
Security of data storage

Data storage security is a very important issue that requires special attention. Cliniccards has implemented a set of solutions to protect each user from information leakage. At the same time, it is important to understand that the reliability of data storage primarily depends on you personally.

Therefore, in this guide, we will look at a number of settings that allow you to protect yourself from online attacks as much as possible. Both in Cliniccards and other resources.

Security settings in Cliniccards

Rule №1: 1 participant - 1 account

First of all, we want to emphasize that each clinic participant must have a separate account in Cliniccards. 

Personal accounts allow you to control the interaction of all participants with the Cliniccards system, and therefore with the clinic's protocols. 

Since every user action is recorded under a personal account, it is very easy to identify unauthorized access or abuse problems using the Change log report. This increases the level of responsibility and internal control.

Separate accounts help maintain data confidentiality. In the event of data loss or damage, it becomes possible to find the cause of the leak within a single clinic member, rather than all specialists.

Rule №2: Enable two-factor authentication

We would also like to emphasize that each clinic member must set up two-factor authentication for their account.

We also recommend that clinic owners activate the Allow access to the clinic only to specialists with two-factor authentication enabled option in the Settings → Other → Clinic settings section. 

The Two-factor authentication option allows you to configure an additional level of protection for your personal user profile. In Cliniccards, two-factor authentication is activated using the Google Authenticator application. 

Install Google Authenticator on your smartphone and activate it. With this type of two-factor authentication, the confirmation code for logging into Cliniccards will be shown to you in the Google Authenticator application. Follow the more detailed instructions provided when activating this type of authentication.

Such settings help protect every employee's account from unauthorized access. This is extremely important, since each clinic member works with patients' medical data, and this information is especially sensitive!

Rule № 3: Set up Access rights

The Access rights section of the settings allows you to regulate the management of the clinic and determine what information specialists can see and edit. 

With the help of access rights, you can regulate access to the following information:

  • specialists' work schedule and the ability to edit shifts;
  • patient appointment schedule;
  • personal data of patients, their finances, documents, visits, plans, or treatment history;
  • financial performance of the clinic - the amount of work performed, patient payments, expenses, income, and salary data;
  • access to financial and operational reports;
  • rights to customize the Cliniccards system in the clinic.

We recommend that you carefully set access rights for each clinic member in accordance with the internal work management, as this way you can exclude the possibility of data leakage due to unauthorized persons having access to them.

You can learn how each of the access rights works in detail by using the hints next to their names.

Pay particular attention to the access rights in the list below:

Access to the cards of only those patients with whom the doctor works

The Access to all patients of the clinic option lets you restrict a specialist's right to view the cards of patients they do not treat, that is, patients who have no visits to this doctor, or for whom this doctor is not marked in the treatment plan or history.

This minimizes the risk of accidental or intentional disclosure of confidential data and simplifies the risk management process in the clinic. 

Access to view patient photos

The access right to view patient photos allows or prohibits viewing photos and files contained in the patient's treatment history records, even if the photos and files were uploaded by the specialist.

Clinic staff have different levels of access to medical information depending on their roles and responsibilities. For example, doctors may have full access to the treatment history, while assistants or administrative staff may have limited access to only the necessary data. 

Access to patient finances

You can restrict access to the Finance section of the patient card, the Cash Desk section, payroll reports, and other clinic reports.

This way, only those specialists whose job responsibilities require it will have access to patient and clinic financial data. For example, the financial department or clinic managers may have access to financial reports, while medical staff usually do not have access to such data.

This restriction of access avoids leaks of financial data, such as medical bills, and helps prevent manipulation or fraud with financial information. 

Ability to share patients outside the clinic

Quite often, there is a need to share medical information about patients between different clinics or specialists. The access right Can share patients outside the clinic allows you to restrict the ability of certain specialists to share the treatment history or its stages with specialists from other clinics.

This right is an additional factor in protecting patient data from unauthorized disclosure outside the clinic, as it allows you to determine which participants are able to share the treatment history or its stages.

Remember that ensuring the security and confidentiality of data is a critical aspect of medical information exchange!

Rule №4: Access by IP

Access by IP lets you set up individual restrictions for each clinic employee on access to all or some of the data in the Cliniccards system.

Access by IP is used in cases where you need to restrict access to the virtual space of the clinic to specialists if they are outside the clinic. The following parameters of access to the Cliniccards virtual space can be configured for each employee separately:

  • Access from any IP - set by the system by default for all clinic members. Clinic employees have the right to log in to the virtual space of the clinic from their account and view the available information from any Internet access point.
  • Access only from authorized IPs - allows you to restrict the viewing of data in Cliniccards to employees if they are outside the clinic or use an unconfirmed Internet access point. 
  • Access only from authorized IPs except for schedule - allows you to restrict access to the clinic so that participants who log in from unverified IPs will be able to view only the schedule if they have access to it. 
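The three modes above amount to a per-employee decision rule: which of the resources an employee is already entitled to remain visible when the login comes from a given address. The following is an added example, not Cliniccards code, that models that rule with Python's standard `ipaddress` module. The mode names follow the page; the function names, the `schedule` resource name, the sample employees and the clinic's authorized network ranges (documentation addresses) are constructed assumptions for illustration.

```python
"""
Added example (not Cliniccards code): a model of the three "Access by IP"
modes, showing how a per-employee IP policy decides what a login from a
given address may see. Mode names follow the page; everything else
(function names, resource names, sample networks) is an assumption.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY_IP = "any"                        # Access from any IP (system default)
AUTHORIZED_ONLY = "authorized_only"   # Access only from authorized IPs
AUTHORIZED_EXCEPT_SCHEDULE = "authorized_except_schedule"  # ... except for schedule


@dataclass
class Employee:
    name: str
    ip_mode: str
    # Resources this employee's access rights already grant (assumed names).
    granted: frozenset = field(default_factory=frozenset)


def is_authorized_ip(client_ip: str, authorized_networks) -> bool:
    """True if client_ip falls inside any clinic-authorized network.

    ip_address() raises ValueError on a malformed address, so a garbage
    value can never be mistaken for a trusted one.
    """
    addr = ip_address(client_ip)
    return any(addr in net for net in authorized_networks)


def allowed_resources(employee: Employee, client_ip: str, authorized_networks) -> frozenset:
    """Return the subset of the employee's granted resources visible from client_ip."""
    if employee.ip_mode == ANY_IP:
        return employee.granted
    trusted = is_authorized_ip(client_ip, authorized_networks)
    if employee.ip_mode == AUTHORIZED_ONLY:
        return employee.granted if trusted else frozenset()
    if employee.ip_mode == AUTHORIZED_EXCEPT_SCHEDULE:
        if trusted:
            return employee.granted
        # From an unverified IP only the schedule is visible, and only if the
        # employee has the schedule right to begin with.
        return employee.granted & {"schedule"}
    raise ValueError(f"unknown IP mode: {employee.ip_mode!r}")


# Constructed sample data: the clinic's office network and a small VPN range.
CLINIC_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/28")]

SAMPLE_STAFF = [
    Employee("owner", ANY_IP, frozenset({"schedule", "patients", "finance"})),
    Employee("doctor", AUTHORIZED_ONLY, frozenset({"schedule", "patients"})),
    Employee("administrator", AUTHORIZED_EXCEPT_SCHEDULE, frozenset({"schedule", "patients"})),
]


def decide_all(client_ip: str, staff=SAMPLE_STAFF, networks=CLINIC_NETWORKS) -> dict:
    """What each sample employee would see when logging in from client_ip."""
    return {e.name: sorted(allowed_resources(e, client_ip, networks)) for e in staff}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.5"):
        print(ip, decide_all(ip))
```

Running the block shows the administrator in the "except for schedule" mode reduced to the schedule alone from the off-site address `192.0.2.5`, while the doctor in "authorized only" mode sees nothing; an employee without the schedule right gets an empty set even in the schedule-exception mode, which matches the page's "if they have access to it" condition.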

Rule №5: Time restrictions

In order to ensure a higher level of confidentiality of the clinic's work, we recommend that you restrict employees' access to editing data in the system, as well as restrict access to viewing reports for previous periods. You can do this in the Time restrictions section.

As a rule, such access rights are partially restricted for administrators, fully restricted for doctors and assistants, and full access to data editing and viewing financial reports is granted only to the owner and/or manager of the clinic.

Rule №6: Emergency blocking

Emergency blocking can be used in case of an unforeseen situation. For example, if the owner loses the device used to log in to the clinic.

To use this option, go to Settings → Access rights → Block clinic and confirm the locking action with your personal login password.

Please note that the emergency clinic lock function is available only to the clinic owner.

To restore access to the Cliniccards system data, the clinic owner needs to contact Cliniccards support and confirm their personal data. After verifying the owner's identity, the clinic will be unlocked.

Additional tools for monitoring security measures

1. Report Patients shared outside the clinic

The Patients shared outside the clinic report displays patient cards to which specialists from other clinics have been added.

We recommend that you review this report from time to time to control the confidentiality of patient data. Even if the clinic has restricted the right to share patient cards with specialists from other clinics, some specialists still have the right to share patient records.

If you find that someone who is not authorized to do so has access to the patient's card, go to the patient's card, click the Add doctor to patient's card button, and click the cross next to the name of the user from whom you want to remove access to the card. 

2. Use the Change log report

The Change log report allows you to track the actions of all clinic employees and stores the history of all changes to information in the Cliniccards system in a table.

Thus, in the event of security incidents or unwanted changes in any section of the system, the clinic owner can always check which account was used to perform the actions and correct the situation.
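Rule №5 and the Change log report go together: the time restrictions say who may edit which data and how far back, and the change log records who actually did. The following is an added example, not Cliniccards code, of reviewing an exported change log against such a policy so that the owner sees, per account, every action the rules do not allow. The column names, the role policy (owner unrestricted, administrators partially restricted, doctors and assistants fully restricted, as the page describes) and the log rows are all constructed for illustration; a real Cliniccards export will have its own format.

```python
"""
Added example (not Cliniccards code): review an exported change log to find
which account performed edits or report views that the clinic's time
restrictions and access rights do not allow. Column names, the role policy
and the log rows are constructed assumptions.
"""
import csv
from collections import defaultdict
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed sample export: who changed what, when, and the date of the
# record that was touched (to measure how far back the edit reached).
CHANGE_LOG_CSV = """timestamp,account,role,section,action,record_date
2024-05-06T09:12:00,dr.ivanova,doctor,treatment_history,edit,2024-05-06
2024-05-06T09:40:00,admin.petrov,administrator,schedule,edit,2024-05-06
2024-05-06T10:05:00,admin.petrov,administrator,finance,edit,2024-03-02
2024-05-06T11:30:00,assistant.ko,assistant,finance,view_report,2024-04-30
2024-05-06T12:00:00,owner,owner,finance,edit,2024-01-15
2024-05-07T08:15:00,dr.ivanova,doctor,treatment_history,edit,2024-02-01
"""

# Constructed policy mirroring the page's guidance: the owner is unrestricted,
# administrators are partially restricted (a 7-day editing window), doctors
# and assistants may only edit current-day records and see no financial reports.
POLICY = {
    "owner": {"edit": {"*"}, "view_report": {"*"}, "edit_window_days": None},
    "administrator": {"edit": {"schedule", "finance", "patients"},
                      "view_report": {"finance"}, "edit_window_days": 7},
    "doctor": {"edit": {"treatment_history", "schedule"},
               "view_report": set(), "edit_window_days": 0},
    "assistant": {"edit": {"treatment_history"},
                  "view_report": set(), "edit_window_days": 0},
}


def parse_change_log(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "account": row["account"],
            "role": row["role"],
            "section": row["section"],
            "action": row["action"],
            "record_date": date.fromisoformat(row["record_date"]),
        })
    return rows


def violation(row, policy=POLICY):
    """Return a reason string if the row breaks the policy, else None."""
    rules = policy.get(row["role"])
    if rules is None:
        return f"unknown role {row['role']!r}"
    allowed = rules.get(row["action"], set())
    if "*" not in allowed and row["section"] not in allowed:
        return f"{row['action']} on {row['section']} not permitted for {row['role']}"
    window = rules["edit_window_days"]
    if row["action"] == "edit" and window is not None:
        age = row["timestamp"].date() - row["record_date"]
        if age > timedelta(days=window):
            return f"edit of a record {age.days} days old exceeds {window}-day window"
    return None


def review(text, policy=POLICY):
    """Group violations by account so the owner can see who did what."""
    findings = defaultdict(list)
    for row in parse_change_log(text):
        reason = violation(row, policy)
        if reason:
            findings[row["account"]].append((row["timestamp"].isoformat(), reason))
    return dict(findings)


if __name__ == "__main__":
    for account, items in review(CHANGE_LOG_CSV).items():
        for when, reason in items:
            print(f"{when}  {account:14s}  {reason}")
```

Because every action is tied to one personal account (Rule №1), the output points at a specific login rather than at "the administrators" as a group; the same grouping is what makes the report useful after a suspected incident.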

Additional security measures

In addition to setting up security measures in Cliniccards, we also recommend that you follow these general rules of conduct with electronic devices and the Internet to help protect yourself from threats:

  • Always lock your devices with a strong password, PIN, pattern, or biometric means (Face ID, Touch ID, etc.);
  • Do not use the same password for different accounts. Passwords should always be complex and different;
  • Keep all software up to date and use reliable anti-virus programs;
  • Regularly backing up important files and storing backups in a safe place can also help protect against ransomware or other data loss. Remember that the Cliniccards system mirrors data daily, and the information is backed up in several Amazon data centers in Europe;
  • Set the computer screen to auto-lock after no more than 1 minute of inactivity. The laptop should also lock when you close the lid;
  • Do not install unlicensed, pirated, or unverified software and do not visit questionable websites and resources with an increased risk of virus activity;
  • Be sure to enable disk encryption;
  • Avoid connecting to a public/free Wi-Fi network, prefer to connect via a secure network or mobile device;
  • Beware of unsolicited and suspicious emails, text messages, and phone calls;
  • Never click on links or download attachments from unknown sources;
  • Always check the URL of a website before entering any sensitive information;
  • To make sure you are sending messages/information to the right person, call them first and verify their details and whether they have actually requested the information;
  • Accounts of friends and family can be hacked and used to send malicious links or files to their contact list. Be careful not to trust unexpected links and suspicious messages. Especially when they relate to urgent or financial matters;
  • Never connect to public charging stations or hotspots as they may be infected.

Types of online attacks

It's important to understand the risks of online attacks, because in order to protect information from them, you need to know your enemy, so to speak.

  • Phishing
    Phishing attacks are one of the most common threats; they aim to lure confidential information from you by any means necessary.
  • Vishing (voice phishing)
    A type of scam where an attacker uses calls to trick people into revealing sensitive information such as account passwords, access codes, or card numbers.
  • Smishing
    A type of phishing attack that uses SMS messages to trick you into clicking on a link or downloading malware.
  • QR Code phishing
    A relatively new type of phishing attack that involves scanning a QR code that redirects you to a malicious website.
  • Google Search Phishing
    A type of phishing attack that involves creating fake websites that appear in search results for a specific keyword. These fake websites look like the real thing and often ask you to enter your login credentials or other sensitive information.
  • Baiting
    Involves offering something desirable, such as free software or concert tickets, in exchange for personal information. 
  • Malware
    A type of software designed to infiltrate or damage computer systems without the owner's knowledge or consent. 
  • Ransomware
    A type of malware that encrypts a victim's files, making them inaccessible until the attacker receives a ransom.