Information security in general practice

Assessing the risks and keeping your practice running

Last revised: 01 Sep 2019

You should complete a periodic risk assessment to assess the security of your practice’s clinical and business information systems. Documenting your risk assessment provides evidence of a systematic approach to information security. A structured risk assessment requires you to record the assets in your practice. An asset register documents the hardware, software and other information systems used.

A threat analysis should also be included as part of your risk assessment to assess the impact of potential threats to your systems. Ensure plans are in place to minimise threats and vulnerabilities and their consequences, which include financial loss, breaches of confidentiality, loss of information integrity or availability, and loss of patient confidence. Risk assessments can be complex and your practice may find it valuable to engage a technical service provider or specialist security firm to undertake your practice risk assessment.

Relevant indicator

C6.4 D Our practice has a business continuity and information recovery plan.

You must maintain up-to-date antivirus protection and hardware/software firewalls.

Create a policy

Develop a policy for assessing the risks to your practice information systems. This policy should document your risk assessment processes and procedures, detail how a threat analysis is performed, and outline information security breach reporting procedures for your practice.

Your policy should cover:

  • the roles and responsibilities of your practice team and technical service providers
  • details of the reporting and monitoring schedule for security risks and mitigations
  • how your asset register is managed and updated
  • details of how data breaches are reported and documented
  • details of how breaches are reviewed and analysed when they occur.

Threats may be grouped into three categories:

  • Human (unintentional and deliberate) – for example, cybercrime using ransomware, the theft of a laptop containing clinical or business information, or unintentional viewing of a patient’s information by non-practice staff or another patient
  • Technical – for example, a hard disk crash or data corruption from a virus
  • Environmental – for example, a natural disaster such as a bushfire or flood

Potential risks and threats to consider in your risk assessment include:

  • errors and omissions (eg accidental file deletion, inability to restore data from backups)
  • unintentional access to information systems by practice staff
  • unintentional viewing of information systems by non-practice staff
  • non-compliance with legislative requirements
  • theft or damage of equipment
  • inappropriate disclosure or theft of information
  • employee sabotage
  • fraud
  • email threats
  • deliberate misuse of information systems
  • malicious software
  • unauthorised system or network access
  • software/hardware failure
  • power disruptions
  • natural disasters (eg flood, earthquake, fire, storm/cyclone)
  • physical protection of data that is stored offsite (eg data storage devices such as hard disks).

If using cloud services, your risk assessment will also need to consider:

  • accessing cloud-based data in the event of an outage or service interruption to your internet connection
  • technical issues with your cloud service provider such as hardware failures, faulty vendor software, lack of software and hardware version control
  • scheduled or unplanned outages from the cloud service provider
  • accessing data stored across multiple locations
  • increased risk of attacks by malicious software for data stored offsite
  • unauthorised access as data travels across networks
  • physical security of offsite cloud storage facilities
  • appropriate data governance concerning privacy and security
  • access to data in the event of changing to another cloud service provider.

For more information on cloud services, refer to the 'Information security for cloud computing' section in the introduction.

Your practice asset register should include details of the following:

  • Physical assets
    • computer and communications equipment
    • mobile electronic devices
    • medical equipment that interfaces with your practice information systems
    • backup media and uninterruptible power supplies
  • Information assets
    • databases
    • electronic files
    • image and voice files
    • system and user documentation
    • business continuity and information recovery plans
  • Software assets
    • operating systems
    • application programs
    • clinical and practice management software
    • communications software
    • software licence keys
    • original software media and manuals
  • Personnel assets
    • contact details of key members of the practice team and external service providers including internet service providers, telecommunication service providers, cloud service providers
  • Paper documents
    • contracts
    • patient records
    • other paper documents important to your practice

A data breach occurs when personal information held by your practice is lost or subjected to unauthorised access. All breaches or suspected breaches should be recorded in a data breach register and practice management notified. Data breaches can occur:

  • through unauthorised access to your databases
  • through intentional and inappropriate disclosure of information by practice team members
  • when personal information is incorrectly disclosed
  • through loss or theft of laptops, mobile devices, or removable storage devices
  • when discarded hard drives or digital storage media still contain your practice information
  • through lost or stolen paper records.

Notifiable data breaches

The Privacy Amendment (Notifiable Data Breaches) Act 2017 establishes the Notifiable Data Breaches (NDB) scheme. Organisations covered by the Privacy Act 1988 are required to notify individuals at risk of serious harm caused by a data breach. For further information on notifiable data breaches, visit the OAIC website.

An effective business continuity and information recovery plan brings your practice information systems back to working order when a system failure occurs. The plan should focus on internal system malfunction or failure. It is important to include how your practice will function in the event of an environmental or natural disaster.

Business continuity and information recovery plans should be tested and updated when there is a technology or procedure change in the practice or when any change to legislative requirements occurs. It is recommended you consult a technical service provider for advice on creating your plan.

Ensure all business continuity and information recovery processes are fully documented in your policy so your practice team knows their individual roles and responsibilities in the event of an emergency or disaster.

Relevant indicator

C6.4 D Our practice has a business continuity and information recovery plan.

You must operate a server backup log, maintain and test a business continuity plan for information recovery and have a privacy policy.

Your business continuity plan should cover:

  • access to education and training for your practice team on business continuity processes and procedures
  • how your general practice functions in the event of an environmental or natural disaster
  • transferring information between your practice, other healthcare providers, services and government bodies.

When creating your business continuity and information recovery plan, you should:

  • identify the functions and resources required to operate your practice at a minimum acceptable level without functional computers
  • train your practice team on how your practice systems will be managed ‘manually’ and which information needs to be collected for re-entering after recovery
  • provide advice on how to revert to a paper-based system
  • provide advice on basic practice systems such as
    • enabling clinical team members to provide adequate clinical care while not having access to electronic health records
    • appointment scheduling
    • billing
    • issuing of prescriptions
    • business financial operations (eg payroll, Medicare claims)
    • payroll processing
    • financial reconciliations.

If you are using cloud-based services you will need to consider creating a cloud services plan which could include:

  • documenting an internet failover plan including setting up multiple internet connections with different service providers
  • establishing manual workarounds (if available) for when your business and clinical applications cannot be accessed
  • migration plans to accommodate a sudden change of cloud provider
  • documenting key contacts for your cloud service provider, including the support desk, account manager, and the address of any websites that display service status.

Information recovery review

An information recovery review will help you identify the reasons for a system failure. Your review should include how your information was recovered and what changes need to be made to your systems, processes and procedures to ensure the same type of system failure does not happen again.

What to include in your information recovery review:

  • Details and screenshots of any error messages
  • Changes prior to the system failing
  • Result of the system failure
  • How the system failure was rectified
  • A fault log detailing
    • the date of the fault
    • who logged the fault
    • when the fault was discovered
    • how the fault was rectified
  • A communications strategy to advise practice team members, patients, other healthcare providers, technical support providers and relevant authorities who may have been affected.

Your practice should have reliable information backup systems to support timely access to business and clinical information. The creation of a backup process can require assistance from a technical service provider.

Relevant indicator

C6.4 E Our practice has appropriate procedures for the storage, retention, and destruction of records.

You must operate a server backup log, maintain and test a business continuity plan for information recovery and have a privacy policy.

Create a policy

Your policy should outline your processes and procedures for backing up your practice data.

Your policy should cover:

  • your complete backup procedure
  • how your backups are encrypted
  • where copies of your business-critical data are stored
  • how your practice data is backed up
  • how your backup data is restored
  • how long it takes to restore your backup data
  • how you ensure your backups are completed and correct
  • managing your archived data in a format readable by your current hardware
  • your practice’s obligations under national and state records legislation relating to the retention of patient information
  • details of which practice team members perform the backup
  • details of any automated backup processes
  • testing data restoration regularly.

Backup is the process of copying files or databases so they can be restored in the event of equipment failure or other catastrophes.

Defence in depth is a strategy where multiple security controls are layered throughout an IT system to reduce the risk of a network attack.

Retention and destruction of records

  • General practices should keep health records for the length of time specified in state or territory legislation.
  • Once this time has expired, the Australian Privacy Principles (APPs) require you to take reasonable steps to destroy or permanently de-identify health information.
  • APP 11 requires that reasonable steps are taken to destroy or de-identify personal information that is no longer needed. The reasonable steps will be dependent on whether the personal information is held in a paper or electronic format.

About backups

All practice management and clinical systems data as well as other relevant documents, email files and user profiles should be backed up. You may require different backup and recovery procedures to manage these requirements. All backups and archived data should be encrypted and password protected where possible and kept at secure locations.

Backup media

Choose a backup media option appropriate for your practice. Common backup media include portable hard drives, USBs, transfer of data to another computer or hard drive, or data backup to the cloud. You can use different types of backup media to provide you with multiple options for restoring data.

Backup storage

The physical protection of backup media is important. This should be securely stored with carefully controlled access. A record of who has taken any backups offsite should be kept, and the most recent backup should be maintained.

Backup reliability

It is vital that you have an established process to confirm your backups have completed successfully. Backup failures are often only detected when the backup is needed to restore data. It is recommended you have a system of daily, weekly, monthly and annual backups.

Backup restoration

Backup restoration is rebuilding a system or server after a software or hardware failure. Your backup restoration process needs to be documented, regularly tested and validated.

Planned server shutdown

As part of your normal IT maintenance processes it is good practice to routinely back up your entire server and schedule a planned server shutdown. This allows you to test the recovery process in your practice.

Choose the time for a controlled shutdown process wisely, as it can often take up more time than you may have anticipated. Ideally, the downtime should be as short as possible. The process and procedure for a controlled shutdown should be fully documented.

Test your backups

It is important to regularly test the integrity of your backup data. This ensures the backup has been successful and the data is accurate, correct, complete and preserved for future use. You can check your backups by validating the data against what is in your live system. This can be done automatically by your software or manually by your practice team.
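The two checks described under 'Backup reliability' and 'Test your backups' (did the backup complete, and does it match the live data) can be automated. The script below is an added example, not part of the RACGP guidance or any practice software: it compares per-file SHA-256 digests between a live data folder and its backup copy, and flags a backup whose newest file is older than one daily cycle (the 24-hour limit and the sample files are assumptions).

```python
import hashlib
import tempfile
import time
from pathlib import Path

# Added example (not from the RACGP guidance): verify a backup copy against the
# live data by comparing per-file SHA-256 digests, and flag a backup whose newest
# file is older than one daily cycle. The age limit is an assumption.
MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60

def sha256_of_file(path: Path) -> str:
    """Stream the file so a large database dump need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its digest."""
    return {str(p.relative_to(root)): sha256_of_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(live: Path, backup: Path, now=None) -> dict:
    """Report files missing from or altered in the backup, and whether it is stale."""
    live_m, backup_m = build_manifest(live), build_manifest(backup)
    missing = sorted(set(live_m) - set(backup_m))
    mismatched = sorted(n for n in live_m if n in backup_m and backup_m[n] != live_m[n])
    newest = max((p.stat().st_mtime for p in backup.rglob("*") if p.is_file()), default=0.0)
    stale = ((time.time() if now is None else now) - newest) > MAX_BACKUP_AGE_SECONDS
    return {"ok": not (missing or mismatched or stale),
            "missing": missing, "mismatched": mismatched, "stale": stale}

def make_sample_trees() -> tuple:
    """Constructed sample: a live tree and a backup with one altered and one missing file."""
    root = Path(tempfile.mkdtemp())
    live, backup = root / "live", root / "backup"
    for base in (live, backup):
        (base / "db").mkdir(parents=True)
        (base / "db" / "patients.db").write_bytes(b"record-1\nrecord-2\n")
    (live / "notes.txt").write_text("clinical notes")
    (backup / "notes.txt").write_text("clinical notex")   # silently corrupted copy
    (live / "billing.csv").write_text("inv,1,50.00\n")    # never copied to the backup
    return live, backup

if __name__ == "__main__":
    live_dir, backup_dir = make_sample_trees()
    print(verify_backup(live_dir, backup_dir))
```

Run against a real backup target, a non-empty `missing` or `mismatched` list, or `stale` being true, is the signal that the backup job needs attention before it is relied on for a restore.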

Case study

3-2-1 backup strategy

A busy healthcare centre just outside of the Brisbane CBD uses the ‘3-2-1 backup strategy’ to protect their practice data. The practice has approximately 20 GPs and provides a range of general practice and allied health services. GPs and healthcare providers in the practice use electronic health records as part of their consultations to record patient information, generate prescriptions, request pathology and diagnostic imaging and to create referrals to other healthcare providers. All of the practice’s billing and administration is computer-based and each day a large volume of electronic data is collected.

To protect this data and ensure it is available, the practice has a 3-2-1 backup strategy. The practice keeps three copies of its data: the original and two backup copies. Each of the backup copies is stored on different storage media, and one copy of the data is stored offsite. Having multiple copies of the practice’s data means there is less risk of losing data in the event of a disaster.

The practice data is backed up locally onsite to a separate server. The second copy is backed up to the cloud at an offsite location. If there is a local disaster that damages data held at the practice, the cloud data is still available to maintain business continuity. The practice’s IT lead and external technical service providers are aware there is no ‘perfect’ backup system, but also know that using the 3-2-1 strategy is a great starting point to keep most businesses up and running.


Related documents

  RACGP-policy-template.DOCX (DOCX 0.02 MB)