Ensuring your network is configured and trusted, whether in the clinic, at home, or from another remote location, is critical to protecting patient information. Here you will learn how to:
- Perform basic configuration of your clinic and home network equipment.
- Understand the risks when working remotely and how to mitigate them.
Installing and configuring network equipment as part of a new clinic build or move is a complex undertaking. We recommend working with an IT support provider to configure equipment for your clinic’s unique needs.
What is the Private Physician Network?
The Private Physician Network (PPN) is the private, high-speed network available to physicians and practice staff to enable secure access to clinical information in their electronic medical record (EMR) systems. Provincial Health Services Authority (PHSA) offers the PPN service as part of a province-wide initiative. As of 2023, the PPN supports over 900 clinics including over 4500 clinicians. DTO provides escalation support when PPN issues arise.
The common path for PPN-related performance or application issues is Clinic (or Clinic IT) > EMR Vendor > Telus PPN Support > PHSA.
Please contact the Doctors Technology Office if issues cannot be resolved through the channels above.
Working remotely
Modern medical practice extends beyond the clinic walls. This section provides tips on how clinic staff can ensure security best practices are in place to protect personal health information while caring for their patients from home or on the go.
When working remotely, ask yourself:
- Do I trust the network that I’m connected to?
The local network you connect to facilitates access to all your internet-based applications. This includes most EMRs and productivity suites such as Office 365 or Google Workspace. Public networks (at cafes or hotels) may not be secure and may expose your account credentials to others using the same network. Confirm the network ID with a staff member before connecting and consider using a Virtual Private Network (VPN).
- Have I taken the time to configure my home network?
Understanding some basics about your home network can give you more peace of mind when working from home. While the clinic or health authority may have dedicated IT staff, at home it’s up to you. Making sure your firewall is enabled, securing your home Wi-Fi, and changing default passwords are some simple steps that can make it substantially more difficult for others to gain access to patient information. Check out more information on router configuration to secure your home network quickly and effectively.
- Am I able to keep physical control over my devices?
When working remotely with patients, consider the physical management of your devices. Lock your screen or take your device with you when you step away. Orient your screen so others cannot see patient information. Do not share your device with family members or friends, as their activities can compromise other data on your device, including access to your EMR.
- Do my accounts have strong passwords and multi-factor authentication (MFA)?
Account management is a pillar in protecting patient information. Learn more about managing user accounts and find helpful tips on how to manage your passwords with ease and the value of MFA in keeping patient information secure.
Tools for secure remote work—Using a VPN
Virtual Private Networks (VPNs)
Communicating over the internet carries more risk than communicating with devices within your home or clinic network. VPNs create an encrypted tunnel between your device and a VPN server over the internet, making it more difficult for someone to intercept any data that you send or receive. The use of a VPN in daily web browsing is becoming more commonplace. Although a VPN can be used anywhere, it is particularly useful when you are connecting to a network where you may not have full visibility into other users’ activities. For this reason, the Canadian Centre for Cyber Security recommends use of a VPN as a safeguard for many aspects of remote work. DTO can help answer questions related to VPN use specific to your needs.
How do I get a VPN?
Consumer VPN solutions can be purchased for a relatively low cost ($5 - $15 per month per user). Searching for top VPN solutions will yield a selection of the most popular options, with many feature comparison articles. These solutions will hide your IP, encrypt your internet traffic, and provide reasonable protection when on networks you may not fully trust. Some may even have features that alert you if you connect to a malicious network.
Your clinic may have a specially configured VPN that allows you to remotely access clinic applications securely. Configuring a custom VPN solution for access to your clinic network requires intermediate to advanced IT knowledge. This is useful if you maintain servers or data on-site or require location-specific access to some of your clinic applications. Speak with your IT provider or contact DTO to learn more.
Router configuration and wireless (WiFi) access
Internet connectivity is essential in the modern clinic. Whether accessing your EMR or your clinic applications, configuring your network equipment is a critical step in protecting your patients' personal health information. Here you’ll learn how to make basic changes to common settings that improve network security both at the clinic and at home. Contact us for questions about security on the Private Physician Network (PPN).
Questions to assess your network:
Is my firewall enabled and configured to a high security level?
A firewall is a network security system that monitors and controls incoming and outgoing network traffic. It may be included with the device (router) provided by your internet service provider (ISP) or separately installed by an IT professional. In clinics, firewalls are generally configured to restrict most incoming network traffic to limit the ability for malicious actors to gain access to your local clinic computer network. Contact DTO if you need help getting started assessing your firewall configuration.
Have I changed my router administrator username and password?
Your router controls many of your network settings and functions. Routers come with a default username and password (often “admin”) that are well known for each make and model. Changing these settings from the defaults reduces the risk of someone gaining access to your network.
Have I configured my wireless network (Wi-Fi) settings?
Properly securing a wireless network in a clinical setting is complex. Your wireless access is commonly included with the router provided by your ISP. When you log into your router, you will also have access to a variety of wireless settings, including encryption, passwords, and guest accounts.
Configuring your wireless network
Regardless of the type of router or wireless access device you may have, the settings options are typically similar across different makes and models. Consumer-grade equipment may not give you access to all the following settings, but business-class network equipment will. Look for the following settings and configure them as follows for optimal performance and security:
- Use the appropriate network band setting (5GHz vs 2.4GHz).
The 2.4 GHz band provides greater physical coverage but transmits data at slower speeds. It may also have congestion from other nearby networks and active network devices. Use this setting for devices that are distant from the access point or whose signal must travel through several walls. The 5 GHz band provides coverage over a shorter distance but transmits data at faster speeds. The range is shorter in the 5 GHz band because higher frequencies do not penetrate solid objects, such as walls and floors, as well. Use this frequency for devices close to the router or that will be transmitting high volumes of data.
- Disguise your wireless network name (Service Set Identifier or SSID).
The names of wireless networks are visible to the nearby public on their devices. Choose a name for your clinic wireless network that does not indicate to outsiders that the network belongs to a clinic. Having a custom network name immediately signals that your network has been configured and is less vulnerable.
- Disable remote and Wi-Fi administration for your network device.
There is no need to "administer" your Wi-Fi using a wireless computer, especially if you have at least one computer connected using a physical network cable. Only use remote administration if you and your IT support staff identify it as necessary.
- Modify your wireless encryption protocol settings.
Set the wireless encryption protocol to Wi-Fi Protected Access 2 or 3 (WPA2 or WPA3). This setting includes the Advanced Encryption Standard (AES), which is the industry standard at the time of writing.
- Separate public Wi-Fi from the clinic network.
You may wish to provide a public Wi-Fi network for your patient waiting room, or for others outside of your clinic team to use. Business-class devices will allow you to create a separate wireless network, with its own name and password, which keeps your patients’ activity separate from your clinic activity.
- Disable Wi-Fi Protected Setup (WPS) feature.
WPS is a setting that allows devices to connect to your router without a password. It is often in the form of a physical push button on your router. This setting is generally not useful for clinics and represents a security risk.
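To check the encryption and network-name items above from a Windows workstation, the output of `netsh wlan show networks mode=bssid` can be audited automatically. The following is an added example, not part of the original guidance; the sample scan is constructed, and the keyword list and function names are assumptions.

```python
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output, trimmed to the fields used.
SAMPLE_SCAN = """\
SSID 1 : Maple Street Medical Clinic
    Authentication          : WPA-Personal
    Encryption              : TKIP

SSID 2 : Birchwood-5G
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 3 : Birchwood-Guest
    Authentication          : Open
    Encryption              : None
"""

REVEALING_WORDS = ("clinic", "medical", "doctor", "health")  # assumed list; adjust to your practice

def parse_scan(text):
    """Return one dict per SSID block with its name, authentication and encryption."""
    networks = []
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)  # does not match "BSSID n" lines
        if m:
            networks.append({"ssid": m.group(1).strip()})
            continue
        m = re.match(r"\s*(Authentication|Encryption)\s*:\s*(.*)$", line)
        if m and networks:
            networks[-1][m.group(1).lower()] = m.group(2).strip()
    return networks

def audit(network):
    """List the checklist items from the section above that this network fails."""
    findings = []
    if not network.get("authentication", "").startswith(("WPA2", "WPA3")):
        findings.append("authentication is not WPA2 or WPA3")
    if network.get("encryption") not in ("CCMP", "GCMP"):  # the AES-based ciphers
        findings.append("encryption is not AES-based")
    if any(word in network["ssid"].lower() for word in REVEALING_WORDS):
        findings.append("SSID identifies the network as a clinic")
    return findings

def audit_scan(text):
    return {n["ssid"]: audit(n) for n in parse_scan(text)}

if __name__ == "__main__":
    for ssid, findings in audit_scan(SAMPLE_SCAN).items():
        print(ssid, "->", findings or "OK")
```

WPS, remote administration, and guest-network separation are not visible in a scan and still need to be checked in the router's own settings.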
Other router and network considerations
- Physical placement of routers and wireless access points.
Physical access to network equipment should be restricted to clinic staff only. If someone arrives at the clinic claiming to be tech support, ask for identification and verify they are from a legitimate company. Furthermore, the placement of devices can have a significant impact on performance. Consult with your IT support to determine the best location.
- Disable the Wi-Fi Sense feature on Windows 10 workstations.
The Windows Wi-Fi Sense feature allows you to share Wi-Fi connections with others without knowing each other's passwords. Windows automatically identifies these individuals as anyone in your Outlook or Skype contacts, or optionally, your Facebook contacts, using this feature. This type of automatic access sharing is not appropriate for the business-use network at a clinic and should be disabled.
- Keep network device firmware up to date.
Network devices such as your routers, firewalls and wireless access points will periodically receive firmware updates from the manufacturer. These updates often require you to manually activate them by logging into your router using your administrator username and password. Keeping firmware up to date helps ensure that newly discovered vulnerabilities are fixed, and your data stays secure.