Setting up secure networks

Do I trust the network that I’m connected to?

The local network you connect to facilitates access to all of your internet-based applications. This includes most EMRs and productivity suites like Office 365 or Google Workspace. Public networks (at cafes or hotels) can be fake and expose your account credentials or other internet traffic. Confirm the network ID with a staff member before connecting and consider use of a Virtual Private Network (VPN), detailed below. 

Have I taken the time to configure my home network?

Understanding some basics about your home network can give you more peace of mind when working from home. While the clinic or health authority may have dedicated IT staff, at home it’s up to you. Making sure your firewall is enabled, securing your home Wi-Fi, and changing default passwords are some simple steps that can make it substantially more difficult for others to gain access to patient information. Check out more information on router configuration [click to anchor in section below] to secure your home network quickly and effectively. 

Am I able to keep physical control over my devices? 

When working with patient information remotely, consider the physical management of your devices. Lock your screen or take your device with you when you step away. Orient your screen such that others cannot see patient information. Do not share your device with family members or friends as their activities can compromise other data on your device, including access to your EMR.

Do my accounts have strong passwords and multi-factor authentication (MFA)? 

Account management is a pillar in protecting patient information. Learn more about managing user accounts and find helpful tips on how to manage your passwords with ease and the value of MFA in keeping patient information secure. 

Tools for secure remote work

Virtual Private Networks (VPNs)

Communicating over the internet inherently carries more risk than communicating with devices within your home or clinic network. VPNs create an encrypted tunnel between your device and a VPN server over the internet, making it more difficult for someone to intercept any data that you send or receive. Use of a VPN in daily web browsing is becoming more commonplace. Although it can be used anywhere, it is particularly useful when you are connecting to a network where you may not have full visibility into other users’ activities. For this reason, the Canadian Centre for Cyber Security recommends use of a VPN as a safeguard for many aspects of remote work. DTO can help answer questions related to VPN use specific to your needs. 

How do I get a VPN? 

Consumer VPN solutions can be purchased for relatively low cost ($5-$15 per month per user). Searching for top VPN solutions will yield a selection of the most popular options, with many features comparison articles. These solutions will hide your IP, encrypt your internet traffic, and provide reasonable protection when on networks you may not fully trust. Some may even have features that alert you if you connect to a malicious network. Your clinic may have a specially configured VPN that allows you to remotely access clinic applications securely. Configuring a custom VPN solution for access to your clinic network requires intermediate to advanced IT knowledge. This is useful if you maintain servers or data on-site or require location specific access to some of your clinic applications. Speak with your IT provider or contact DTO to learn more.

Router configuration and wireless (WiFi) access

Internet connectivity is essential in the modern clinic. Whether accessing your EMR or your clinic applications, configuring your network equipment is a critical step in protecting your patients' personal health information. This section provides tips on how to make basic changes to common settings that improve network security both at the clinic and at home. Contact us for questions about security on the Private Physician Network (PPN).

When assessing your network, ask yourself: 

 Is my firewall enabled and configured to a high security level? 

A firewall is a network security system that monitors and controls incoming and outgoing network traffic. It may be included with the device (router) provided by your internet service provider (ISP) or separately installed by an IT professional. In clinics, firewalls are generally configured to restrict most incoming network traffic to limit the ability for malicious actors to gain access to your local clinic computer network. Contact DTO if you need help getting started assessing your firewall configuration. 

Have I changed my router administrator username and password? 

Your router controls many of your network settings and functions. Routers come with a default username and password (often “admin”) that are well known for each make and model. Changing these settings from the defaults reduces the risk of someone gaining access to your network. 

Have I configured my wireless network (Wi-Fi) settings? 

Properly securing a wireless network in a clinical setting is complex. Commonly, your wireless access is included with the router provided by your ISP. When you log into your router, you will also have access to a variety of wireless settings, including encryption, passwords, and guest accounts.

Wireless network configuration

Regardless of what type of router or wireless access device you may have, the setting options are typically similar across different makes and models. Consumer grade equipment may not give you access to all the following settings, but business-class network equipment will. Look for the following settings and configure them as follows for optimal performance and security: 

1. Use the appropriate network band setting (5GHz vs 2.4GHz). 

The 2.4 GHz band provides greater physical coverage but transmits data at slower speeds and may have congestion from other nearby networks and active network devices. Use this setting for devices that are distant from the access point or travel through several walls. The 5 GHz band provides coverage over a shorter distance but transmits data at faster speeds. The range is shorter in the 5 GHz band because higher frequencies cannot penetrate solid objects, such as walls and floors. Use this frequency for devices close to the router or that will be transmitting high volumes of data. 

2. Disguise your wireless network name (Service Set Identifier or SSID). 

The names of wireless networks are visible to the nearby public on their devices. Choose a name for your clinic wireless network that does not indicate to outsiders that the network belongs to a clinic. Having a custom network name immediately signals that your network has been configured and is less vulnerable. 

3. Disable remote and Wi-Fi administration for your network device. 

There is no need to "administer" your Wi-Fi using a wireless computer, especially if you have at least one computer connected using a physical network cable. Only use remote administration if you and your IT support staff identify it as necessary. 

4. Modify your wireless encryption protocol settings.

Set the wireless encryption protocol setting to Wi-Fi Protected Access II (WPA2 or WPA3). This setting includes the Advanced Encryption Protocol (AES) standard, which is the industry standard at time of writing. 

5. Separate public Wi-Fi from the clinic network.

You may wish to provide a public Wi-Fi network for your patient waiting room or for others outside of your clinic team to use. Business class devices will allow you to create a separate wireless network, with its own name and password, which keeps your patients activity separate from your clinic activity. 

6. Disable Wi-Fi Protected Setup (WPS) feature.

WPS is a setting that allows devices to connect to your router without a password. It is often in the form of a physical push button on your router. This setting is generally not useful for clinics and represents a security risk. 

Other router and network considerations 

1. Physical placement of routers and wireless access points.

Physical access to network equipment should be restricted to clinic staff only. If someone arrives at the clinic claiming to be tech support, ask for identification and verify they are from a legitimate company. Furthermore, the placement of devices can have a significant impact on performance. Consult with your IT support to determine the best location. 

2. Disable the Wi-Fi Sense feature on Windows 10 workstations.

The Windows Wi-Fi Sense feature allows you to share Wi-Fi connections with others without knowing each other's passwords. Windows automatically identifies these individuals as anyone in your Outlook or Skype contacts, or optionally, your Facebook contacts, using this feature. This type of automatic access sharing is not appropriate for the business-use network at a clinic and should be disabled. 

3. Keep network device firmware up to date.

Network devices like your routers, firewalls and wireless access points will periodically receive firmware updates from the manufacturer. Often these updates require you to manually activate them by logging into your router using your administrator username and password. Keeping firmware up to date helps ensure that newly discovered vulnerabilities are fixed, and your data stays secure.