Information security in general practice

Setting up your information security governance

Last revised: 01 Sep 2019

It is vital for practice team members to be aware of their roles in information security. All practice team members require a position description clearly defining and documenting their roles and responsibilities and access to clinical and/or business information.

It is recommended that your practice appoints an information security lead to champion and manage information security. The information security lead does not need to have advanced technical knowledge but should be comfortable with your practice’s computer operating systems and other relevant software. The lead will need to determine what aspects of information security in the practice are outsourced to external technical service providers. The information security lead requires management skills to develop information security policies and to raise awareness of information security governance, help foster a strong security culture and ensure access to adequate and appropriate training for your practice team.

Relevant indicator

C6.4 A Our practice has a team member who has primary responsibility for the electronic systems and computer security.

You must have at least one team member who has primary responsibility for the electronic systems and computer security.

Create a policy

Your practice policy should include the specific information security roles and responsibilities of practice team members.

Your policy should cover:

  • specific information on the roles and responsibilities of each practice team member in relation to information security, to determine the required levels of access to information systems
  • assignment of an information security lead who has access to ongoing training as required
  • who is responsible for specific information security tasks
  • access to ongoing training for your practice team as required
  • education for your practice team in identifying errors or abnormal software behaviour.

The position description of the information security lead can include responsibilities such as:

  • overseeing development of information security policies and procedures
  • testing business continuity and information recovery plans
  • reviewing and updating policies and procedures as practice and legislative changes occur
  • regular monitoring to ensure practice security policies are followed
  • maintaining an up-to-date risk assessment
  • ensuring technical advice is sought where required
  • ensuring secure transfer of electronic information
  • arranging access to ongoing information security awareness training for the practice team
  • updating the practice management on outstanding security issues
  • regular reporting on information security to the practice team
  • regular monitoring of system logs and audit reports.

Practice team agreements

You should document all confidentiality and privacy agreements for practice team members, together with an appropriate internet and email use agreement. Practice team members and relevant external providers should sign these agreements. These agreements act to protect practice owners in the event of legal action should a security breach occur.

External service provider agreements

Your practice has a responsibility to ensure anyone who has access to practice clinical and/or business information is aware of their obligations to comply with your information security policies. Technical service providers are usually granted unrestricted access to practice data. Third-party access for support and problem solving is an issue requiring careful consideration. This is often undertaken remotely and trust is placed in software and external support service staff. While technical support personnel will be knowledgeable in information security, they may not fully understand the sensitivity and confidentiality requirements of health information. All external technical support providers with access to any of your practice’s information should sign confidentiality agreements.

Technical service provider contractual agreements can include:

  • what can or cannot be viewed when accessing your practice systems. If ‘everything’, including files saved on workstations can be viewed, all practice team members should be aware of this
  • details of backup procedures and testing that meet the needs of your practice
  • set response times to provide technical support via telephone, remote access to your systems, in person and onsite, and outside of business hours
  • the cost for routine maintenance, additional work in case of system malfunction and the differences in costs for support during business hours and outside of business hours
  • details of maintenance schedules
  • information on system audits and reporting
  • details on how information assets are disposed of safely and securely
  • a signed confidentiality agreement.

Cloud service provider agreements will require additional details, including:

  • your practice retaining legal ownership of the data
  • appropriate internet connection to support the amount of data transferred and any other online functions required
  • a Service Level Agreement (SLA) to define the level of service and availability expected from the provider
  • storage and management of data in line with Australian Privacy Law
  • processes for redundancy and backup protecting data from loss or corruption
  • the ability to move your cloud services or data either to another cloud service provider or back into your business for local management.

Case study

Creating a security culture

Mandy, a practice manager at a general practice in southeast Melbourne, was recently alerted to a malicious software cyber-attack that had a detrimental effect on several general practices’ computers.

The practices’ electronic systems were rendered completely unavailable, preventing access to all electronic patient and business-critical information. To ensure her practice was not subject to the cyber-attack, which was predicted to spread rapidly across Australia, Mandy immediately organised a meeting to inform and update her practice team on this latest cyber-attack.

The team discussed their previous training and the practice’s preparedness for such an incident. They confirmed the practice’s information systems were backed up, and the latest systems and software security updates had been installed.

Mandy reviewed online security bulletins for advice and highlighted the necessity for all staff to be vigilant and to be able to recognise a suspicious email. She reminded the practice team not to download files or access links in emails where they did not recognise the sender. If there was any suspicion a computer had been attacked, its network cable was to be disconnected from the network. This also disconnected any WiFi access and reduced the chances of the cyber-attack spreading across the entire general practice network.

Your practice should document all policies and procedures for managing information security. A policy and procedures manual provides information and guidance to your practice team on the protocols used in managing your information systems. This manual is used to clarify roles and responsibilities, and to facilitate induction of new practice team members.

Relevant indicator

C6.4 B Our practice does not store or temporarily leave the personal health information of patients where members of the public could see or access that information.

C6.4 F Our practice has a policy about the use of email.

C6.4 G Our practice has a policy about the use of social media.

You must maintain a privacy policy, email policy and social media policy.

Create a policy

Your policy should reflect the overall strategy of how practice information is secured. Policies can be kept as a manual, folder or suite of documents accessible to your practice team. The practice team should have access to training on all policies and procedures to ensure compliance and implementation.

Each practice team member should only have access to the necessary systems and information to enable them to perform their role in the practice. Your practice needs to establish and monitor authorised access to health information. Your practice team should have access to appropriate training in the relevant software and on potential risks before access and passwords are provided.

Passwords are the most common form of access authentication. Password management can be complex as users often have multiple passwords to access various systems. Your practice team needs to be aware that most software will allow a new password to be generated if one is forgotten, so keeping a written record of passwords creates an unnecessary risk to your information security.

Your information systems should be set up to generate audit logs providing details of who is accessing, downloading, changing and deleting information. The audit logs should be reviewed periodically and retained in case information is required following an information security incident.
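The following is an added example of what a periodic audit-log review can look like in practice; it is not code from the RACGP page or from any clinical software vendor. It assumes a simple export format (timestamp, user, action, patient record id), a small constructed sample log, an assumed list of accounts that should already have been deactivated (tying in with the account-termination step later on this page), and assumed thresholds for out-of-hours activity and bulk downloads. It flags the events a reviewer would want to look at first: out-of-hours access, deletions, bulk downloads and activity from accounts that should no longer exist.

```python
"""Periodic review of an information-system audit log (added example).

The log format, thresholds and account list below are assumptions for
illustration; real clinical software exports will differ.
"""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed sample audit log: who accessed, downloaded, changed or deleted what.
SAMPLE_LOG = """\
timestamp,user,action,patient_id
2019-08-05T09:12:00,drlee,view,P1001
2019-08-05T09:15:30,drlee,change,P1001
2019-08-05T11:20:00,reception1,view,P1002
2019-08-05T22:41:00,reception2,view,P2200
2019-08-05T22:42:10,reception2,download,P2201
2019-08-05T22:42:15,reception2,download,P2202
2019-08-05T22:42:20,reception2,download,P2203
2019-08-06T10:03:00,tempnurse,view,P1003
2019-08-06T14:30:00,drlee,delete,P1004
"""

# Assumed: accounts that should have been disabled when the person left.
DEACTIVATED_USERS = {"tempnurse"}
# Assumed practice opening hours; anything outside is worth a second look.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# Assumed: this many downloads by one user in one day triggers a flag.
DOWNLOAD_THRESHOLD = 3


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into rows with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({**row, "timestamp": datetime.fromisoformat(row["timestamp"])})
    return rows


def review(rows: list[dict]) -> list[tuple]:
    """Return (timestamp, user, reason) findings, oldest first."""
    findings = []
    downloads = defaultdict(int)  # (user, date) -> number of downloads
    for row in rows:
        ts, user, action = row["timestamp"], row["user"], row["action"]
        if user in DEACTIVATED_USERS:
            findings.append((ts, user, "activity from an account that should be deactivated"))
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append((ts, user, f"{action} outside business hours"))
        if action == "delete":
            findings.append((ts, user, f"deleted record {row['patient_id']}"))
        if action == "download":
            downloads[(user, ts.date())] += 1
    for (user, day), count in downloads.items():
        if count >= DOWNLOAD_THRESHOLD:
            findings.append((datetime.combine(day, time()), user,
                             f"{count} downloads in one day"))
    return sorted(findings)


def findings_by_user(findings: list[tuple]) -> dict[str, int]:
    """Count findings per user so the lead can see who needs follow-up."""
    counts = defaultdict(int)
    for _, user, _ in findings:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, user, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<12} {reason}")
```

The findings themselves are not proof of wrongdoing (a doctor may legitimately work late); the point is that the review produces a short, named list the information security lead can follow up and retain alongside the raw log.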

Relevant indicator

C6.4 C Our practice’s clinical software is accessible only via unique individual passwords that give access to information according to the person’s level of authorisation.

You must maintain a privacy policy, and the security of the clinical software passwords of each individual practice team member.

Create a policy

Your practice should develop a policy specifying who has administration rights and access to specific systems. Access to systems should be consistent with the responsibilities outlined in the position description of your practice team members.

Your policy should cover:

  • password security to ensure passwords are not written down and placed near practice monitors
  • how often passwords are changed – the longer the same password is used, the greater the risk it will become known and used inappropriately
  • who in the practice team has the authority to reset or disable user passwords
  • restriction of who in the practice team can create and remove users on each practice information system
  • a process for recording different access levels and software access for your practice team members
  • an established password structure (numbers, characters and symbols)
  • each practice team member creating their own password and being responsible for keeping these secure
  • not using a shared common password
  • the need for passwords to be changed immediately if they have been or are suspected to have been compromised
  • the implications when practice team members terminate their employment. Ensure these accounts are deactivated, remote access disabled, and computer equipment, backup media and any access devices (such as keys or entry swipe cards) as well as practice name badges are returned.

Tips for software password settings

Most software will allow password requirements to be set up so all users can create safe and secure individual passwords. Software can be configured to require:

  • default user account passwords to be changed on first login to the system
  • a minimum password length (ie number of characters)
  • a mixture of alphabetic (lower and upper case) and numeric characters, and symbols
  • that passwords do not use familiar and family names or words that can be found in a dictionary
  • that passwords expire, to enforce periodic changes
  • that dates of birth are not used
  • that passwords are not reused
  • a two-factor authentication method (a combination of two types of authentication) if appropriate for your practice
  • a decision on how automatic password saving is addressed in browsers and whether this is disabled across the practice network.
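As an added example (not code from the RACGP page or from any practice software), the checker below shows what most of the settings in that list amount to when a system enforces them: minimum length, a mix of character classes, rejection of default account passwords, dictionary words, familiar names and date-of-birth-like patterns, and a per-user history that blocks reuse. The word lists, default passwords, history depth and the date-of-birth patterns are assumptions chosen for illustration; a real deployment would load the practice's own lists and a proper dictionary.

```python
"""Password-policy checker (added example, assumptions marked below)."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample lists standing in for the practice's real configuration.
DICTIONARY_WORDS = {"password", "welcome", "clinic", "doctor", "medical"}
FAMILIAR_NAMES = {"mandy", "melbourne"}       # practice, family and staff names
DEFAULT_PASSWORDS = {"changeme", "password1"}  # vendor/default account passwords

# Assumed patterns that look like a date of birth: 15061980, 1980-06-15, 15/06/80 ...
DOB_PATTERNS = [
    re.compile(r"(0[1-9]|[12]\d|3[01])[/-]?(0[1-9]|1[0-2])[/-]?(19|20)?\d\d"),
    re.compile(r"(19|20)\d\d[/-]?(0[1-9]|1[0-2])[/-]?(0[1-9]|[12]\d|3[01])"),
]


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    history_size: int = 5  # previous password hashes kept per user (assumed)
    # Per-user history of salted hashes; the plaintext is never stored.
    history: dict[str, list[str]] = field(default_factory=dict)

    @staticmethod
    def _hash(username: str, password: str) -> str:
        # Salting with the username keeps identical passwords for two users
        # from producing the same history entry.
        return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

    def check(self, username: str, password: str) -> list[str]:
        """Return the list of policy violations; an empty list means acceptable."""
        problems = []
        lowered = password.lower()
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_lower and not re.search(r"[a-z]", password):
            problems.append("no lower-case letter")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no upper-case letter")
        if self.require_digit and not re.search(r"\d", password):
            problems.append("no digit")
        if self.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no symbol")
        if lowered in DEFAULT_PASSWORDS:
            problems.append("is a default account password and must be changed")
        if any(word in lowered for word in DICTIONARY_WORDS | FAMILIAR_NAMES):
            problems.append("contains a dictionary word or familiar name")
        if any(p.search(password) for p in DOB_PATTERNS):
            problems.append("contains a date-of-birth-like pattern")
        if self._hash(username, password) in self.history.get(username, []):
            problems.append("reuses a previous password")
        return problems

    def accept(self, username: str, password: str) -> bool:
        """Apply the policy; on success record the hash so it cannot be reused."""
        if self.check(username, password):
            return False
        hist = self.history.setdefault(username, [])
        hist.append(self._hash(username, password))
        del hist[:-self.history_size]  # keep only the most recent entries
        return True


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("password1", "Tr0ub4dor&3xample!", "Nurse!1980-06-15Xq"):
        print(candidate, "->", policy.check("jsmith", candidate) or "ok")
```

The date-of-birth check is deliberately loose and can flag an innocent run of digits; in a real system that is an acceptable trade-off because the user simply picks another password, whereas a missed date of birth is one of the first guesses an attacker makes. Two-factor authentication and browser password saving are not things a checker like this can enforce; they are settings in the authentication system and browsers respectively.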


Related documents

  RACGP-policy-template.DOCX (DOCX 0.02 MB)