Information security in general practice

Last revised: 21 Apr 2023

Prevention and risk assessment

Clinical and business information system risk assessments should be performed frequently and documented each time.

A structured risk assessment requires you to:

  • record the assets in your practice (an asset register can be used to document your hardware, software and any other information systems)
  • perform a threat analysis
  • perform a measurement and analysis of your information security controls

Asset register

Your practice should maintain an asset register. This should include details of the following:

  • Physical assets
    • computer and communications equipment
    • mobile electronic devices
    • medical equipment that interfaces with your practice information systems
    • backup media and uninterruptible power supplies
  • Information assets
    • databases
    • electronic files
    • image and voice files
    • system and user documentation
    • business continuity and information recovery plans
  • Software assets
    • operating systems
    • application programs
    • clinical and practice management software
    • communications software
    • software license keys
    • original software media and manuals
  • Personnel assets
    • contact details of key members of the practice team and external service providers, including internet service providers, telecommunication service providers and cloud service providers
  • Paper documents
    • contracts
    • patient records
    • other paper documents important to your practice
