With cyber-threats on the rise year after year, computer users need to make wise choices on how they use devices, both personally and at work. 

For any business - but especially for pharmacies - there are legal requirements in the Privacy Act and Health Information Privacy Code to protect private and personal information that you store.  This includes customer names, addresses and medical information, as well as the details of your own staff members and prescribers.

We have outlined the basic recommendations for security below, with a more detailed explanation underneath.  Items in red have specific guidelines for Toniq customers.

  • Antivirus and firewall software must be installed, enabled, and kept up-to-date
  • Run updates for Windows and software
  • Replace/upgrade computers with old versions of Windows
  • Beware of email scams ("phishing" for information)
  • Never divulge a password over email or phone, or provide personal information
  • Use BCC (blind carbon copy) not CC (carbon copy) when sending emails to groups, where individuals are not known to each other
  • Only download and run programs from the internet that you went searching for
  • Don't trust pop-ups, especially those warning about viruses or performance issues, suggesting you "click here to clean"
  • Never leave devices unattended; lock the computer when you walk away (Win+L, or Ctrl+Alt+Del, Lock)
  • Passwords should be used on computers, and one/two digits is not enough
  • Toniq can provide security cards for staff to use instead of short passwords in the Toniq software
  • Different passwords should be used on each web site
  • Multi-factor authentication should be used wherever possible
  • Safeguard loss of data with an off-site, encrypted backup such as Toniq Vault
  • Safeguard access to your data with encryption where possible - including encrypting the Toniq software database
  • Consult your hardware support company for other recommendations. They may have monitoring programs to ensure things are working smoothly.

Antivirus and firewall software

This scans files that are saved or loaded on your computer, to ensure they will not perform malicious activity. There are a multitude of antivirus packages, both free and paid subscription, or the built-in Windows Defender software scores highly on independent tests.

Toniq recommends using the built-in Windows firewall as we configure it with the permissions our software requires to work properly. Unless you have independent firewall software, the Windows firewall should be left enabled at all times.

If your antivirus software also has a firewall component (sometimes branded as "Security Suite", "Internet Protection" or "Total Security") then it must be configured by your hardware person to allow the Toniq software to work through the network. This includes allowing DCOM communication, and access to/from the network by specific Toniq executables.

Run updates

Any software that is still under support will have updates to its security, to patch security holes that are found. Running updates is a critical step to stop hackers and viruses from getting into your computer, and accessing your data.

Windows Updates are released at least monthly, and should be applied regularly to your computers. These include upgrades to the version of Windows itself (continued below).

For pharmacies, the connection to the Health Network / Connected Health has a requirement that you will have "a Security Policy consistent with the Health Information Security Framework".

The HISF (from the version updated in 2015) states you will:

  • Ensure assets are continuously maintained to an appropriate security baseline that minimises their vulnerabilities and threat exposure, such as regular patching and other activities
  • Remove or upgrade unsupported legacy software

Contact your hardware support company if there are any issues with Windows Updates, or if you believe they are not showing for you to run.

Old versions of Windows

Windows typically receives support for up to 10 years for a major version, or 3 years for minor updates.

Running "winver" will tell you the version of Windows installed. Windows 10 and above have adopted a "YYnn" naming system, where the first 2 digits are the year it was released and the final 2 digits are the month or half of the year.

E.g. "1703" was released in March 2017 and is incredibly out of date.

"22H1" was released in the first half of 2022.

You should be running a version of Windows no more than 1 year old.

Windows 8, 7, and older are out of support and do not receive updates. These machines should be replaced, or could be upgraded if they meet our hardware requirements.

Keeping Windows updated is part of your requirements for the Health Network / Connected Health.

Email scams

For many businesses and individuals, "phishing" scams and viruses arrive by email daily.

Phishing is an attempt to get the user to reveal personal information about themselves, or to enter a username and password into a fake website, which might look like a social media site, a bank, or any other company. They come with all sorts of wording, for example asking you to deal with some sort of problem urgently such as a service that will be disconnected if you don't act promptly.

If you enter your information into the fake web site, the scammer can use these details to log in as you onto any web systems where you use the same username and password. This can lead to virus emails being sent to customers from your business email address, fake posts to social media sites, and many other devastating outcomes for your business reputation.

Viruses can often be stopped by your antivirus software, but sometimes not until it is too late. Beware of emails that arrive unexpectedly but seem enticing, for example a payment remittance from a company that you aren't expecting a payment from.

Never divulge passwords or personal information

As above for email scams, passwords and personal information allow a hacker to impersonate you when logging on to a web site. Common questions asked to prove your identity are along the lines of 

  • Your mother's maiden name
  • The name of your first pet
  • Your favourite food
  • The city you were born
  • A parent's middle name

Revealing this information to the wrong person will allow them to reset your password on a web site, giving them full access to the information stored within.

Use BCC for email

BCC - Blind Carbon Copy - hides the name of the recipients you have sent an email to.  This is important to your business because it builds trust with your customers and associates.

If you were to send an email out to multiple customers or businesses who do not know each other, then you are revealing their personal information (their email address and probably their name) to the other recipients. This could be in breach of the Privacy Act.

This is particularly important to remember when sending emails to many customers, such as for a sale or promotion.

Only download programs you went searching for

Many software programs available to download come from shared hosting sites, where software from many companies can be downloaded.

To increase their revenue, some try to take the visitor on a tangent, or display adverts linking to other sites, tempting you with other software you "may be interested in." There is no telling what this other software may do, so be vigilant and only download the software you specifically went looking for.

Don't trust pop-ups

Web sites do not search your computer for viruses, nor check the speed of your system.  Beware of any pop-up message that claims it has found a virus, or recommends you scan your system for performance issues.

Many web sites these days offer to "notify you" or "keep you updated" with information. A lot of the time when answering yes to this, you are allowing the web site owner to send you pop-up notifications whenever they wish.  

These can be displayed above the time - where other system notifications appear - and may contain ads for any service you might - or might not - want to be notified of. For example, we have seen notifications appearing for fake antivirus products, gambling web sites, and other services that are "not safe for work."

Think before you allow notifications. Why does this web site need to send you information?

  • do you really want social media notifications coming up on your work computer during the day? 
  • do you need to know when someone has purchased a cat toy from this web site?

If you're only planning on visiting the web site once, or rarely, do not allow notifications.

Never leave devices unattended

Leaving a computer unattended could allow someone to access software, emails and documents on the computer, or access web sites that have remembered who has been logged on. This can lead to the unintended disclosure of personal information, health information, pay rates for staff, or malicious posts onto social media.

If you have a password on your computer then "locking" it when you walk away will stop any unauthorised people from using the computer physically.  This can be done by pressing Win+L on the keyboard, or Ctrl+Alt+Del and clicking "Lock"


Computers should have logon passwords, a reasonable password should be used for software programs where they are available, such as securing the Toniq software.

It is not secure to use a 1- or 2-digit password, or your initials.

NB: If you want to set a password or change the password on your computers that run Toniq, there are requirements that must be met to ensure your Toniq software continues to function.

  • The computers must be able to authenticate with each other. Typically this means all computers log on with the same combination of username and password. If you wish to have different users set up, those users and passwords must be set up on the Toniq server computer at least, and preferably any computers with shared printers that may need to be accessed.
  • If you set or change the user password on the Toniq server computer, there is a Toniq utility which must be run, to configure some Toniq software components with this new information.

Security cards

Toniq can produce staff security cards on a key-pull or lanyard, to prevent the use of short passwords in the Toniq software. The security card has a barcode printed on it, which is scanned whenever the staff member needs to log on.  The staff member does not need to remember their password or type a long password multiple times each day, they simply scan the barcode.

This requires a barcode scanner on each computer the staff members may need to use the Toniq software at.

Different passwords

Passwords should be different for each web site.  Consider a password manager for making random passwords, so that you don't need to remember the password, it is stored for you. Password managers allow you to access your password from both your cell phone and computer, giving you portable access to your passwords - but some require a paid subscription to access them on multiple device types.

An alternative to random letters and numbers for your password is the "three random words" technique. Think of three random words that start with letters from the web site. You can customise this as you wish, e.g. use letters 2, 3, 4, or the last 3 letters, or letters 5, 3, 1. 

Find random words for those letters, and insert numbers or special characters instead of letters.

For socialmedia.com, you might end up with a password of Oct0pus Carn!v0re Impl3ment (with Oct0pus having a number zero in the middle)

Use multi-factor authentication

Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is a method of prompting you for some other information when you log on to a web site or perform an action. It is a way of proving that you are who you claim to be, by using some other piece of information or physical device that anyone else should not have access to.

For example, a bank might send you a txt message when you pay someone for the first time. If you have successfully logged on to the banking web site, and have your cell phone to be able to read the txt message, then you are highly likely to be the person authorised to make that payment.

MFA should be used wherever it is available - web sites and social media, email access, banking, online shopping.

MFA comes in different forms depending on the web site. For example it might send you an email with a code, or will ask you to use an authenticator app. Typically an authenticator app such as Microsoft Authenticator, Google Authenticator, Authy, Duo, LastPass Authenticator or many others, will generate a numeric code that lasts for 30 seconds.

If you send emails from your Toniq software - such as emailing debtor statements or repeat reminders - and set up MFA on your email account, then you will most likely need to create an "app password" to allow Toniq to continue to send the emails.

Safeguard loss of data

The Privacy Act 2020 and Health Information Privacy Code introduce the requirement to safeguard information from changes or deletion.

Toniq Vault is a reliable way to achieve this for all types of files.  It performs backups on a schedule - typically at least twice a day for the Toniq software database. All information is encrypted before it leaves your premises, and the retention period (how long the old copies of your files are kept for) can be customised to suit your needs.

Saving your documents to an online/cloud system such as OneDrive, Google Drive, Dropbox, Box or similar is a good second choice, but often these only have a 30 day retention policy. If your files are deleted and you don't notice for a month, they can be irretrievable.

Safeguard access to your data

The Privacy Act 2020 and Health Information Privacy Code require information to be stored securely so that it cannot be accessed by unauthorised parties.

Encryption of information "at rest" means that files are stored encrypted on your computer's hard drive. If someone were to steal your computer, they should not be able to access the information.

Windows 11 helps by encrypting the whole of your hard drive by default. This can stop someone from stealing your computer and reading the contents of the drive.

However, all of the above relies on your computer having a good password for logging on to Windows, so that your password cannot simply be guessed. Once someone has logged on to Windows, the previously-encrypted files are readily available, decrypted, to the user. If you accidentally open an email attachment containing a virus, for example, it would be able to read the contents of your computer.

Enabling encryption on your Toniq database allows the Toniq software to store information directly in a way that makes it appear scrambled. No other party or software will be able to read the personal information in there, such as patient and customer information (names, addresses, NHI, phone, email, etc.), staff member details and prescriber information. The amount of information encrypted will increase over time, protecting more information from prying eyes.

Together, Toniq Vault and Toniq database encryption can vastly reduce the amount of information disclosed from the Toniq database in the event of a data breach, and reduce the risk of data loss if you are struck by a computer failure or encrypting virus.