Information security in general practice

Securing the network and your equipment

Last revised: 01 Sep 2019

Network perimeter controls are essential for anyone using the internet. Your practice should have reliable network perimeter controls in place to protect your practice systems and local network. Use multiple protection mechanisms such as firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), virtual private networks (VPNs), content filtering and malicious software protection. Qualified technical support can be engaged for installation and configuration.

Remote access to your practice information systems via a wireless network is convenient but requires additional security measures. WiFi devices should have encryption set up to ensure information confidentiality. Follow vendor guidelines and speak to your technical service provider about secure WiFi configuration for your practice.

Relevant indicator

C6.4 A Our practice has a team member who has primary responsibility for the electronic systems and computer security.

You must have at least one team member who has primary responsibility for the electronic systems and computer security.

Network perimeter controls protect your practice systems and local network by controlling data entering and leaving your local network.

Create a policy

Your network perimeter control policy should provide details of the hardware and software protecting the network, including remote and wireless access networks.

Your policy should cover:

  • the configuration details of network perimeter control hardware and software
  • how network perimeter controls are managed
  • version details of all hardware and software
  • details of ongoing maintenance and support requirements
  • configuration of your network perimeter controls and appropriate settings for your practice
  • details of who can access your network through the perimeter controls and how this is done
  • the use of a VPN for all remote access
  • information on avoiding the use of public or open and unsecured networks when accessing your practice systems remotely
  • regular scanning of your networks to identify security weaknesses
  • reviewing audit logs for unauthorised access and unusual or inappropriate activity.

Preventive strategies are required to keep your practice information security systems running properly. Undertaking regular and ongoing software and system maintenance can ensure computers and other equipment run smoothly and information is protected. Computer systems need to be physically protected from theft and unauthorised access.

The role of your technical service provider is not just to provide an emergency response when problems arise. They should undertake regular and ongoing maintenance of your systems and provide advice on what physical protections are required.

An uninterruptible power supply (UPS) is a device that provides power so that computers (especially mission-critical hardware) can shut down normally when mains electricity is lost. Put a sticker on your UPS with the date of the battery change as part of your maintenance program.

Create a policy

Your practice policy and procedures should include system and software maintenance as well as physical network and hardware protection.

Your policy should cover:

Software and hardware maintenance

  • All system maintenance performed by your practice team or technical service provider should be documented
  • Regular system maintenance can include:
    • upgrades to clinical desktop system software
    • preventive maintenance
    • planned upgrades
    • maintaining and updating testing environments
    • monitoring for intrusions and installations of unauthorised programs
    • checking disk capacity (hard disk space)
    • checking system and error logs
    • ensuring antivirus and other protective software is up to date
    • checking battery life on the UPS
    • running patching updates to rectify security weaknesses in earlier software versions
    • software version control to maintain software in accordance with the vendor’s guidelines.

Physical protection

  • How all removable computer equipment is secured from theft or damage
  • The physical location of your server to ensure it is secured with limited and controlled access
  • How software disks and backup media are physically protected
  • How computer monitors are positioned in open-access areas to prevent unintentional viewing of information
  • Appropriate use of screensavers
  • Your clear screen policy
  • Your clear desk policy
  • Paper document management
  • The secure disposal of hardware
  • How to delete all data on devices
  • How the server is identified so practice team members know which computer is the server
  • Routine cleaning around the back of computers and other equipment
  • Controlling environmental conditions (eg extreme heat)
  • How to limit damage from power interruptions and/or fluctuations

Clear screen policy

  • Remember to exit the previous patient’s electronic file before the next patient enters the consulting room.
  • Position computer monitors to keep information private, including computers used by reception staff at the front desk.
  • Use ‘clear screen’ function keys, which instantly close down an open file or switch off the monitor.
  • Use password protected screensavers.
  • Log off when leaving computers unattended or use automatic session time-outs.
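One way to check a Windows workstation against the password-protected screensaver and automatic time-out points above. This is an added PowerShell example, not part of the RACGP guidance or its policy template; the 600-second limit is an assumed policy value, and the registry paths are the standard Windows locations for these settings.

```powershell
# Added example (not RACGP guidance): audit a Windows workstation's screen-lock settings
# against a clear screen policy. Assumed policy: screensaver on, password required on
# resume, and no more than 10 minutes (600 s) of inactivity before it starts.
$MaxTimeoutSeconds = 600

# Group Policy values live under the Policies key and take precedence; the Control Panel
# key holds the user's own setting when no policy is applied.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-DesktopSetting {
    param([string]$Name)
    foreach ($key in @($PolicyKey, $UserKey)) {
        $value = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $value) { return [string]$value }
    }
    return $null   # not set in either location
}

$active  = Get-DesktopSetting 'ScreenSaveActive'     # "1" = screensaver enabled
$secure  = Get-DesktopSetting 'ScreenSaverIsSecure'  # "1" = password required on resume
$timeout = Get-DesktopSetting 'ScreenSaveTimeOut'    # idle seconds before it starts

$findings = @()
if ($active -ne '1') { $findings += 'Screensaver is not enabled.' }
if ($secure -ne '1') { $findings += 'Screensaver does not require a password on resume.' }
if (-not $timeout) {
    $findings += 'No idle time-out is set.'
} elseif ([int]$timeout -gt $MaxTimeoutSeconds) {
    $findings += "Idle time-out is $timeout s; policy allows at most $MaxTimeoutSeconds s."
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME ($env:USERNAME): clear screen settings comply."
} else {
    Write-Output "$env:COMPUTERNAME ($env:USERNAME): NON-COMPLIANT"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in the context of the user whose desktop is being checked, since the settings are stored per user; your technical service provider can apply the same values practice-wide through Group Policy.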

Clear desk policy

  • At the end of each day, each practice team member clears their desks of all documents, notes and media.
  • All documents should be removed from printers and fax machines immediately after being copied, sent or received.

Tools to secure your network

  • An IDS monitors your network and system activity to detect malicious and unauthorised action. It does not prevent attacks on your system but informs you if there is a potential problem so action can be taken.
  • An IPS monitors and controls access to your IT network and takes action to block and prevent malicious and unauthorised action.
  • A demilitarised zone (DMZ) acts as a neutral zone or protected space between your internal practice networks and external-facing connections, such as the internet, web services and email. It prevents direct access to internal servers holding practice and patient data.
  • Secure remote access provides a secure and reliable connection over the internet, most commonly using a VPN. A VPN uses encryption to prevent unauthorised reading of messages and authentication to ensure only authorised users have access to the system being connected to, and to ensure messages are not altered.
  • Content filtering is the use of software programs to filter email and restrict access to the internet. Filtering for spam is the most common type of email filtering. Limiting access to known and trusted websites is also commonly used.
  • Firewalls act as a gateway or barrier between a private network and an external or unsecured network (eg the internet). A firewall can be used to filter the flow of data through the gateway according to specific rules.

It is recommended your practice information security lead works with your technical service provider to understand your practice’s environment to ensure your network is correctly monitored.

Tips for protecting your physical hardware

  • All computers should be kept reasonably dust free, particularly over intakes for the cooling fans.
  • Be familiar with the operating temperature limits of your servers, as overheating is one of the major causes of server failure.
  • Server room temperatures should be regularly monitored, and dedicated air conditioning installed if required. You should consider installing a thermometer in the server room.
  • Take extra precautions over the summer months – run air-conditioning overnight on hot days or install ceiling suction fans.
  • Always follow vendor guidelines, and seek professional advice from your technical service provider.

You may have heard your technical service provider mention a ‘computer heartbeat’. This is a signal occurring at regular intervals to indicate a computer is working correctly, or synchronised with other parts of the system. If the heartbeat is not available, an error may have occurred.

Your practice should decide whether or not to use mobile devices for business and clinical purposes. Mobile devices used for business purposes may be owned by the practice or personally owned by members of the practice team. Mobile devices include laptops, tablets, USBs, removable hard drives, mobile phones, backup media and portable electronic clinical equipment. These devices are at a high risk of being lost, stolen or left unsecured, which increases the risk of a data breach.

Vulnerability assessment and penetration testing

Vulnerability assessment and penetration testing (VAPT) are ways to test the security of your information networks. Vulnerability assessment works to identify security weaknesses in an IT network. Penetration testing simulates real-world scenarios to discover and exploit security gaps that may lead to unauthorised system access and stolen records.

VAPT should be performed regularly as part of normal IT and network security management, when new infrastructure or applications are added to the network, when user policies are changed and when there are significant system upgrades.

Relevant indicator

C6.4 C Our practice’s clinical software is accessible only via unique individual passwords that give access to information according to the person’s level of authorisation. You must maintain a privacy policy, and the security of the clinical software passwords of each individual practice team member.

Create a policy

Your policy should include which devices are authorised for use in your practice and how these devices are managed. Your policy should direct your practice team on the use of privately owned mobile devices for business purposes.

Your policy should cover:

  • whether or not your practice allows the use of personal mobile electronic devices for work-related purposes
  • the password protection of all mobile devices
  • the protection of health data via encryption on all mobile devices
  • how mobile devices are securely stored when not in use
  • guidance on safely installing and using wireless network access
  • who can have remote access to your practice systems, and how they have access
  • third-party providers and access to practice systems via web-based portals
  • processes and procedures for practice team members working from home to ensure information is protected
  • security on your practice team’s personal devices which are taken home and connected to your practice’s network
  • data encryption on mobile devices
  • controls for bulk downloading or transfer of information using mobile devices.

Related documents

  RACGP-policy-template.DOCX (DOCX 0.02 MB)