Over the years, our commitment to serving the doctors has only increased, and our partnership with you continuously drives us to do more, better. Data Privacy and Security has always served as one of the founding philosophies of Practo and we go to great lengths to make sure that it continues and evolves, come what may.
As a digital firm that helps establishments manage sensitive healthcare data, we have the best security features in place. However, complete security is possible only when users also take care in their daily handling of their accounts. This blog is our attempt to emphasise the importance of mindful management of digital accounts, be it Practo or any other.
Here are 5 tips to keep your account safe:
- Set a strong password and keep it to yourself
Your password is the first security barrier between your account and unauthorised access. Make sure that your password is not easy to guess. People commonly make the mistake of setting common phrases or personal information so that the password is easy to remember; such passwords are the easiest to crack. Never share your password with anyone. If multiple people need access, be judicious and grant it only to people you trust. For added measure, establish accountability so that possible security breaches can be traced.
Do not set a password that is easy to guess, e.g. your birthday or a common phrase like “password123”. To ensure sufficient password strength, we have integrated a password strength meter into our system; it uses current best practices to determine whether the password could be guessed easily by another person.
- Enable multi-factor authentication for your account
Two-factor authentication adds an extra layer of security to your account. In addition to your username and password, you’ll need to enter a code that Practo sends to you via text or an app on your phone.
Enable it in just 5 steps:
- Log in to Ray, i.e. ray.practo.com
- Go to the user icon at the top right and click “Account Settings”
- Click “Enable 2-factor auth”
- Choose a suitable method (Google Authenticator app or SMS)
- Enter the token you receive and submit
- Don’t reveal your OTP
Mobile-number-based OTPs work on the assumption that you are the sole user of your mobile phone, so never lend your phone to anyone you do not trust. Since our system supports role-based access (Reception, Administrator, etc.), we recommend maintaining individual accounts; this makes it possible to track which user made each change in the system.
- Google Authenticator code is sacred
This is an added security layer, the second factor in two-factor authentication for your account. Enabling two-factor authentication adds several layers of protection and reduces the risk of account compromise significantly. Make sure that you don’t divulge Google Authenticator codes to anyone you do not fully trust.
- Don’t share your email access
This is a federated trust factor: the Practo system trusts that only you have access to your email account and that it is secured with strong security options like two-factor authentication. Sharing access to your email account can seriously compromise the security of all the accounts related to it.
Digital diligence is a non-stop affair
We have already stopped accepting weak passwords for all the new accounts. Existing users will soon be asked to set stronger passwords. Currently, there is an option to skip and continue but it will be removed in the coming weeks.
We are also improving our system of sending automated notifications to confirm that the email addresses are owned and controlled by the practice and not by someone else. Even Practo employees are not allowed to record a user’s account password, inbox password or OTP. When it comes to security, it’s important to always be on high alert. Conduct regular security audits for your practice and report any suspicious activity so that it can be resolved as soon as possible.
What is the problem doctors are or might be facing, or that we have identified?
We have identified that some user accounts are not as secure as they could be, due to the intentional practice of setting weak passwords or sharing the same account among multiple staff, and also due to a lack of awareness among users of the advanced security features (support article) that they can enable.
Why should they be concerned with this?
Since we deal with healthcare data, which is accessible only to authorised individuals, a data breach is possible unless those individuals also follow certain best practices. For example, if you use the same password on Practo as on some random XYZ website and that website gets compromised, an attacker can log in to Practo with the same password if no additional security measures are in place.
Practo software establishes trust based on the following factors:
- Password – this is typically a what-you-know factor; if someone knows or guesses your password, the system believes that it is you
- Mobile number + OTP – this is known as a what-you-have factor; if you lend your mobile phone to someone, they can trick the system into thinking that it is you
- Google Authenticator – this is also a what-you-have factor and is used as the second factor if you enable two-factor authentication for your account
- Email – this is a federated trust factor where the Practo system trusts that only you have access to your email account and that it is secured with strong security options like two-factor authentication
It is recommended that you use one what-you-know factor and one what-you-have factor to keep your account safe from attackers. If you haven’t enabled two-factor authentication for your Practo account, you can enable it by following this support article.
What can they do to avoid such situations?
In order for your Practo account to be secure, it is important to keep the above factors secure.
Passwords should be a long, memorable phrase that only you know. We have integrated a password strength meter into our system; it uses current best practices to determine whether the password could be guessed easily by another person.
Do not lend your mobile phone to anyone you would not trust with all of your data. Since the system supports role-based access control (Reception, Administrator, etc.), we recommend maintaining individual accounts. This improves auditability, so that we can prove which user actually made a particular change in the system.
Secure your email inbox with multi-factor authentication and a strong password as well. Since most online services use your email address to recover your password, if your email is compromised, every online account that relies on it is compromised too. If the email address linked to your Practo account does not belong to you, please report it to us immediately by contacting Support via email at email@example.com.
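The strength meter mentioned here and in the first tip rejects passwords that can be guessed easily; the checker below is an added example of the kind of rules such a meter applies (common-password list, birthday-style dates, minimum length, a naive entropy estimate), not Practo's implementation. The common-password list, the 12-character minimum and the 50-bit threshold are constructed sample values; a production meter checks against a corpus of millions of breached passwords.

```python
import math
import re
from datetime import datetime

# Constructed sample of a common-password list; a production strength meter
# checks against a corpus of millions of breached passwords instead.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty",
    "letmein", "welcome", "admin123", "practo", "doctor123",
}
MIN_LENGTH, MIN_BITS = 12, 50      # assumed policy values, not Practo's actual thresholds
LEET = str.maketrans("@$0143", "asoiae")   # undo common character substitutions


def candidates(pw: str) -> set[str]:
    """Forms an attacker would try first: lower-cased, trailing digits
    dropped, leet undone, so 'P@ssw0rd123' collapses to 'password'."""
    low = pw.lower()
    stripped = re.sub(r"\d+$", "", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)} - {""}


def looks_like_date(pw: str) -> bool:
    """True for birthday-style strings such as 15031990 or 1990-03-15."""
    digits = re.sub(r"\D", "", pw)
    for fmt in ("%d%m%Y", "%Y%m%d", "%m%d%Y", "%d%m%y"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            pass
    return False


def naive_bits(pw: str) -> float:
    """Upper bound on guessing entropy from the character classes used."""
    pool = sum(size for pat, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                      (r"\d", 10), (r"[^A-Za-z0-9]", 33))
               if re.search(pat, pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason); the first failing rule wins."""
    if candidates(pw) & COMMON_PASSWORDS:
        return False, "matches a commonly used password"
    if looks_like_date(pw):
        return False, "looks like a date, e.g. a birthday"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    bits = naive_bits(pw)
    if bits < MIN_BITS:
        return False, f"too predictable (~{bits:.0f} bits)"
    return True, f"acceptable (~{bits:.0f} bits)"
```

The entropy estimate is an upper bound only: it cannot see dictionary words or keyboard patterns, which is why the list and date checks run first.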
What are we doing to help them?
We have already stopped accepting weak passwords whenever the user is setting a new password. Existing users with weak passwords will see a notice that their password is weak and needs to be changed. Currently, there is an option to skip and continue but in the coming weeks the skip option will be removed.
We have identified a few cases where some of our employees created new email accounts when there were sales blockers. We do not ask any of our sales executives to do this, and strict action is taken in the identified cases. We are improving our system to send out automated notifications confirming that the email address is owned and controlled by the practice and that no account password, inbox password or OTP is shared with any Practo employee.