Information security workplace culture
Often, information security incidents in businesses occur due to misfortune or a lack of knowledge. Practice owners and managers must empower staff with relevant awareness and education to assist in minimising the occurrence and potential impacts of such incidents.
A culture of learning
An information security culture should be promoted within your practice. Educate your practice team on risks to your practice information systems and ensure practice policies outlining responsibilities to manage security risks are up to date and communicated.
You can read more about this in the module on Roles and responsibilities of your practice team.
Practice team education
It is essential for you to provide comprehensive education and training for your practice team to support information security in your general practice. Records of when team members have undertaken training should be kept.
Education can include:
- induction training
- discussion at practice team meetings
- formal ongoing training
- ad hoc training sessions when changes are made in the practice or to legislative requirements
- practice drills and exercises to test processes (e.g. a training activity to test your practice’s business continuity and information recovery plan can be undertaken using practical exercises, in the same way that fire drills are practised).
A reporting culture
Investing in adequate time and education for practice staff will help to establish a confident information security culture that is well informed and willing to report potential threats such as cyber-attacks or accidental privacy breaches related to human error.
Train your practice team to identify and report when systems are not working as expected. Make sure your team has a process to follow for reporting suspicious activity or issues with existing security measures.
The principles of open disclosure apply to any data breaches that involve potentially identifiable patient information.
Case study: Creating a security culture
Mandy, a practice manager at a general practice in southeast Melbourne, was alerted to a malicious software cyber-attack that had a detrimental effect on several general practices’ computers. The affected practices’ electronic systems were rendered completely unavailable, preventing access to all electronic patient and business-critical information.
In response to this news, Mandy immediately organised a meeting to inform her practice team of the rapidly spreading cyber-attack. The team then discussed their previous training and the practice’s preparedness for such an incident. They confirmed the practice’s information systems were backed up, and the latest systems and software security updates had been installed.
Mandy reviewed online security bulletins for advice and highlighted the necessity for all staff to be vigilant and to be able to recognise a suspicious email. She reminded the practice team not to download files or access links in emails where they did not recognise the sender.
If there was any suspicion a computer had been attacked, its network cable was to be disconnected from the network. This would also disconnect any WiFi access and reduce the chances of the cyber-attack spreading across the entire general practice network.