How to prevent a cybersecurity incident
General practices should follow the steps below to prevent a cybersecurity incident before it occurs:
- Seek expert support – Engage an IT or cybersecurity specialist to assess your systems and advise on what protections are needed.
- Protect systems – Install and maintain firewall and intrusion detection tools at key network points. Keep all software, operating systems and devices up to date with security patches.
- Set clear policies – Develop and implement practice policies for how staff use systems, the internet, email and mobile devices. Define who has access to which systems and applications based on their role.
- Apply access controls – Enforce strong authentication (strong passwords, multi-factor authentication) for all accounts and applications.
- Staff training – Provide regular training for staff on how to identify risks to the practice and how to report suspicious activity.
- Test – Periodically audit system access, review security settings, and test the effectiveness of the practice’s existing information security controls.
- Continuous improvement – Consult your IT or cybersecurity specialist for advice on technical risks and on additional controls suited to your practice.
Standards indicator
C6.4D Our practice has a business continuity and information recovery plan.
You must maintain up-to-date antivirus protection and hardware/software firewalls.
Please note that if you use cloud-based systems, you must develop policies that ensure strong security features are in place and that backups are available. It is recommended that you test your cloud systems to ensure they perform as intended.
Create a policy: Protecting against malicious software
Healthcare provider organisations must create, communicate and enforce a written Security and Access Policy in order to use the My Health Record system, as set out in Rule 42 of the My Health Records Rule 2016. This policy must cover how access is authorised and revoked, staff training, identity verification, security measures, risk management, and assisted registration (if applicable). The policy must be kept up to date, reviewed annually, and tailored to the organisation’s size and structure. It should also be accessible to all relevant staff and contractors.
While this is not mentioned in Rule 42, it is recommended that your policy specify monitoring procedures to detect malicious software and provide advice on what to do if malicious software is detected.
Your policy should cover:
- the malicious software protection used and enabled on all practice computers
- who has access to disable, bypass or adjust the settings of malicious software protection
- how updates to malicious software protection occur
- the process for scanning all incoming email attachments
- the process for scanning all documents imported into your practice information systems
- how automatic data/signature file updates are managed
- managing the ‘cookies’ feature in web browsers so that it is turned off (although some legitimate software may need it turned on to function properly)
- access to training for the practice team in malicious software prevention and how to report all incidents
- automatic upgrades occurring on computers left running outside practice hours.
Useful resources
Have I Been Pwned (HIBP) – a free resource that lets anyone check whether their email address or phone number has appeared in a data breach. You can quickly assess whether your practice may have been put at risk by an online account being compromised in a data breach.
Leading risk – personal information emailed to the wrong recipient
A leading potential risk to a general practice’s information security is the high incidence of personal information being emailed to the wrong recipient, a form of human error.
To reduce such occurrences, it is critical to regularly confirm with each patient that the email address recorded against their name in your patient management system is correct and up to date. Aim to confirm patient email addresses every six months or, at a minimum, annually.
Your entire practice team shares responsibility for ensuring that cybersecurity measures are in place to protect your practice information systems from cybercrime and online threats. Each person in the practice needs to actively contribute to protecting the practice’s information systems.