Home working as a result of the Covid-19 pandemic has been a major step-change for those practices that can implement it.

Working from home might not be new for many practice managers, but social distancing means that it is no longer a ‘nice to have’ option. You may have more staff working from home than usual, some who have never done it before, so there’s going to be a need for some education, planning and checks to make sure everyone and everything is working properly.

Equipment setup aside, if any of your teams are working on patient data then you will need to consider data security as the priority.

Be wary of phishing scams

If there’s one thing you can guarantee with a major crisis, it’s that somebody out there trying to exploit it for their own ends. Cyber-criminals have been sending emails claiming to provide information or support in an attachment. As soon as you open it, you’re downloading their malware onto your device to take control and access whatever information they can find. Google say they have blocked over 126 million Covid-19 phishing scams in the last week alone, so be wary of what is coming into your inbox;

• Beware of requests for personal information. A coronavirus-themed email that wants your login information, bank details or anything similar is a phishing scam. Any legitimate organisation won’t ask for that kind of information, so never share it.
• Check the email address or link. I’ve had some emails allegedly from our IT team saying I’ve had emails quarantined and I need to click a link to get them. A quick check showed that it came from an “alan@gmail.com”, so clearly not an internal email address, so I let our IT people know. You can hover over the sender’s name or the weblink to see where it leads. Sometimes, it’s obvious, but keep in mind phishers can create links that closely resemble a real address
• Watch for spelling and grammar mistakes. If you see some very obvious spelling, punctuation, and grammatical errors, it’s more than likely it’s a phishing email.
• Generic greetings. Most phishing emails are unlikely to use your name. A greeting like “Dear sir or madam” or even “firstname.lastname” is a giveaway.
• Avoid emails that want you to ‘act now’. Phishing emails will try and confuse you, saying it’s urgent to do something right this minute – all they want you to do is stop thinking and just click that link and tell them what they want to know right now. Instead, delete the message.

Ensure all security is up to date

If you or your staff are working from home, they may already have security software installed on their devices, but it’s essential that they also have device encryption, firewalls and web filtering. Your Homeworking Policy should include a checklist that must be completed to ensure they have the necessary security and protection.

• Don’t use public WiFi – work offline until you can connect to a secure network.
• Device encryption will protect any access to patient information, but each device they use should have their network security completely up to date.
• Ensure your home broadband router admin/default password has been changed – most cyber-criminals can access networks because people have not changed them since they were installed.
• Make sure you are running the latest software versions on all your devices.
• If you are regularly sending documents via email, think about password-protecting them before you do

Confidentiality and IG considerations

Practices would be connecting to the N3 network, so your devices should be able to access it remotely and with the right level of encryption – check with your local IT team whether that is the case. You should take all steps that are necessary to ensure that information is not disclosed.

• Be aware of your PCN’s network security policies
• If you are in an easily accessible location where people can see your screens, get a screen protector or think about moving your workstation.
• All information stored and accessed (including written information and that held on computer) is secure and cannot be accessed by anyone else.

Keep your device and information safe

You might think keeping your laptop hidden behind the sofa when you’re not using is good enough, but it’s easy pickings for thieves and hackers if you don’t secure them properly. Always keep all your work devices locked up when not in use.

• Never leave equipment unattended, anywhere – always lock your device screen when not in use
• Devices and any printed documents should be locked away when not in use.
• Never allow anyone else to use your machine at home (or anywhere else)
• Never allow anyone else such as family members to access your devices for personal use such as internet browsing

Keep your Homeworking policy up to date 

You should have a strong remote home-working policy in place to guide your staff operations, but it is essential to ensure that they understand how to gather and access data transparently with respect

Depending on the experience of your staff (not everyone is as IT literate as you might think), see if you can either get (or write your own) instructions on how to securely log on to the right remote networks - having a series of 'How to…' guides will make it easier for your teams and reduce the number of calls to you or the IT desk. For example, you might produce a 'How to log into and use an online collaboration tool' guide.

Homeworking has previously only been available to a small group of practice roles before all this happened, but that has scaled up since the lockdown came into force. Your staff might feel more exposed to cyber threats when working outside the office environment, so now is a great time for them to work through the policy and be sure they are doing the right thing.

First Practice Management members can access our Homeworking Policy, along with a wide range of regularly updated draft policies and documents relating to information security and governance from our FPM Core database.