Tuesday 27 September 2016

Remote danger? Why IT support and security is a primary concern

Systems & Information

Simon Wright
IT Manager

Simon is an IT Manager at a very large GP Surgery in the West Midlands, with 20,000 patients and 18 GPs. He has been in the IT industry for over 21 years, first as a programmer, then as a computer analyst/consultant/specialist. His present position involves dealing with the local PCT in all matters relating to Connecting for Health, as well as the normal day-to-day operation of over 65 computers within the surgery.

Who looks after the computers at your surgery? The medical secretary? Admin staff? Receptionist? You? Well, things may be about to change. The future of general practice is going to be more dependent than ever before on information technology, and payment is going to depend on quality of data. To ensure that your computers and data perform to the optimum standard, you need to guarantee you have suitable support structures in place. As surgeries become paper-light, you will become increasingly dependent on your computer system.

"Ah," you might say, "but under the new GMS contract the PCT looks after IT services, so it is not our problem." Wake up and smell the roses! Your PCT looks after all the surgeries in your area. It's worth considering: How many support people do they employ? What does your service level agreement (SLA) state on response times?

Our PCT has a three-day SLA. This means they will respond to our problems within three working days. Could you or your doctor manage without a computer for three days? The PCT will try to prioritise urgent problems, but with dozens of surgeries and probably only a handful of support technicians, your priority may not be the same as theirs.

If you employ an experienced IT person in your own practice, they may be able to fix the problem immediately. I know what you are thinking – "We cannot employ someone merely for the odd occasion we have a computer problem." And this is exactly what your PCT will say if you demand more manpower at their end. But if you do have an in-house IT person, you will soon find all kinds of tasks suited to their skills to keep them fully occupied – creating templates, running searches, creating posters, leaflets, surgery intranet, surgery website, etc.

Remote access programs
One of the options available to PCT IT departments needing to support large numbers of surgeries with minimal staff is to use remote access software, such as LANDesk or PC Anywhere. These programs allow technicians based in your local PCT service centre to log on to your computers and take control without being onsite. They are able to run programs and view error logs in an attempt to fix problems. Remote access programs also enable IT staff to view any other data that may be stored on your local computer.

Before an IT technician can gain access to your system, they should have to contact the surgery and get someone to accept the incoming call. If you decide not to allow them access, you can deny their log-in. Remote access programs usually show you what the technicians are actually doing on your computer in real time. It is therefore important that you watch what they are doing, even if you don't fully understand it. If you think they are trying to access private information, you should have the option to "pull the plug".

Remember not to give them passwords to private details such as payroll or, if you do, remember to change them as soon as they have finished what was required. PCT staff are covered by confidentiality agreements, but you still don't want them seeing private information.

Also, ensure that when IT technicians have finished they log off; with an N3 connection, your computers are always connected to the PCT network/internet. This means it would be possible for anyone to log back on to your computer after you have finished for the day unless you remember to shut down the computer before you leave.

A possible disadvantage of remote access systems such as LANDesk is that your local PCT may use it to run an audit of your computer hardware and software without your knowledge. They can check exactly what software you have installed on your computers and can also use remote software to restrict your access rights to the computer, in order to stop you being able to load any software programs without their permission.

Good host?
Many PCTs around the country are looking at "hosted" services as a means of providing clinical software to their surgeries. This means that you would no longer have a server within your practice. Your system would be on a computer located at either your PCT IT department or your system supplier. You no longer have to worry about making a safe backup. You don't have the concern of ensuring your server is safe and secure. You will be connected to the server via your N3 connection.

There are several things you need to be aware of before considering a hosted service:

  • Is the N3 connection fast enough at your surgery to run your clinical system without significant slowdown?
  • How many other surgeries are going to be connected to this hosted system? How many PCs will be connected at peak times? This could cause potential slowdown of the system.
  • What contingency plans does the PCT have for power cuts or computer failure at the hosted server? If your system goes down, so will every other surgery within the area. Are there enough people in the PCT IT department to answer the phones? All surgeries will be trying to phone the hotline to see what has happened, which could mean quite a delay before you know why the system is down.
  • Will your surgery have its own area on the server that is backed up separately? This could be important if you ever lose data and need to restore your system from a backup. If it is a complete backup, it will affect other surgeries. You may have to wait until another surgery has finished using the system. Also, if another surgery needs something restoring, will you have to log out while their backup is restored?
  • Once the PCT has all your patient data onsite, how long will it be before they decide to run their audits across all systems, to extract the data they require, without telling the surgeries involved?

Ensuring data accuracy
For QOF monies and other payments, you must ensure data quality and accuracy of data input. Depending on your clinical system, the easiest way to ensure data accuracy is to use template entry whenever possible. Most clinical system suppliers provide basic templates to assist, but it is often better if you can modify or create your own to suit your own requirements.

To check your position you need to run reports or audits. Some systems provide means to achieve these reports with tools such as Population Manager or MSD software. However, more accurate results can be achieved by creating your own custom searches and reports.

System security
This is a vital area of NHS computing, which needs tightening up. There are several aspects to consider relating to IT security within the surgery environment:

  • First, make sure all computer kit is secure and can't be stolen:

          (a) Metal cages bolted to the floor can be purchased to fit around the computer box. However, these can be a little awkward and get in the way, and if a room needs rearranging or moving, it can be a major task to move and resecure the cage.
          (b) A steel security cable can be attached to the wall and padlocked to the computer security tag.
          (c) Ensure that all rooms containing computer equipment can be locked when not in use.

  • Make a daily backup of all vital data to removable media (tape), and store it offsite. This should either be encrypted or only restorable on a password-protected system.
  • Have an up-to-date antivirus system running on all computers, and make sure it receives regular updates from the supplier.
  • Turn on a firewall on each computer. This is a software block that attempts to control what information can enter and leave your computer.
  • All users must have a unique individual password to gain access to the computer system. One of the major suppliers of clinical systems has set up entire surgeries with the same Windows username and password on every computer. This is no longer acceptable. You need to get individual log-on names and passwords for all staff. This also gives audit traceability for all operations carried out on the computer system. If set up correctly, this also has the benefit of allowing users to get their own working environment and files correctly set up automatically on the computer they are currently using, when they log on to any computer in the network.
  • Have a practice policy regarding internet usage, and ensure that all staff are aware of the types of websites they can and cannot access. Make sure that staff do not download software that could contain viruses.
  • Only open emails you are expecting, unless you know they are from a reliable source. Even then, do not download or open pictures forwarded by friends or colleagues simply because they found them amusing after someone else sent them on. This is how the vast majority of computer viruses are spread.
  • Finally, make sure that when people leave a computer they log out and shut down the computer. With an N3 connection, a computer left switched on could be accessed via the internet by any hacker.