Information security in general practice

Prevention and risk assessment

Performing a threat analysis

      1. Performing a threat analysis

Last revised: 21 Apr 2023

Performing a threat analysis

A threat analysis should be included as part of your risk assessment to assess the impact of potential threats to your systems. Ensure plans are in place to minimise threats and vulnerabilities which could lead to financial loss, breaches in confidentiality, loss of information integrity and availability, practice reputation and patient confidence. 

Risk assessments can be complex. Your practice may find it valuable to employ a technical service provider or specialist security firm to undertake your practice risk assessment. 

Threats can be grouped into three categories:

  • Human (unintentional and deliberate) – for example, cybercrime using ransomware, the theft of a laptop containing clinical or business information, or unintentional viewing of a patient’s information by non-practice staff or another patient
  • Technical – for example, a hard disk crash or data corruption from a virus
  • Environmental – for example, a natural disaster such as a bushfire or flood

Standards indicator

Criterion  C6.4D  Our  practice has a business continuity and information recovery plan.

You must:

  • operate a server backup log
  • maintain up-to-date antivirus protection and hardware/software firewalls 
  • maintain and test a business continuity plan for information recovery
  • maintain a privacy policy
  • store backups offsite in a secure location.

You should also a add multi factor authentication process for remote access

Please note, additional considerations need to be made if you use cloud-based systems. For example, rather than maintaining a server backup log and backups offsite, you should have a policy to test your cloud-based system.

Create a policy

Develop a policy for assessing the risks to your practice information systems.

This policy should document your risk assessment processes and procedures, detail how a threat analysis is performed, and outline information security breach reporting procedures for your practice.

Your policy should cover:

  • the roles and responsibilities of your practice team and technical service providers
  • details of the reporting and monitoring schedule for security risks and mitigations
  • how your asset register is managed and updated
  • details of how data breaches are reported and documented
  • details of how breaches are reviewed and analysed when they occur.
  • access to ongoing training for your practice team as required
  • education for your practice team in identifying errors or abnormal software behaviour.

Potential risks and threats to consider in your risk assessment include:

  • errors and omissions (e.g. accidental file deletion, inability to restore data from backups)
  • unintentional access to information systems by practice staff or non-practice staff
  • non-compliance with legislative requirements
  • theft or damage of equipment
  • inappropriate disclosure or theft of information
  • employee sabotage
  • fraud
  • email threats
  • deliberate misuse of information systems
  • malicious software and viruses
  • unauthorised system or network access
  • software/hardware failure (including loss of remotely hosted practice database or software)
  • power disruptions
  • natural disasters e.g. flood, earthquake, fire, storm/cyclone
  • physical protection of data that is stored offsite (e.g. data storage devices such as hard disks.)