We're aware of a cyber security incident affecting the electronic prescriptions provider MediSecure. The eRX Script Exchange (eRX) and the National Prescription Delivery Service (NPDS) continue to operate as usual and have not been impacted. Find out more and read our statement here.

Information security in general practice

Information backup

Practice roles for the backup and recovery plan

      1. Practice roles for the backup and recovery plan

Last revised: 21 Apr 2023

Practice roles for the backup and recovery plan

It is critical that you have a primary contact for your practice’s backup and recovery plan and have a written agreement clearly outlining their role and accountabilities. This role is a key responsibility. You must ensure that the designated person has the required skills, including the ability to navigate and minimise the impact a data loss or backup failure will have on your practice. This staff member may also be responsible for performing and/or monitoring the daily backup and recovery of data.

Alternatively, your practice may contract a third-party IT company to manage your backup and recovery processes. This option requires a written agreement that outlines the third-party organisation’s roles and accountabilities.

Working with a third-party IT provider

PART A: Selecting a third-party IT provider to manage your backups

If you decide to employ the services of an external IT provider, there are several questions to consider in order to choose the right one to suit your practice needs:

  • What is the history and background of the IT business? Does it have experience in the healthcare industry?
  • What are the qualifications and expertise of the business’ staff members?
  • What type of hardware (if any) is supplied and what is the warranty period?
  • What are the details of the service agreement? You should request a copy of the service agreement prior to finalising your decision and ensure that you and the IT provider have agreed on the same terms of the service delivery.
  • What insurance cover does the business have?
  • What risk management strategies are in place? Are these reviewed on a regular basis?
  • Will the business be available to provide support if you run into trouble? What does this process look like?
  • Does the business provide remote monitoring and maintenance systems?
  • Is there remote monitoring of backup and regular restoration from backup?
  • Does the business’ area of expertise cover site servers or cloud-based systems, or both?
  • What is the cost of the service? Are there differing price structures depending on the level of support required (e.g. 24 hour monitoring to ensure there is no down time)?
  • What support does the business provide when the practice is undergoing accreditation?
  • Has the company experienced a data breach previously? How did they respond to this and what was the impact on the business it was providing service for?

Refer to the checklist in the ‘Contracts’ chapter of the RACGP’s Guide for hardware and software requirements in general practice for further information on reviewing contracts and service-level agreements with external IT providers.


PART B: Consulting with your selected IT provider to manage your backups

When considering different types of backups for your practice, it is essential to consult with a trusted and validated IT professional about your specific, unique requirements. Once you have selected a suitable IT provider, you may wish to ask them questions such as:

  • Who is responsible for ensuring the backup happens?
  • How often should we backup our data?
  • Where is the data being held offsite and is it being held securely?
  • What information do we need to back up?
  • What is your role in our practice’s business continuity plan?
  • How quickly can our practice recover in the event of a disaster?
  • Is our practice backing up all the data it requires?
  • How do we perform routine checks to validate that our backup data is complete and correct?
  • How do we regularly test the restoring of our backup data?
  • What type of security is used to protect our practice backups? ​