Information security in general practice


Last revised: 21 Apr 2023

Third party software security

Third-party software, including ‘add-on’ programs, is commonly used in general practice to enhance practice and clinical systems and to transfer clinical information. For example, data extraction tools, administrative products, and online medical appointment scheduling applications are used to analyse and improve business and clinical performance. Third-party software is also used for electronic prescription exchange and to send secure communications.

Using third-party software can expose your general practice system to threats. Using this software without appropriate information security processes in place can result in core database integrity compromise, unauthorised access into your practice system and data breaches.

When choosing to use any type of third-party software in your practice, consider the following:

  • Have you developed policy around the use of third-party software that meets your security requirements?
  • How is the third-party software updated? By whom, and will this impact your other systems?
  • Does the third-party software meet the necessary Australian Privacy Principles (APPs) requirements? Where and how is extracted and transferred data stored?
  • Are you able to test and audit the use of the third-party software?
  • What contractual arrangements are in place?
  • Where is the data stored?

Your practice may be using multiple software packages from different vendors that access clinical and/or administrative data to perform a range of functions. It is important to consider how these packages send or store data outside the practice and its systems. This also applies to 'comprehensive clinical packages'.

Third-party software often uses practice data to complete functions and produce reports. For example, it can be used to provide health information to external organisations for research or population health planning. Your practice team needs to know what the third-party software is doing with any practice data, as consent should be sought for any secondary use of data – that is, information used for purposes other than those for which it was originally collected.

See the section on secondary use of data for more information.