We're aware of a cyber security incident affecting the electronic prescriptions provider MediSecure. The eRX Script Exchange (eRX) and the National Prescription Delivery Service (NPDS) continue to operate as usual and have not been impacted. Find out more and read our statement here.

Information security in general practice

Prevention and risk assessment

Electronic sharing of information

        1. Electronic sharing of information

Last revised: 21 Apr 2023

Hidden risks

There are a rage of potential information security risk areas that your practice needs to ensure are not overlooked. These include:

  • electronic sharing of information
  • running unsupported software or hardware
  • fax and paper documents
  • patient communication via electronic mediums – including email and social media.

Electronic sharing of information

‘Use of electronic communication in the general practice setting is essential, and yet it generates significant medicolegal risk’ .9

Your practice may electronically share information via your practice website or social media channels. Sharing information electronically requires a certain level of security to prevent it from being intercepted, changed during transmission or received by unintended recipients. Health information is sensitive by nature, so any communication of this information via electronic or other means must adequately protect your patients’ privacy.

Communication of clinical information to and from healthcare providers should be from within your practice’s clinical software using secure electronic messaging.

Secure electronic messaging involves two processes: encryption and authentication. Encryption means data is electronically ‘scrambled’ so it cannot be read unless the information is decrypted using a digital key. Authentication means the sender can be verified using electronic signatures.

eHealth information exchange in the Australian health system relies on and incorporates encrypted, secure messaging techniques. The software programs used will handle this function and are required to meet Australian standards.

There are two key types of information that your practice may electronically share:

  1. information that your practice publishes on your practice’s website or social media channels, accessible by anybody or by restricted groups of people. Your practice should take reasonable steps to prevent others from changing that information.
  2. identified clinical information about your patients.

Systems for electronic communication of clinical information are changing with the development of newer technologies, including those that use Fast Health Interoperability Resources (FHIR). Some of the first common uses of FHIR have been to provide two-way communication between GPs’ clinical software and the Australian Immunisation Register and the National Cancer Screening Register.

Currently, the most widely used method of communicating clinical information securely between healthcare providers is secure message delivery, commonly known as SMD.

Providers of SMD are required to meet Australian standards. These SMD packages enable letters and other messages to be sent from within clinical software, and incoming messages to be received into the GP’s electronic clinical inbox, where reports of pathology and medical imaging are received.


In the past, standard email lacked security features, making it susceptible to interception. The security of email has increased as a result of the use of encrypted connections between mail servers.

Some clinical software packages now enable documents to be emailed from within the clinical package to other health professionals and organisations, and to patients. These offer protection via the use of a password to access the email.

Create a policy

Your practice should take reasonable steps to make any electronic communication of health information safe and secure.

Your policy should cover:

  • how patient-related and other confidential information is sent electronically between healthcare providers
  • your practice’s approach to using email to communicate patient-related and otherconfidential information between healthcare providers and patientsrecording of patient consent for electronic transmission of their health information
  •  the maintenance of your website to ensure information is current and correct
  • encryption for online transactions such as appointment bookings
  • who in your practice team is responsible for maintaining the practice website
  • use of social media for your general practice.

Use the RACGP practice policy template sample to create your practice policies.

9 Carter, D., & Hartridge, S. (2002). Privacy breaches and electronic communication: Lessons for practitioners and researchers. Australian Journal of General Practice, 51(7), 497-499.