurPractice is observing the requirements of the EU cookie law and has implemented a mechanism to enable your website to comply with UK and EU law on cookies.
