Information security in general practice

About this resource

Last revised: 01 Sep 2019

Information security in general practice reflects the changing technology environment and new security risks and threats. It does not impose new professional obligations but is designed to assist you to meet your legal obligations for information security and the requirements necessary for accreditation against The Royal Australian College of General Practitioners (RACGP) Standards for general practices (5th edition). This resource details and recommends essential business practice, policies and procedures to help you protect your general practice information systems. It is not designed to be a technical document, but as an educational and training resource for you and your practice team.

Each section of this resource includes:

Relevant indicator

Where there is a ‘must have’ in the Standards for general practices (5th edition), we direct you to the relevant indicator for each section.

Recommendations are provided to assist general practices to meet the required accreditation standards.

Practice information security policies

Policies should be created to support information security processes in your general practice.

To be effective, your policies should be:

  • publicised and provided to all existing and new members of your practice team
  • easily accessible (eg kept in policy manuals or available on your intranet)
  • explained to team members through information and training sessions, at team meetings and during induction
  • reiterated and discussed regularly to maintain relevance
  • periodically reviewed to ensure they are current, and updated when changes are made in information security processes in your practice or to relevant legislation
  • re-issued to the practice team when updated.

Policies should include:

  • a purpose and objectives
  • scope (ie to whom and what the policy applies, and under what circumstances)
  • definition of information security incidents and their consequences
  • organisational structure and defined roles, responsibilities and levels of authority
  • reporting requirements and contact forms
  • processes for providing access to training for your practice team.

You can use the RACGP practice policy template to create your practice policies.

Practice team education

This resource recommends you provide access to education and training for your practice team to support information security in your general practice. You should keep a record of when team members have undertaken training. Education can include:

  • induction training
  • discussion at practice team meetings
  • formal ongoing training when changes are made in the practice or to legislative requirements
  • practice exercises to test processes (eg a training activity to test your practice’s business continuity and information recovery plan can be undertaken using practical exercises in the same way fire drills are practised).

Information security in general practice describes the fundamentals of implementing information security controls into your general practice. As a practice owner or manager you need to ensure these processes are in place to safeguard your practice systems, and appoint a member of your practice team to be accountable and responsible for monitoring information security controls across your practice.

Introduce information security governance

Addressing information security at a governance level is crucial. A security governance framework will define the acceptable use of information technology (IT) in your practice and outline responsibilities. Information security roles and responsibilities should be allocated to members of your practice team. These team members should coordinate security-related activities and determine when it is appropriate to engage external technical service providers. Information security requires regular attention at a practice level and your practice team members need to be aware of their responsibilities to protect practice information. Information security processes should be documented and followed.

When developing your information security governance framework, it is important to consider:

  • the legal and professional requirements for protection of the information held in your practice. Under the Australian Privacy Principles (APPs), APP 11 requires that reasonable steps are taken to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Further information is available in the Office of the Australian Information Commissioner’s (OAIC’s) Guide to securing personal information
  • what capabilities your practice has in terms of security knowledge and expertise
  • who makes the decisions about the security protections required
  • what processes are in place to assist in decision making about the use of information for purposes other than for what it was collected (eg providing health information to external organisations for research or population health planning [secondary use of data])
  • how you know the system and process are working as intended.

You can read more about this in the Section - Roles and responsibilities of your practice team.

Protect your WiFi network

If your practice has a WiFi network or offers free WiFi for patients, have a policy for its use. Ensure you have strong authentication and encryption standards if using an internal WiFi network and isolate it from other networks to limit exposure if compromised. Set up a strong password to restrict access to the WiFi network so it is only accessible to authorised people.

You can read more about this in the Section - Securing the network and your equipment.

Allocate resources

Recognise and plan for the fixed costs of maintaining hardware and software that supports information security. Many businesses assume spending money on information security means they are adequately protected. The right budget for your security requirements will depend on the specific needs of your business. Having an information security professional review can help identify security gaps and save costs in the long term.

Create a culture of information security

An information security culture should be promoted within your practice. Educate your practice team on risks to your practice information systems and ensure practice policies outlining responsibilities to manage security risks are up to date and communicated. Train your practice team to identify and report when systems are not working as expected. Make sure your team has a process to follow to report suspicious activity or if issues with existing security measures arise.

You can read more about this in the Section - Setting up your information security governance.

Manage access to your systems and your data

Reduce security risks in your practice by introducing access controls. Practice team members only need access to the minimum data required to do their work. This limits the risk of data breaches and protects your practice data. Establish a strong and unique password policy to make sure access to systems is controlled and secure. Access management ensures accountability and allows you to ascertain who has entered or altered data.

It is good practice to separate your data on different servers if possible. Ensure your clinical data is on a separate network and server to your website and other business data. Data separation helps contain the risk of data exposure across your entire system.

You can read more about this in the Section - Setting up your information security governance.

Measure the effectiveness of your security controls

The effectiveness of any information security control procedures you have in place in your practice needs to be measurable. This allows you and your practice team to monitor and assess if your information security controls and processes are working. The challenge with information security is to find a balance between good protection and ease of use. Make sure your security controls are regularly tested.

To measure your information security controls, consider the following questions:

  • How will you know if your information security controls are effective?
  • Are they too restrictive? Do they make your systems difficult for the practice team to use?
  • What resources are needed if changes to your practice’s information security controls are required?

Use the ‘List of information security considerations’ to assist with monitoring and measuring your controls.

Perform a risk assessment

Securing the information held in your practice systems is essential to running your general practice, maintaining professional responsibilities to your patients, and ensuring practice information is available when required.

It is important to analyse and understand the security risks and threats to business and clinical information in your practice. Identify gaps in security and implement strategies to lessen any potential risks.

You can read more about this in the Section - Assessing the risks and keeping your practice running.

Have a business continuity plan with information recovery procedures

Your general practice needs a documented business continuity plan which includes information recovery procedures to preserve access to your practice data. In the event of an ‘information disaster’, this will ensure you can respond as soon as possible to minimise potential loss or corruption of information. This plan should detail how to maintain critical business functions when there is an unexpected system event. The plan should be reviewed, updated and tested periodically.

You can read more about this in the Section - Assessing the risks and keeping your practice running.

Have a resilient backup and restoration process for practice data

Critical data in the practice should be regularly backed up and validated. The backup procedure needs to be documented and routinely tested to ensure the backup system functions correctly and data can be quickly restored if an incident such as a server failure occurs. A robust backup process enables you to restore your business functionality in the shortest time possible. Ensure your backup media is secure from unauthorised access and copies are held at an alternative location in case of theft or a natural disaster at the primary location. Backup and restoration may not apply if your practice data is stored in the cloud and provided as Software as a Service (SaaS). In this case, it becomes an obligation of your cloud service provider and should be included as part of your contractual agreement.

You can read more about this in the Section - Assessing the risks and keeping your practice running.

Educate and train your practice team

Your practice team needs to know and understand that security breaches can and will happen. You need to educate your practice team about the importance of data protection and how to recognise signs of a security breach. You should have a process for your practice team to access training so they approach their jobs with a security focus. Share information on security breaches, no matter how small, when they happen. Show your practice team why they need to be careful.

You can read more about this in the Section - Setting up your information security governance.

Regularly update software and systems

Ensure your software is current and supported by your software provider. All of your practice software, including web browsers and operating systems, should have the latest security updates installed. Ideally, operating system and application security updates should be deployed automatically and be scheduled to update at a time that suits your practice. These updates are key in your defence against malicious software and other online threats.

You can read more about this in the Section - Online safety.

Keep mobile devices secure

Have a policy on the use of mobile electronic devices for both business and clinical purposes. Mobile electronic devices can contain confidential business information or easily access information via your local network. If you allow the use of mobile devices, these should be password protected, have data encrypted where possible, and have appropriate security applications or software installed. When using public and potentially unsecured networks on such devices, do not send or access sensitive data in case your communication is intercepted.

You can read more about this in the Section - Securing the network and your equipment.

This list is a guide to help you assess, achieve and maintain effective information security controls in your practice.

1. Setting up your information security governance framework

1.1 Roles and responsibilities of your practice team
  Security consideration: Does your practice have designated practice team members for championing and managing information security? Do these team members have their roles and responsibilities documented in their position descriptions? Does your practice have training scheduled for these roles and responsibilities?
  Explanatory notes and recommendations: Your practice should have a documented policy outlining the specific roles and responsibilities of all team members. Practice team members should receive regular training on all of the practice policies and procedures to ensure they understand their roles in maintaining information security.

1.2 Policies and procedures for managing information security
  Security consideration: Does your practice have documented policies and procedures for managing information security?
  Explanatory notes and recommendations: Your practice should have a policy and procedure manual outlining the security requirements for your practice. These policies and procedures should be clear and contain simple instructions.

1.3 Managing access to your information systems and data
  Security consideration: Does your practice have well-established and monitored authorised access to health information?
  Explanatory notes and recommendations: Your practice should have a policy containing information on access rights, unique password maintenance, password management, remote access controls, and auditing and appropriate software configuration.

2. Assessing the risks and keeping your practice running

2.1 Risk assessment
  Security consideration: Does your practice have a structured risk assessment of information security and identified improvements as required?
  Explanatory notes and recommendations: Your practice should have a policy detailing vulnerability management, risk assessment and security breach reporting procedures. This will include recording assets in the practice, a threat analysis and a reporting schedule.

2.2 Business continuity and information recovery
  Security consideration: Does your practice have documented and tested plans for business continuity and information recovery?
  Explanatory notes and recommendations: Your practice should have a documented business continuity plan to ensure the practice can continue to operate when a practice information systems failure occurs. This includes an information disaster recovery plan to restore data so the practice information systems can be brought back to working order as quickly as possible. The practice team should be aware of their roles in relation to business continuity and disaster recovery and receive training as required.

2.3 Information backup
  Security consideration: Does your practice have a reliable information backup system to support timely access to business and clinical information?
  Explanatory notes and recommendations: Your practice should have documented procedures for the backup of your practice systems. This should include:
  • how often backups are run
  • the type of backup, media type and rotation
  • the use of encryption
  • reliability testing and restoration checking
  • where the backups are stored
  • who has access to the backups
  • access to data from previous practice information systems.

3. Securing the network and your equipment

3.1 Network perimeter controls
  Security consideration: Does your practice have reliable network perimeter controls?
  Explanatory notes and recommendations: Your practice should have documented information on the systems protecting your practice network and any remote or WiFi networks. This should include firewall and intrusion detection and prevention hardware and software, and content filtering software with configuration and settings appropriate for your practice security needs.

3.2 Maintenance of your computer hardware, software and operating system
  Security consideration: Does your practice manage and maintain the physical facilities and computer hardware, software and operating system with a view to protecting information security?
  Explanatory notes and recommendations: Your practice should have documented information on how team members can prevent the unauthorised viewing of confidential information, such as using lock screensavers. Your practice should document how access is managed to restricted areas such as server rooms and how equipment can be secured from theft or damage. Your practice needs to document how hardware is disposed of safely and how software and hardware is maintained.

3.3 Mobile electronic devices
  Security consideration: Does your practice have processes in place to ensure the safe and proper use of mobile electronic devices?
  Explanatory notes and recommendations: Your practice should have a documented policy on the use of mobile devices, including using wireless networks and remote access to your practice systems. The practice team should be made aware of what devices can be used in the practice and how to use their personal mobile devices in line with practice policies.

4. Online safety

4.1 Internet and email use
  Security consideration: Does your practice have a process in place to ensure the safe and proper use of internet and email?
  Explanatory notes and recommendations: Your practice should have a policy clearly defining and describing how the practice team use email and the internet for business purposes. This may include access to social media and what is considered acceptable personal use of email and the internet by the practice team.

4.2 Malicious software
  Security consideration: Does your practice have reliable protection against malicious software?
  Explanatory notes and recommendations: Your practice should document the installation and monitoring of protection against malicious software.

4.3 Electronic sharing of information
  Security consideration: Does your practice have reliable systems for the secure electronic sharing of confidential information?
  Explanatory notes and recommendations: Your practice should document how information is sent outside of the practice using secure electronic communication. This will include the appropriate configuration of secure electronic messaging, digital certificate management and your practice website.

4.4 Third party software security
  Security consideration: Does your practice know how third-party software is using your practice data?
  Explanatory notes and recommendations: Your practice should have a policy around the use of any third-party software that is installed, and how it meets your security requirements. Third-party software regularly uses practice data to perform its function, but can also open up your practice to security threats. Ensure that you can demonstrate an understanding of how it is using your practice data and that consent has been obtained for any secondary use of data.

Cloud computing involves storing and accessing data and programs over the internet instead of locally from a computer or server. Most general practices currently run their IT environment from a physical server located at the practice. Cloud-based services in general practice are more commonly used for data storage or for public services such as website hosting. As cloud-based technology has advanced, a number of clinical software vendors now offer cloud alternatives for general practices and there are new opportunities to move more business functionality into a cloud environment. Cloud computing services can be an efficient way for your general practice to manage your IT, providing access to your practice information security systems from anywhere there is an internet connection.

Moving to cloud-based services can reduce the cost of managing and maintaining your local IT systems. Rather than purchasing expensive hardware for your business, you use the resources of your cloud service provider, reducing the costs associated with:

  • system upgrades
  • new hardware and software
  • external IT staff
  • energy consumption, because you no longer have to provide specific environmental conditions for servers and other hardware.

Cloud-based services can improve your practice’s ability to communicate and may increase efficiencies through:

  • the easy sharing of records with third parties
  • the ability to access patient records outside of your practice during home visits or case conferences
  • more flexible work practices, through the ability to quickly and easily access data
  • regular and automated updates or upgrades included in your contract
  • improved backups and restoration that can be much simpler and more timely.

Information security in a cloud-based environment requires additional considerations. When patient and practice data is surrendered to a third-party cloud service provider, you may need to consider the increased potential for data breaches, ownership rights to the data and ongoing data access.

Related documents

  RACGP-policy-template.DOCX (DOCX 0.02 MB)