Two-step verification, account management and mobile app updates
We recently held a webinar for practices to provide an update following the cyber security incident and to answer operational questions that practices and patients have been raising.
The session covered security improvements, clarification around account management, updates to the mobile apps, and the support available to practices.
Acknowledgement of the incident
At the start of the webinar we acknowledged the impact the incident had on practices and patients and thanked practices for the support provided during a difficult period. We recognise that health information carries particular significance and that the additional work practices undertook to support patients placed extra pressure on teams.
We also clarified the scope of the incident. The unauthorised access related to a specific document feature of the platform. This involved some documents uploaded by patients or sent from Northland Hospital so that patients could access them through the portal.
Importantly, no data from GP practice systems was compromised. Appointments, prescriptions, and clinical records held within practice systems were not affected.
Once the issue was identified, it was contained quickly, and we worked closely with Health New Zealand, PHOs, the Office of the Privacy Commissioner and police during the response.
Security improvements
We outlined a number of security improvements that have now been implemented.
- Multiple independent vulnerability and penetration tests have been completed.
- Continuous 24-hour monitoring by external security specialists is now in place.
- Two-step verification is now mandatory for all users.
When logging in through the web portal, users are required to enter a six-digit code sent to their email address. Users can also enable authenticator apps such as Google Authenticator or Microsoft Authenticator for additional protection.
For mobile apps, users verify once via email and can then enable biometric login such as Face ID or Touch ID.
We also noted that some usability challenges were identified after introducing two-step verification. Adjustments are being made, including extending the validity window for login codes so that patients have more time to enter them.
For more ‘how to’ information on the 2-step verification process, including videos, click here.
Account closure and suspension
The webinar also clarified the difference between closing and suspending accounts.
An account may be closed if a patient has died or if a patient explicitly asks for their account to be closed. If a patient closes their own account through the portal, a 72-hour grace period applies before deletion begins in case the request was made in error.
If closure is requested through a practice or the Manage My Health support team, the deletion process begins immediately.
When a patient moves to another practice, the account should not be closed. In these situations the account should be suspended instead.
We also confirmed that inactive accounts will now be managed more actively. If an account has not been used for 12 months, the patient will receive notifications reminding them to log in or close the account. If the account remains unused after further reminders, it will be deleted.
Mobile apps reinstated
The Manage My Health mobile apps have now been reinstated after being temporarily removed during the incident response.
The updated apps include two-step verification, optional biometric login, and a temporary feature that allows users to check whether their data was impacted by the incident.
Support for practices
We are preparing communication resources that practices can use to respond to patient enquiries. These will include suggested messaging, flyers and email templates that practices can send to patients if required.
We have also launched an updated Support Centre which provides guidance and training resources for reception, clinical and system administrator roles. The centre includes walkthrough videos and written instructions for common tasks such as registering patients, sending group messages and configuring features.
Common questions raised
A number of operational questions were raised during the webinar.
Some login issues are related to verification codes expiring before patients enter them. This is being addressed by extending the validity window.
If patients report issues such as not seeing lab results or not being able to request prescriptions, we ask that practices contact our support team first so we can check whether there is a configuration issue affecting the practice.
Some users may also experience access issues if they are using anonymised networks such as certain VPN services. These connections may be blocked for security reasons.
Next steps
If you would like to discuss any of the topics covered, please contact your Manage My Health account manager or the support team.
To view the webinar presentation, click here.



