POPIA
DIY

WEEK 4:
Electronic documents – protecting digital personal information

Last week we looked at how you can secure paper documents and files. For the next two weeks, we’re looking at how you should protect electronic personal information (PI). Think computers, cell phones, tablets, cloud storage, etc.

EMAIL – DON’T DO SOMETHING STUPID
Apparently email failures cause 30% of data breaches. Let’s not become part of that statistic, shall we?

TRY THIS INSTEAD
Whether you are sending PI via email to each other, pathology services, specialists, your patients, or your service providers, you should always be very careful.

  • Before hitting the send button, check who the recipients are. Are you sending this email to the correct Johan?
  • Protect important and sensitive information in password-protected documents sent as attachments, rather than putting it in the body of an email.
  • Ask for a ‘delivery receipt’ and a ‘read receipt’ if the information is important.
  • Don’t share one email account between more than one employee. Rather have an alias that sends to 2-3 email addresses.
  • Do not allow employees to use accounts such as Gmail or Yahoo for work purposes. They should use their official emails only.

DEVICES – WE ALL HAVE THEM
With the growing popularity of cell phones and tablets, chances are that your employees will want to use their own mobile devices for work purposes. Although this could have many benefits for your practice, you need to be aware of the risks. Regardless of where the PI is stored or accessed, you remain responsible for keeping it secure.

HOW DO WE MANAGE THIS?
You probably need a clear Bring Your Own Device (BYOD) policy. Read our top tips for drafting a BYOD policy. Introduce the new policy to your employees and make sure that it is part of the ‘starter pack’ for each new employee.

Security tips for devices:

  • Disable the autorun feature to prevent software programs from running automatically when removable storage media is connected to a computer or when network folders are accessed.
  • Use a password on each of your devices (desktop, cell phone, tablet, etc.). Make sure it is a strong password. Read more about creating strong passwords.
  • If you or your employees use hard drives or USB drives around the office, you should encrypt them (turn on BitLocker).
  • Require all devices to have anti-virus software installed and keep the software up to date. This helps prevent ransomware and other hacking attacks.
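If your practice runs Windows PCs, the three device tips that can be checked on the machine itself (autorun disabled, BitLocker on, anti-virus current) can be audited with a short read-only script. The script below is an added example, not part of the POPIA DIY material; it assumes Windows 10/11 Pro or Enterprise with Microsoft Defender, an elevated (administrator) PowerShell window, and treats anti-virus signatures older than 7 days as out of date (that threshold is an assumption, not a POPIA requirement).

```powershell
# Added example (not from the POPIA DIY newsletter): a read-only audit of the
# device tips above on one Windows PC. Run as administrator; the BitLocker and
# Defender cmdlets need Windows Pro/Enterprise with those features present.
# Each check returns an object so the results can be kept with your GAPS sheet.

function Test-AutorunDisabled {
    # Group Policy writes NoDriveTypeAutoRun here; 0xFF (255) disables AutoRun for all drive types.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [PSCustomObject]@{
        Check  = 'AutoRun disabled for all drive types'
        Pass   = ($value -eq 255)
        Detail = if ($null -eq $value) { 'NoDriveTypeAutoRun not set (Windows default applies)' } else { "NoDriveTypeAutoRun = $value" }
    }
}

function Test-BitLockerOn {
    # One result per volume that BitLocker knows about (fixed and removable drives with a letter).
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
    if (-not $volumes) {
        return [PSCustomObject]@{ Check = 'BitLocker'; Pass = $false; Detail = 'BitLocker cmdlets unavailable or no volumes reported' }
    }
    foreach ($v in $volumes) {
        [PSCustomObject]@{
            Check  = "BitLocker protection on $($v.MountPoint)"
            Pass   = ($v.ProtectionStatus -eq 'On')
            Detail = "VolumeStatus = $($v.VolumeStatus); ProtectionStatus = $($v.ProtectionStatus)"
        }
    }
}

function Test-AntivirusCurrent {
    # Microsoft Defender status. Signatures older than 7 days count as 'not up to date'
    # (the 7-day threshold is an assumption chosen for this example).
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $status) {
        return [PSCustomObject]@{ Check = 'Anti-virus'; Pass = $false; Detail = 'Get-MpComputerStatus unavailable (third-party AV or Defender disabled)' }
    }
    $ageDays = $status.AntivirusSignatureAge
    [PSCustomObject]@{
        Check  = 'Anti-virus enabled with current signatures'
        Pass   = ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled -and $ageDays -le 7)
        Detail = "Enabled = $($status.AntivirusEnabled); RealTime = $($status.RealTimeProtectionEnabled); signature age = $ageDays day(s)"
    }
}

# Run all checks and list failures first so the gaps stand out.
$results = @(Test-AutorunDisabled) + @(Test-BitLockerOn) + @(Test-AntivirusCurrent)
$results | Sort-Object Pass | Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass = False is a candidate for your GAPS sheet. The script only reads settings; changing them (enabling BitLocker, setting the autorun policy) should be done through your normal device setup process so the change is recorded.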

WHAT IF AN EMPLOYEE LEAVES? HOW DO I GET MY DATA BACK?
Put in place an employee exit process where you remove their email access from their devices and change the passwords on their accounts. Have them sign a declaration that they have deleted all work-related data from their personal hard drives and devices, and keep it on file. You don’t want ex-employees to have access to your or your patients’ data. This would be classified as a data breach in terms of POPIA.

Before we go: Did you see something to add to your GAPS sheet this week?
Any process that needs to be improved?

COMMUNICATE IT

You can send this infographic or brochure to your employees and share the rules around using personal devices, email and passwords that apply in your practice. Or create your own set of rules or policies and share them.

Remember to review your employment contracts and make sure you cover these rules, or include them in your employee policies.

Remember that you have a free one-hour consultation included with this programme!
Use it, and contact us if you have any questions about this week’s topic.