CLAIRE: Welcome to tonight's webinar for our eHealth webinar series Information Security in General Practice. My name is Claire Pearson and I'm the Project Administrator for the RACGP Practice Technology and Management Team and I'll be your host for tonight. So, tonight's webinar will be presented by Dr David Adam. Dr Adam graduated from the University of Western Australia in 2010 and undertook General Practice training at Lockridge Medical Centre. After completing postgraduate training he returned to Lockridge in 2016. He works part-time and is particularly interested in children's health and medical education. Dr David Adam is a member of the Practice Technology And Management RACGP Expert Committee and he was a digital champion with us last year in 2018 and he presented workshops on the My Health Record Education Awareness Program, and before becoming a GP David was actually an IT systems administrator so this is of great interest to him tonight, and David, welcome to the webinar.
DAVID: Thanks, Claire, just… the Digital Champion title is one that the registrar's found out about and would not let go, so…
(CLAIRE LAUGHS)
DAVID: I highly recommended that if you ever take a position at the College, makes sure that they're not…you know that your trainees aren’t going to make fun of you for the rest of the year.
(CLAIRE LAUGHS)
CLAIRE: Ah, yes, champion in the title, you can't go wrong. So, David, myself and the RACGP, we'd like to thank all of you for joining us tonight and for taking time out of your busy schedules to join us in the webinar this evening, and we do look forward to engaging you in this eHealth webinar series. We've got it going for the whole year actually, each month we'll have information for you all about eHealth, and this is all about tonight Information Security in General Practice and although you may feel like, on the other side there, that you're the only one participating at the moment, you are joined online by a number of your peers, as well as eHealth experts in the background who will be helping you with your questions this evening, and with David, at the end of the session, we'll be doing some Q&A.
So, before we begin I would like to make an acknowledgement of country. I would like to acknowledge the traditional owners of the respective lands on which we are meeting on today, and to pay my respects to elder's past and present. I'd also like to acknowledge any Aboriginal and Torres Strait Islander people who are listening in this evening.
DAVID: Right, what we're hoping is that over the course of the evening we'll cover the key principles of quality of information security, the policies required in your general practice and how the governance should work in a general practice, we’ll look at risk assessment, and some information about systems backups.
On the next slide you'll see our agenda which is how we're going to work through that. So, we're gonna start talking, initially, about information security, and what it involves, and why it's important. We'll look at some of the threats to the security of our information in general practices, in particular we'll look through some evidence about data breaches, and some information about cybercrime. We’ll… after covering what the… I guess what the problem is, or what the problem can be, we'll look at some of the solutions that are available to us, in particular the Information Security in General Practise resource that's available from the RACGP, and the other resources that come out of the Practice Technology Management Group. We've got a little bit about what's coming up next, and then we’ll have a bit of a chance to answer questions.
So, on this slide you'll see all the things that we could think of that information technology involves, and although tempting just to think of it as the computer on the desk it's, in fact, much more than that. It includes all your IT systems and software, including how they’re maintained, and who looks after them, computer security protocols and policies, backup systems, which is one of those things you’ll need to have and hope you never need to use, the way that your email and faxes are transferred through the practices. In this day and age all telephones, printers, and scanners are full-blown general-purpose computers that just happen to do a single job, and so they become a very important part of our information technology security and assessment. Display screens that you might have in your practice, of course, the… where you do a bulk of your work in your critical information system, those of you that interact with secure messaging, including transfer of pathology results, if you're working in areas that involve Telehealth or videoconferencing, and then there's more public facing things like your practice website and your social media presence.
So, when we talk about information security what we mean is the prevention of inappropriate access to patient or other personal information, and that means through things like, data breaches, which is the accidental release of personally identifying information. We wanna make sure that we're protecting that data, the personal information about ourselves and our patients, and we want to preserve the data, in terms of business continuity. The recording of this information is no good to you if you turn up the next day and you can't get hold of it. So, these elements are important because the provision of safe high-quality healthcare and the efficient running of a general practice requires good information security. It's essential for professional and legal delivery of healthcare, and it's important that our IT systems can hold up to that task. We think about information security being important in healthcare because of the particularly in sensitive data that we hold about patients and we want to protect against inappropriate access that information, either intentionally or unintentionally. Hopefully some of the things that we'll talk about tonight, around practice and policy can help avoid this. We want to ensure that we can continue to work, even in the face of problems, so an effective Business Continuity Information Recovery Plan helps us to bring our practice information systems back into working order, when a system failure occurs. We… by that we're talking mostly about internal system functions or failures, but also how the practice will function in the event of an environmental or a natural disaster, and following on from that, is about ensuring disaster recovery, so that in the event of a, so called, information disaster, how our practices can respond as quickly as possible to minimise potential loss or corruption of information. I think we're all aware of why that's important, in terms of both keeping our business running in providing safe and effective healthcare, even in situations that are less than ideal. So, our information security plans look at maintaining critical business function, even when there's an unexpected system event, and like all of these plans, they very rarely survive contact with the enemy unless it’s reviewed, updated, and most particularly tested.
The threats to information security, and the, I guess the risks that we run into, can really be grouped into three categories. So, when we talk about human threats we mean mistakes which are unintentional or by deliberate intervention by malicious actors, so that includes things like cyber crimes. Technical threats involve the everyday failure of components in our system or less, I guess less directed problems things like, hard drive crashes, power outages, data corruption from viruses or from bad software, and then there's environmental threats. So, you know, some systems can cope well with a bushfire, or someone driving their car through the back wall your practice, and other systems are more vulnerable in that area.
If we look at the information about data breaches, so that information that should be private or confidential that’s accidentally or deliberately released other parties, the Office of the Australian Information Commissioner has released this information about the last quarter of last year, and allows us to compare how many of the reportable breaches in the health sector, compared to other areas of the economy, were caused by human error… and you can see that in health much more of our mistakes are made… much more of these breaches are made because of mistakes, because of human error, compared to malicious or criminal attack. Yeah, so that's much higher than everywhere else. If you look at by industry, these are all the reports received by the Office for the Information Commissioner, and with new privacy requirements being introduced in the last few years you can see the health industry is leading the way, in terms of number of notifications, we hold that dubious honour, from the 262 data breach notifications made between October and December last year to the OAIC. They keep… they're going to keep releasing these quarterly reports to give us in a bit of an idea of the trends in personal information security, that it's likely will result in harm to individuals, and hopefully will help us to practice and manage these risks. So, you can see that we top out even the finance industry at just 15%. This is pretty consistent internationally, and so I think the health area is a particular focus of the OAIC to look about preventing this information. I suppose we had a bit of a think about why it might be that health information, healthcare providers do top our list? One primary reason is certainly that private sector health services are much more tightly regulated by the Privacy Act. Most other businesses are exempt from that reporting to the OAIC, unless they turn over three million dollars a year, and there’s certainly practices out there which are lower than that number, but because of our… because of the sensitive nature of the data which we're working with we have to report all breaches. More generally, the health services industry seems to have a greater level of responsibility and awareness of their privacy obligations. I certainly think that most of us involved here tonight have a very keen awareness of the importance of confidentiality of information, and whether that leads to a degree of over-notification is an open question. My question is that, you know, compared to these other sectors are healthcare organisations much more interconnected? You know, there are very few general practices, there are very few one-stop shops. We deal intimately every day with a number of other organisations, whether they’re clinical, such as pathology or radiology companies, or in business terms, you know, Medicare, we do a lot of transfer of information to these other groups. So, I suspect that might have something to do with why we come out so high on the list. I think you’ll be sent round our fact sheet on the Notifiable Data Breaches. Yep, Joanne’s just sent you a link there, so that's got some particular information about data breaches.
There are other threats to information security in general practice and cybercrime is always hot on the lips of information security professionals. In Australia healthcare clinics have certainly been targeted by cyber criminals, and this includes anything that… any crime that's directed against computing or information technology. So, you know, while it wouldn't include things like fraud or identity theft, it’s mostly around the damage to or access to electronic communications or data. And so that includes things like, hacking, scams, or attacks on computer systems. So, we've got some headlines over the last few years that can serve as a bit of an example… 2012, a Gold Coast medical centre was hacked and were attacked by encryption software and their data held to ransom. In 2016, the Royal Melbourne Hospital had an automated computer virus attack, a number of its older computers in its pathology department, and in late January this year, in Melbourne, the Melbourne Heart Group experienced their data being encrypted and held at ransom, so the story goes, so the centre could not access some patient files for up to three weeks and about 15,000 records were inaccessible during this time. So, you'll hear the term ransomware thrown around, and that’s basically an automated or a semi-automated process where information is made inaccessible, through encryption or through another means, and then can only be released when a ransom’s paid to the people controlling the software. Our whole practice team has a responsibility to maintain our cyber security and information security, and so each person in the practice really does need to contribute to protecting the practice’s information systems, and we'll come to some of the areas that that involve shortly.
CLAIRE: So, David… oh, sorry… I’ll let you finish…
DAVID: Yeah, okay, so the only other thing I was going to say is that anyone who's experienced cybercrime should certainly contact the Australian Cyber Security Centre, which is a government body that monitors and helps support victims of cybercrime. So, Claire, are you going to run these polls?
CLAIRE: Yes. So, we'll ask a poll on this… has your practice or organisation experienced a form of cybercrime? Yes, no, you might be unsure, or not applicable. So, we'll just wait for the votes to come in on that. I'll share the results… Okay, and thank you for voting everybody. about 20% yes have, David.
DAVID: Yeah, okay. When I used to work in IT and IT security there was a bit of a saying, in large organisations, that either you've suffered a form cybercrime or you don't know that you've suffered a form of cybercrime. I don't think that that generalises broadly to smaller organisations but certainly those of you that are unsure I think… I think that's a very reasonable response because it can be difficult to know, particularly in smaller organisations where we don't have, you know, aggressive continuous monitoring and hundreds of people dedicated to our information security, that an attack has taken place, either successfully or unsuccessfully.
CLAIRE: Yes, and so in conjunction with that, I mean, has your practice… we're just going to send this second poll out… has your practice been or would it be able to deal with cybercrime effectively and efficiently should it occur, or when it will occur.. likely, yes, no, unsure, or not applicable? And we'll just get a few more votes in and I’ll share those results… and so majority of the listeners tonight are unsure if they would be able to deal with it efficiently and effectively, David.
DAVID: Yeah, okay, so we don't we don't have another poll but I guess what I'd like you to consider is what would you say if instead of about cybercrime that question was about someone having a heart attack in the front room of the practice, or someone driving their car into your back wall? I think most practices would be really good with medical emergencies, and some of us would be okay with more obviously physical crime, but we really need to have the same attitude towards cybercrime that we do to those other things. We need to be aware of the risks and aware of what policies, of what steps we can take to reduce them, and we'll talk about some that shortly. Due to the nature of healthcare records some people claim that they are highly lucrative. Personally identifiable information is often used by criminals to commit financial crime and identity theft, and whether that's to more simple things like to open a bank account in someone's name or to make a fraudulent insurance claim, and of course we do worry about people using the access that the practice has. Doing things like buying biomedical equipment or even generate prescriptions, in healthcare because of the general state of information security, and again in general practice where our organisations and somewhat smaller, data breaches can take a long time to be identified and that means that hackers or criminals would have more access, more time to access information inside a system, and also more time to use that information before being detected.
We're going to talk briefly about a report that came from an American-based telecommunications provider. So, Verizon are a bit like Telstra or Optus in the States and they put together a big report in 2018 on data breaches, so, again, that unintentional loss of control over confidential or private information. They found that the most common type of malware or malicious software is ransomware, and as we talked about before, that’s software that makes your information inaccessible and refuses to return it unless you pay a ransom. It's really started to impact, in their view, on business critical systems rather than just, you know, the desktops of office workers, leading to bigger ransom demands and making the life of cyber criminals more profitable with less work. They mentioned that employees are still falling victim to what are called social attacks. So rather than, you know, you being… a command being sent to your computer without any intervention and going off and going haywire, social attacks referred to the impact of human intervention, so somebody sends you an email with a virus in it and then you open up and spread it around. Financial pretexting and phishing represents 98% of social incidents. So, phishing is targeted emails to you that are faked, that appear to be coming from someone that they’re not, and email continues to be the main entry point for these social attacks. Companies are three times more likely to get breached by social attacks or something that involved tricking one of your employees or one of your staff into doing something rather than what used to be seen, in sort of the early days of the internet, which was entirely automated spread of virus or malicious code, and really the only way to address that is ongoing employee cyber security education. Certainly safe design of software, improved internet security will also help that. Although a majority of people do not fall for phishing, you know for a faked email that attempts to gain access to your organisation by stealing passwords, about 4% do fall for any given phishing campaign, and as we know you need a significant immunity to provide herd immunity and 4% it's probably still enough for people to make a foothold into information systems. Most attacks come from outside the organisation, and again this is a broad generalisation across a number of industries, and in America, largely American data, but about 72% of attacks or breaches were driven by outside… by people outside your organisation. So, we've got some of the numbers on that, on the next slide. Yeah, so, financial motivation continues to be the high motivator for people stealing information or breaking into computer system. Again, in the early days, in the late 80s and early 90s, you know, people used broke into each other's computers for fun, to prove that they could do it, but it's now a… it's a profitable industry, and as you can see, they've assigned… about 50% of those incidents to have links to organised crime. The last number is, I guess, a bit of a worry that many people discovered that their information had been lost, they lost control of that information a month or more later, more than two-thirds of the time, and that's something that we'll talk about a little bit later is about more treatment, about detection these problems.
So, looking again, just reminding ourselves that we talked about human, and technical, and environmental threats, technical threats are the things that your IT staff will be very aware of, and very savvy about, and so that things like software or hardware failure, the power going out just at the wrong time, as well as your automated software or virus corruption to systems or network access, and then environmental aspects too need to be considered, when we think about information security, so, that’s things like, you know, flood, earthquake, storm, the physical protection of data that's stored off-site, and for many of us, we will still have paper records in the archive, and where that archive lives is very different between different practices, and one place I trained in it was a sea container that lived on someone's farm with a big padlock on it, other people have slightly more professional arrangements, but it's certainly something you need to think about, both for old paper records and for your backups. This is an area that the College, and the members of the College, are actively involved in thinking about on a broader scale, and so we highly recommend looking at our resource on this which is called Managing Emergencies in General Practice, and I think Jo'll be sending around a link to that shortly.
So, we've talked a bit about the problem, let's have a bit of a think about what the solutions are, you know, about things like backup systems in place to protect data, about having the latest software and security updates installed, and about the policies and procedures your practice will need in place for managing information security. We're going to look at how you can improve or reduce the likelihood of threats affecting your business, and if affected how to lower the impact of those occurrences by having strong information security systems in place. And the first resource I wanted to talk to you about is the Information Security in General Practice document that is produced by the Royal Australian College of GPs. The aim of this document is to increase the understanding of computer information security for our members so that you are… and also so that you know the requirements that our organisations must meet more to fulfil their professional and legal obligations. This document links closely to the RACGP Standards For General Practices 5th Edition, which is what we are accredited against, and it's a fairly new resource updated from the old Computer Information Security Standards to take into account changes in the law, changes in technology, and changes in particular in healthcare technology. We would like to think that it highlights new security risks and threats, and assists practices to meet their legal and professional obligations. We're really trying to reduce the amount of jargon and reduce some of the complication in the old resource, and I think has been really aimed to be less prescriptive, less, you know, this is exactly what you should do on this day with this colour, and instead follow best practice in regards to information security, and again Jo'll be sending a link around to that shortly.
So, we're going to go through the document, just in brief, to give you a high-level overview. The first thing that it contains is a quick reference section for practice owners and management. I know, like me, the likelihood of wanting to sort of sit down and read a great big document it's not high on your list and so really we've tried to have a bit of a section at the front that covers off the major things you need to be aware of, and, in fact, each section will have a bit of a summary. The guide covers, you know, fundamental processes for safeguarding practice systems. So, that includes really high-level stuff like governance and culture, and then more technical things like resources and planning, access, risk assessment, backup and restore, mobile devices, and staff training, and also tools to help you measure the effectiveness of these security controls. As we said, it links closely to the RACGP Standards For General Practice, and when you see this little flag icon that is an indicator… that’ll show you the indicator from the standards, and also what you must do to meet that, so, the must-have information’s there in bold, and you can see, for example, that recommendation 6.4 or requirement 6.4 says that there's one person in the practice who carries the can for electronic system and computer security. So, there are four main sections in the resource, and each of those covers specific policy content information, case studies, where appropriate, and links to other RACGP resources. The benefit of using a tool like this resource is that you can have confidence in the availability of the information and the integrity of the information that your practice holds. With the increasing connection to information systems that are external to our practices it's really important that we take sound and basic measures to make sure that we are meeting the baseline. Many of the case studies that we were… many of the headlines that we reviewed when we would talk about cybercrime the root cause of those was ultimately found not to be some, you know, sudden advance in crypto-analysis where people would be able to break complex ciphers or rappel down Mission Impossible-style into data centres, often it was as simple as not having anti-virus software installed, not having up-to-date security updates installed, or people clicking on things out of emails. So, you know, nobody's expecting you to become a top secret information handling organisation overnight, really we need to have the basics in place.
So, Section 1 looks at governance, which I’m sure will be all your favourite word, but looking at sort of acceptable use of information technology in your practice and the responsibilities of your practice team, the RACGP produces a number of policy templates, which you can use to your advantage. I always really suggest looking very closely at the policy templates that the College produces, yours and my membership has paid for them so we might as well use them, and they are generally very good, while requiring only a fairly minimal adaption to your practice, and so that includes things like a policy specifying who has access to specific systems, the deliberate focus on access only to the systems that they need to do their job, and on the various team members what their particular responsibilities will be, in regard to practice security.
Section 2 looks at risk assessment and is connected to indicators on business continuity and information recovery, on storage and retention and destruction of records, and on your information recovery plan. It includes making a periodic risk assessment which assesses the security of your practice’s clinical and business information systems, and provides you with a structured way of doing that, and that includes things like threat analysis, and although these can be done by practice staff, depending on the size of your practice and the complexity of the risk you face, you may find it valuable to employ a technical service provider or a specialist security firm to help you undertake that risk assessment, and I don't think there's too many organisations… healthcare organisations out there still trying to run their own information security and information systems by themselves, so it's a great way of getting involved with the technical staff to make sure that all bases are covered. As we often find when we go into consultation with other groups, or if you've ever been involved in any health IT system delivery or system development, both technical and healthcare providers have a very different view and we really need… you need to take all advice that you can from both clinical and non-clinical staff when you're looking at risk management. One area this covers is backups and we particularly want to talk about one of the case studies that's given about the 3-2-1 backup strategy, and I guess this is just an example of some of the information that the resource is aiming to provide. We're not saying this is the right thing for every practice but may be appropriate for yours. So, the 3-2-1 backup strategy was introduced by a practice in the Brisbane CBD of about 20 GPs, with a variety of general practice and allied health service, who use electronic health records as part of their consultations, they generate prescriptions, they request pathology, and they make referrals to other healthcare providers. Like most of our practices, all of the billing and administration is computer-based, and so each day a large volume of electronic data is collected. To protect this, and ensure that they've got it available in the case of something going wrong, they basically… they have this so-called 3-2-1 strategy where there were three copies of their data everywhere. So, that's what the three is, there's the original and there’s two backup copies. Each of the backup copies are stored on different storage media, so they'll be on different tapes or all different discs, one of those copies is always off-site which means that in the event of a disaster, a house… the practice burning down, or some other catastrophic event, that there was a copy that was available off-site. One of their copies they did that by backing it up to a cloud service, so rather than putting it in someone's car and taking it to the archives facility, but again just really whatever's right for you. I think the other really important thing about the backup strategy is that it's tested regularly. Some people would say that the backup is only as good as it’s most recent restore and your IT providers, if you've got a solid backup strategy, will have a… part of that will include regular tests to ensure that you can actually recover the information out of your backups. So, there's no such thing as a perfect backup strategy but the 3-2-1 way is a good starting point and if you don't have one already might be where you want to look to starting.
Section 3 starts to look at more technical areas and particularly securing the network and your equipment, so, this is really about what's inside the practice. Again, the indicators around that are your team member who's got a primary responsibility for electronic systems and computer security, and that clinical software is accessible only by unique individual passwords that give access to information according to the person's level of authorisation. An example there is that, for example, you wouldn’t want your front desk reception staff to be able to access confidential sections of the medical record, at the same time you need to be able to access medical records that are created by your other GPs in the practice, in terms of achieving ongoing continuity of care. This includes things like network perimeter controls, which are essential if your practice is internet connected, and includes details of hardware and software connecting to the network including remote wireless access to networks, it includes maintenance of your computer hardware, software, and operating systems. Like a car, we try not to run them into the ground without getting a mechanic to look at them occasionally, although some of my colleagues at university certainly that was their preferred strategy, but in our professional environment we need to undertake regular and ongoing system maintenance, and ensure that our systems are physically protected from theft, from unauthorised access, so and again from accidental mistakes. Your practice policy should look at things like system and software maintenance, as well as physical network and hardware protection, and again this is a relatively new section in the new resource, but we look at mobile electronic devices. Your practice may or may not use mobile devices for business or for clinical purposes and you need to have a bit of a think about whether they're owned by the practice or owned by the members of the practice team, and then including like laptops, tablets, USB and removable hard drives, mobile phones, backup media, portable electronic equipment. Anything that's easy to pick up is at high risk of being lost, or stolen, or left unsecured, which increased the risk of a data breach. Unfortunately one of our registrar's had her mobile phone stolen on her first day at our practice, which, I think, put a little bit of a damper on the whole experience, but well luckily, you know, she had a strong passcode, I learnt, and she had a lot of the confidentiality features turned on, so whoever stole that phone couldn't then use or get into our practice data later. Our practice uses a two-factor authentication system for remote access, which means that you do need a mobile device or something similar in order to get access to our systems remotely, and so when her mobile was taken, you know, that was an important thing for us to control quickly, just to make sure that their access was… her access was disabled until she could get a new phone.
Finally, Section 4 is all about online safety, and the indicators that are in the standards cover things including those individual passwords we talked about, and the policy about the use of email, and about social media. Your practice really needs processes in place to ensure the safe and proper work-related use of internet and email, and that includes education and training for your staff about best practice. We see time and again, over the years, you know, people downloading games onto their work computers to play that turn out to have viruses in them or sent out things they shouldn't, and I guess another big risk, and hopefully this isn't something that people are unaware of, but… sort of adult entertainment and less salubrious areas of the internet definitely pose a significant risk. So, if people are accessing those sites that needs to be happening somewhere that's not work, and not using your equipment. You need to have good protection against malicious software, and that’s things like viruses which will corrupt or destroy your data or use your computer for unauthorised purposes, that includes a policy on monitoring procedures, and also having a bit of a think, before it happens, about what to do if something like that is detected, so, having a crash plan or having a response strategy. Some practices share information via their practice media or social media channels and that means… so, sharing patient… information with patients or with other providers. Sharing information electronically always requires a certain level of security and confidentiality to prevent it from being intercepted, or changed, or received by people it's not supposed to. You really want to have a really good think about how health information is transmitted before you start doing so, and you need have a strong policy around that, and then finally third-party software which includes things like add-on or bolt on programs to your standard clinical information system. Many practices use these and it could be as simple as electronic prescription exchange or secure communication. If you don't know whether you're using one of these programs, I would say there's a fair bet that you are, so have a bit of a look around your computer systems, ask your information staff, and ask, you know, what those are. These programs are not necessarily produced by, well by their very name they’re not produced by the main manufacturer of your clinical information system, and so they can expose you to threats including damage to your database integrity, or unexpected security weaknesses. You really need to make sure you have a think about information security when you're choosing to use any type of this third-party software in your practice, and there's no time like the present to do a bit of an audit and think about what you're using, what you’ve considered when you first install that, and whether you need to make a new risk assessment.
We've got a policy template coming around on Internet and Email Security and if you don't have one of those in place already then, again, that's a great starting point that can be customised for your practice. So, with all that in mind, have a bit of a think about some of the actions that you can take, right now, to make your systems and processes stronger, in order to protect your practice. You can review what you're doing at the moment and think about well you know what could you better, what are we doing really well, and are the, sort of the top three risks that face you, that you can address immediately, and again we've got some more resources which focus on these areas as well.
So, on the next slide… sorry, next slide after this one, you'll see some notes here, the College works very hard to produce a large number of these resources which we hope are high quality and a useful to our members, that includes the document on Privacy and managing health information in general practice, which was reviewed in line with current best practice, and the new Australian privacy principles, and their implementation. The fact sheet on Notifiable Data Breaches, which I guess is something that you want to know it's there and have a bit of a read through to work out what your obligations are, and also provides a bit of a flowchart on what to do in the unfortunate event that you do have a data breach. There's a new document on the secondary use of data… general practice data, and so by secondary use we mean information that's used for research, or for audit, given to third parties like Medicare Locals for their purposes, and it helps you to decide when and how it’s appropriate to release deidentified data at the request of an external organisation. We've got an extensive guide to Information backup in general practice, so again this expands on some of that information that's available in the previous resource, that we talked about. If anything… if you take one thing out of today, please go away and make sure that you've got a good backup and you know that it works. It is really an essential activity in today's computer focused world. And finally we've got another item that's available on disposable of electronic information. It took ten or even twenty years ago it was a fairly entertaining thing to do, to go through skip bins, pull out old hard drives and see what information you could get off them, you know, pimple-faced youth entertainment, but effective solutions for eWaste in your practice includes disposing of all this stuff safely and securely, particularly for general practice, so, that's including recycling, and disposal and removing patient data. So, Jo’ll send you around those documents now.
The RACGP run an annual technology survey which is really looking at trying to get an idea about the use of technology by GPs in Australia, and their attitudes towards technology and how we think things are going to change. This really helps the College to understand what systems are being used, where more investment is needed, and what the key challenges are faced by general practice teams when it comes to technology. The survey report from 2018 is now available, and the 2019 survey will be coming out soon, and you'll be sent round now a link to that survey report.
So, that more or less finishes us up for the content today. Just a quick advert from our sponsors about the upcoming topics in the RACGP eHealth webinar series, these are free of charge, like this one, and remain accredited for two QI&CPD points, if you are still trying to get the last few points for the training. We've done one so far on Notifiable Data Breaches, Medico-Legal Concerns and My Health Record, and now Information Security in General Practice. So, on the 28th and 30th of May, again day time and a night time session, there’s a talk on SafeScript; which is real-time prescription monitoring that’s available in Victoria, and then Improving Health Record Quality in General Practice is coming up on the 25th and the 27th of June and you'll be sent round the registration links. So, that brings us to the end of the end of the slides, and I’ll hand back to Claire.
CLAIRE: Thanks very much, David. So, thank you for a really great presentation tonight on Information Security in General Practice, and as promised we do have some time now to answer your questions. So, please use the chat box to send your messages through and we'll either answer them in the background or David will answer them live here, and just as we wait for some of those to keep coming through also note that we are recording tonight's session. So, we will be making a recording available in the coming days, on our website, so if you missed part the presentation this evening, or you would like to share it with your colleagues, we will be having that on our eHealth webinar website at the RACGP website. So, David we’ll probably kick off with our first question which is, I guess quite a common one but which is, how long should I be keeping my medical records in backup?
DAVID: Yeah, that's a good question, and I think it's different for different practices. Certainly the medico‑legal advice is generally that you want seven years worth of data available to you, but that's not really quite the same as how long you should have it available in the backup. I think you want a backup that's available, it's really not so much how long ago do you need the most recent backup as how old are you willing to let your last backup be. So, how disruptive to the practice is it if you restore a backup from a year ago compared to a month ago, compared to a week ago, compared to a day ago. I think we would all like if our, you know, we turned up to work one morning and our computers were wiped, to be able to restore yesterday's backup but I understand that, you know, having an off-site backup or having something installed in a vault somewhere you're not going to be running out there every day to put a new one in. So, rather than thinking about how long you need to be keeping the backups available, think about how quickly you… or what the longest time that you'd be willing to put up with loss of data across is, and so, I know for us, you know, that basically that where we came down was well you know we're going to have our on-site backups every day so that, you know, if something goes wrong overnight then we have yesterday's data available, or if something goes wrong during the day our off-site backups are a week old, we decided that that’s where the threshold falls. The only other little caveat to that question, of course, is that it's not unheard of, in terms of ransomware or virus attacks, for them to damage your backups as well, and that's why I really want to emphasise that a backup is really only as good as the last time it was tested. If you restore from your backup only to discover that actually the virus was in your system… has been in your system for six months and it's destroyed all the backups as well then you might be wishing you'd had one from a year ago, so that you at least have something. So, definitely have a think about testing, as well as how long ago you've got it available. So, I hope that answers the question.
CLAIRE: Thanks, David. So, another question is how often should I be training my staff?
DAVID: Yeah, look that's a good question. The… I think it's like, you know, CPR training, or any of the other routine training we do in the practice, it's a balance between overwhelming and overdoing it, and juggling the competing demands for other training. So, that's not a… not one that there's an easy answer for. I work also for a large healthcare organisation and we have a routine drill about… in fact I think it’s about once a week that you'll get an email that's a normal email that's been modified by the server that it's received through to provide a training aspect to it. So, if you click on a link in it, for example you get asked, you know, do you this is a legitimate link or not, or is it taking you to something that it shouldn't be. So, you know that's a weekly training exercise that we get run through. Now, we're a very large organisation, in that group, so the balance is a little bit different to a general practice of six GPs, none of whom use email. Have a think about have to think about it like you think about your CPR training or your other practice emergency training, if you were to run something, you know, once a year I would say that would probably be the bare minimum, practices where you're dealing with more sensitive information, so for example if you're in a practice that looks after a lot of politically sensitive people, if you look after a lot of domestic violence victims, if you look after a lot of, you know, people who for one reason or another would hold… put an even higher value than normal on their information, then I think that adjusts the risk calculus a bit and, you know, you need to be thinking about more active approaches to training. So, the, I guess the industry term is penetration testing or red teaming, which is where you hire specific staff to conduct exercises that are determined to breach your information security. The general rule is that those people always find something, they can always find a way in, it's just really a matter of how long it takes, and also what we can do to tell you about that. So, there are different levels of training available, and again I think that comes down to risk assessment that you need to make about your practice.
CLAIRE: Thanks, David. So, we've got a couple of questions about emailing. We actually have the RACGP resource about Using Email in General Practice, and our questions are about emails between healthcare providers and how secure is that? Is that something that should be done, particularly even if you don't think you should be, you may be insisted upon by other doctors or allied health, and also what's the best security with emails and could you use a Gmail or Hotmail account to correspond with others?
DAVID: Yeah, that's a good series of questions and it's something that the College and the Practice Technology Management Committee have thought about a lot, I would very much… I'll take the last part first if that’s okay, I’d very much caution against the use of Gmail and Hotmail for a bit of a different reason, which is that their information is all stored offshore. So, there's absolutely no guarantee that records that you create using those services are held in Australian hands, and that may, depending on the type of information being transferred, that may expose you to further risk or even breach your requirements under the Australian privacy principles, or, you know, under… I certainly know that systems connected to My Health Record have a certain requirement about, you know, being on Australian soil, for example. Unfortunately, particularly Gmail and the Outlook services have the benefit of having a full-time, you know, thousand-person-strong 24-hour monitoring team that take their information security very valuably, so I think you would be well pressed… you would be well served to emulate as many of their services as possible, but that's a decision that you need to make as a practice, and I would certainly recommend against a Gmail or a Hotmail account, and if you've been looking at hosted services which both Google and Microsoft provide and I think, without wanting to sort of pick one over the other, having a look at whether they can make guarantees about, for example, where your information is stored, whether it's in Australia, or whether it could be anywhere round the world, using a hosted service for email is the way of the future. Having said that, the feeling of the RACGP Practice Technology and Management Committee and team is that it is still very difficult to be sure about the security of email, full stop. It's certainly possible, within organisations, to correspond securely and you'll see that in the Australian government unit, even for sensitive or the lower levels of classified information, but transferring that information to other systems, which is, I suppose, the whole reason we want to use email, it is a bit of a different kettle of fish and it can be very difficult, for even technically trained people, to have any confidence that their information is transmitted A, to the right person and B, in a manner that's not interceptable. Now, of course, email is covered by the same laws that cover postal mail, or by telephone calls, that it is illegal to intercept it, and/or modified it if you're not the intended recipient, but I s’pose it can just be a little bit more difficult to know whether that's happening with email. So, I'd certainly point you towards the RACGP’s resource on that and have a bit of a think about that in your own practice. The decision we've made in our practice, for example, is that we are confident that our systems can communicate securely with the Health Department of Western Australia, so we're happy to email them, but for organisations outside of that we're not that… can’t be confident, so we don’t do it.
CLAIRE: Okay, so a bit more specific question here is can we say anything David about cyber safety of using eFax?
DAVID: Yeah, so eFax is a funny sort of hybrid, for those of you that don't know electronic faxing is basically an attempt to drag the fax machine kicking and screaming into the 21st century and providing a gateway between fax machines and email, So, again in the large organisation I work for you can actually email a fax number at a special server and that will connect to the normal fax network and send it. If you are not using an in-house fax server almost all the electronic gateways are served by the same company which defends its intellectual property very tightly and uses that to provide a number of different branded services that are all provided by the same infrastructure, and almost all that infrastructure runs out of America. So, just be very careful about signing a contract with a provider of electronic faxing services, if those are not provided by… you know, if it's not done by a machine that sits in your practice and they, you know, if they're not confident to say well the information never leaves the practice except by fax machine, you're basically just emailing it with a fancier interface. So, I would be very careful about external electronic faxing services.
CLAIRE: Okay fantastic, David. Well that brings us to the end of the webinar this evening. So, thanks David for a great presentation tonight.
DAVID: Okay, thanks for having me, and I'll be back on Thursday in case anyone want to hear it again.
[DAVID CHUCKLES]
CLAIRE: Yes, fantastic! We've got… yes, that's right, so we do have two more happening. So, if you have any colleagues that missed out on tonight we do have Thursday afternoon and the first Thursday evening session. So, please get them to register via the links that we've sent. As I said, we will send you an email after this which will have a link to a survey for you about tonight, and also links to all the resources that we've talked about, and in the coming days we'll have a recording available. So, thanks very much for everyone for joining us. If we didn't get to your question tonight, or if you have something you think about the next day or two just email us at ehealth@racgp.org.au and we'll get back to you as soon as we can, and so thanks very much everybody for joining us, have a lovely evening, and we'll see you at the eHealth webinar series.