John Drummond, Director of CyberSquad IT Consulting interview with HotDoc — future of IT
What are some common IT issues you currently see in healthcare?
One of the most common scenarios I encounter when auditing general practice clinics, is the existence of unmanaged IT systems. It is not uncommon to come across IT systems in general practice that have no “patch management” in place, no anti-virus and security monitoring / reporting, no disaster recovery testing and maintenance plan, all which equal a huge risk. I often explain to my clients that an IT system is like a car, it requires regular maintenance. Sure, it will keep running without maintenance, but it will eventually malfunction, and when it does you are up for a lot of money and without your car for a week. Most specialist IT providers in the health sector will offer packages that include all of the above mentioned points. One of the main reasons hosted systems becoming more and more popular is that generally all of your maintenance will be included in your package.
What advice would you give to GP clinics around cyber security in the future?
Given the mandatory cyber-security reporting measures being implemented by the Australian government next year, now is the time to audit your IT security. Many of the practices that I visit run desktop anti-virus applications with the belief that this will protect them from viruses, malware, security breaches, hacking etc. The reality is that the people and organisations behind these attacks are highly organised and their methods have become very sophisticated. Desktop anti-virus will not protect your GP clinic, full stop.
Depending on your IT infrastructure I would recommend nothing less than a hardware based threat management device, ideally one that interacts with your desktop security agents. A threat management device is a physical piece of equipment that sits in-between your internet (outside world) and your internal IT network. It inspects every single packet of data going in and out of your clinic, including inspecting (and potentially blocking) email, websites staff visit, intruder hacking attempts, plus a host of other features. The company we use for our security can provide up to 100 updates an hour to the threat management device – giving your clinic the best possible up-to-date defence.
Providing adequate staff training and having written procedures and policies in place is equally important. 90% of crypto-locker (ransom-ware) attacks are distributed via email, so making sure your staff deal with incoming email in the correct manner is very important. I would also recommend to make sure that your current desktop security software is blocking USB and DVD-ROM access to end users. Another big risk is if your staff have the clinic WiFi password – this should never be allowed, under any circumstances. This would allow staff to connect their potentially unsecure devices directly to your internet practice network. I have even visited clinics that allow patients to access their internal WiFi, even on a ‘guest network’ this would be highly unadvised.
What advice would you give to GP clinics around cloud based vs on site data in the future?
Cloud or ‘hosted’ as I like to refer has certainty gained traction of the past 24 months. The hosted systems we are deploying for our clients are currently outweighing onsite deployments in the realm of 10 to 1. It is now a very rare occasion that we would be looking to deploy physical server hardware onsite at GP clinics. Obviously there has been a lot of conjecture around cloud systems within the health sector including where your data is actually stored, the ability to retrieve it in the event you wish to move providers and where are your backups? There are all very good questions to ask and research before making any decision to migrate to a cloud based system.
Having said that, and providing you get the right answers to your questions there are significant benefits with “the right” cloud based system. As an example your GP clinic may only have a single physical server responsible for your medical applications and data. This is a single point of failure. If that server malfunctions or is stolen, how long until a replacement server can be sought, data restored and functionality regained? In my experience the answer would be days, and not hours. How much does this cost your practice? Cloud hosted system can overcome this as they will generally have pools of high-availability enterprise servers. This means your cloud provider can have a server or several servers malfunction and their system will automatically fail-over to ensure you have zero down-time. The reality is that it is not financially viable for many GP clinics to deploy and maintain multiple physical servers onsite (3 servers being the absolute minimum for high-availability). My number 1 point when it comes to cloud based systems is that they provide you access to enterprise systems and services without forking out hundreds of thousands of dollars deploying and maintaining them yourself.
As for the negatives, the question I get asked the most is, “what happens if my internet goes down?”. The answer is generally simple, you cannot access your system and/or data. Obviously this is not what a client wants to hear, but luckily there are solutions. When we deploy our hosted systems we first make sure that our client has a stable internet connection at speeds that will not degrade performance. We provide routers that incorporate 4G LTE technology (mobile data) that automatically fail-over in the event your primary internet connection fails. To date we have never had a scenario where a client’s primary internet and backup 4G connection have failed simultaneously.
What predictions do you have for the future of IT in healthcare?