17 December 2012

RACGP urges general practices to implement Computer and Information Security Standards in light of cyber-security attack

Following a recent cyber-security attack on a Queensland general practice, the Royal Australian College of General Practitioners (RACGP) has emphasised the critical need for all general practices to implement processes, policies and procedures that will protect their practice’s information.

To assist general practitioners (GPs) in implementing effective computer and information security, the College has developed the Computer and Information Security Standards (CISS) and an accompanying workbook.

Dr Liz Marles, RACGP President, said it is vital that all practices apply a risk analysis of their particular systems and security needs to ensure preventative measures are in place in the event of a security breach.

“Even large multinational corporations and governments are susceptible to sophisticated cyber-security breaches; however, if the right precautions are taken early enough, the vulnerability of the system is greatly reduced and it is less likely to be infiltrated.”

“Ensuring comprehensive backup and recovery procedures for practice information are in place, including checking the backup and data restoration process regularly, is the best corrective solution for regaining lost data should a cyber-security breach take place,” Dr Marles said.

The CISS sets out the 12 basic computer and information security standards that should be implemented across all general practices.

The workbook, once completed by practice staff, forms part of the general practice’s policies and procedures manual and is becoming an increasingly integral component of practice life as the profession moves towards the shared management of patient records.

Other recommendations to minimise a practice’s points of cyber-security vulnerability are to:

  • Ensure the anti-virus and anti-spyware software is up to date, updates automatically on a daily basis, and runs regular scans of the system;
  • Ensure the operating system’s remote access settings are configured correctly and that remote access is disabled when not in use;
  • Use a firewall to separate the practice’s network from the internet;
  • Apply operating system updates and patches as soon as they become available;
  • Be cautious about files downloaded from the internet; and
  • Switch off computers and routers when not in use.
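The following is an added example, not part of the RACGP release or the CISS, showing how a practice could turn the first four recommendations above into a repeatable, read-only check on a Windows practice computer. It assumes Windows 10/11 or Windows Server 2016 or later with Windows Defender and PowerShell 5.1 (the Defender, NetSecurity and Get-HotFix cmdlets used here are not available on the older systems many practices ran in 2012), and the thresholds it applies (signatures no more than 2 days old, a scan within 7 days, a patch installed within 30 days) are this example’s own assumptions, not figures from the release. Run it in an elevated PowerShell session; it changes nothing, it only reports.

```powershell
# Added example (not from the RACGP release): audit a Windows practice PC against
# the anti-virus, remote access, firewall and patching recommendations.
# Assumes Windows 10/11 or Server 2016+ with Windows Defender; thresholds below
# are this example's own assumptions.

$findings = @()

# 1. Anti-virus: real-time protection on, signatures fresh, a recent scan.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Real-time anti-virus protection is disabled'
}
if ($mp.AntivirusSignatureAge -gt 2) {
    $findings += "Anti-virus signatures are $($mp.AntivirusSignatureAge) day(s) old (automatic daily updates may be failing)"
}
if ($mp.QuickScanAge -gt 7 -and $mp.FullScanAge -gt 7) {
    $findings += 'No anti-virus scan has run in the last 7 days'
}

# 2. Remote access: Remote Desktop should be off unless it is actually in use.
# fDenyTSConnections = 1 means connections are denied (the safe default).
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop is enabled; disable it if nobody is using it'
}

# 3. Firewall: the release asks for a firewall between the internet and the
# practice network; the host firewall is a partial check, so every profile
# (Domain, Private, Public) must be on.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Windows Firewall is off for the $($_.Name) profile"
}

# 4. Patching: date of the most recently installed Windows update.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1 -ExpandProperty InstalledOn
if (-not $lastPatch) {
    $findings += 'No installed Windows updates were found'
} elseif ($lastPatch -lt (Get-Date).AddDays(-30)) {
    $findings += "Last Windows update was installed on $($lastPatch.ToShortDateString()); patches are overdue"
}

# Report. An empty list means every check passed on this machine.
if ($findings.Count -eq 0) {
    'All checks passed'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script deliberately only reads state; fixing a finding (turning a firewall profile back on, disabling Remote Desktop, running Windows Update) should be a documented step in the practice’s procedures manual rather than something a script silently changes, and the backup restoration test Dr Marles describes still has to be done by hand.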

The RACGP is currently reviewing the CISS in light of new legislation and legislative instruments that have been put in place to support the national ehealth records system, the personally controlled electronic health record (PCEHR).

The second edition of the CISS will be released by June 2013. Practices are advised that the current edition of the CISS (2011) remains best practice and the gold standard in guidance for general practices seeking confidence in their information security.

Media enquiries

Journalists and media outlets seeking comment and information from the RACGP can contact:

John Ronan

Senior Media Advisor