In Australian general practice, the use of clinical desktop systems and the electronic management of information have become vital tools in the delivery of safe and high-quality healthcare and good practice management. Secure computer and information management systems are essential for the necessary protection of business and clinical information and are therefore critical to the provision of safe, high-quality healthcare and the efficient running of a general practice.
Implementing appropriate computer and information security can be challenging and general practice has specific requirements to consider. Finding the right IT support and a technical service provider with appropriate security expertise who understands the business of delivering healthcare in the general practice environment can be difficult. To help general practices meet these challenges, the RACGP developed the first edition of the Computer and information security standards in 2011.
This second edition of the RACGP Computer and information security standards (CISS) takes into account developments such as:
- increased use of laptops, remote access devices (e.g. personal digital assistants [PDA], tablet devices, USB flash drives and removable hard drives) and wireless (Wi-Fi) connections
- widespread uptake of broadband internet and secure messaging, and particularly the implementation of the national eHealth record system and the Healthcare Identifier Service, which underpin many of the e-health initiatives.
Improving computer and information security in your practice requires adapting to an evolving technical environment, fostering awareness of contemporary security issues, and monitoring and improving your security protection processes.
Computer and information security is not optional; it is essential. It should be considered a fixed cost of doing business that requires financial and human resources to be allocated to ensure the protection of information assets.
The purpose of the CISS
This second edition of CISS incorporates changes to Australian legislation and the Office of the Australian Information Commissioner directives, including legislative requirements for a national eHealth record system (the personally controlled electronic health record [PCEHR] system).
The Standards are designed to assist general practices and other office-based healthcare organisations to meet their professional and legal obligations in computer and information security.
Information security obligations
Computer and information security is not optional: it is an essential professional and legal requirement for using computer systems in the delivery of healthcare.
The Standards address the legal and professional obligations in computer and information security in core areas.
Information management processes
Managing the use and ongoing availability of information requires fundamental information security processes, such as:
- backup procedures that are documented and tested: it is important to ensure that the backup system functions correctly and that data can be restored promptly if there is an incident such as a server failure
- business continuity and information recovery planning: documented business continuity plans that include information recovery procedures are essential to maintaining information availability so that in the event of an ‘information disaster’ there is an adequately planned response, and potential loss or corruption of information is minimised. These plans detail how to maintain the critical functions of the business when there is an unexpected system event
- access control and management: control of who has access to business and clinical information is essential to the protection of all practice data. Access management (password and/or biometrics) ensures accountability; without this it can be difficult to ascertain who has entered or altered data. Without these controls the practice is vulnerable to unauthorised information access.
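The first item above asks that backups be documented and tested so that data can be restored promptly after an incident such as a server failure. The script below, an added illustration that is not part of CISS or any RACGP material, shows what such a restore test looks like in practice: it backs up a small constructed "practice data" tree, records a SHA-256 manifest with the backup, restores the backup into a fresh directory and reports any file that is missing, altered or unexpected. The file names and contents are constructed for the example; the point is that a backup is only verified once a restore has been performed and checked against a known-good manifest, not merely because the backup job reported success.

```python
"""Backup restore test (illustrative example; not RACGP or CISS code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree into backup_dir/data and store a manifest beside it."""
    dest = backup_dir / "data"
    shutil.copytree(source, dest)
    manifest = build_manifest(dest)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def verify_restore(backup_dir: Path, restore_dir: Path) -> list[str]:
    """Restore the backup into restore_dir and compare it with the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    """
    expected = json.loads((backup_dir / "manifest.json").read_text())
    shutil.copytree(backup_dir / "data", restore_dir, dirs_exist_ok=True)
    actual = build_manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupted: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def demo(corrupt: bool = False) -> list[str]:
    """Run a full backup-and-restore test on a constructed sample data tree.

    With corrupt=True one file inside the backup copy is damaged before the
    restore, simulating a failed backup medium, so the test should report it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        src = tmp_path / "practice_data"            # constructed sample tree
        (src / "clinical").mkdir(parents=True)
        (src / "clinical" / "records.db").write_bytes(b"constructed sample clinical database\n")
        (src / "appointments.csv").write_text("constructed,sample,appointments\n")
        backup = take_backup(src, tmp_path / "backup")
        if corrupt:
            (backup / "data" / "clinical" / "records.db").write_bytes(b"truncated")
        return verify_restore(backup, tmp_path / "restore")


if __name__ == "__main__":
    print("healthy backup:", demo() or "restore OK")
    print("damaged backup:", demo(corrupt=True))
```

Running the script performs two restore tests: the healthy backup restores cleanly, while the deliberately damaged one is reported as `corrupted: clinical/records.db`. A practice would schedule this kind of test against its real backup media and record the result as part of the documented backup procedure.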
It is important to understand the security risks and threats to business and clinical information. This includes establishing effective information security practices by identifying gaps in security and implementing strategies to reduce security risks. Ensuring the security of information held in practice systems is essential to the running of a general practice, to maintaining professional responsibilities to patients, and to ensuring that practice information is accurate and available when it is needed.
Governance implies accountability, responsibility, monitoring and reporting to demonstrate legal and ethical compliance with sound information security and to ensure that all computer and information security processes are documented and followed. To enable this, responsibility should be allocated to one or more staff in the practice. Staff who are allocated this responsibility should coordinate security-related activities and assist in identifying the need for external technical service providers and when it is appropriate to engage their services. Computer and information security requires regular attention at a practice level and the practice team needs to be aware of its responsibility in protecting practice information.
To contribute to good practice governance, practice principals/owners should be able to answer the following questions:
- What are the legal and professional requirements for the protection of the information for which the practice is custodian?
- What capabilities does the practice have in terms of security knowledge and expertise?
- Who makes the decisions about the security protections to be put in place?
- What processes are in place to assist in decision-making regarding the use of the information for purposes other than what it was collected for, for example providing health information to external organisations for research or population planning (secondary use)?
Developing a security culture
It is beneficial to promote a security culture within the practice. This includes educating the practice team about the risks to the practice information systems and the maintenance of practice policies that direct staff in their management of security risks.
Format of CISS
There are three components to CISS:
- Compliance checklist
This checklist is designed to help practices determine whether the practice has established and maintained reasonable computer and information security measures to protect the security of clinical and business information on an ongoing basis.
- Twelve computer and information security standards
For each Standard there is:
- a user-friendly compliance indicator matrix
- explanatory notes for each compliance indicator. The explanatory notes are designed to explain each Standard and the actions required to minimise potential risks to computer and information systems.
- Templates
The accompanying templates consist of sample tables and forms to assist practices to develop and record their own policies and procedures for computer and information security.
CISS describes professional and legal obligations for computer and information security and details policies and procedures designed to help general practices protect their computer and information systems.
These Standards have been developed in accordance with recognised best practice and are aligned with the requirements of international and Australian standards, current Australian legislation and legislative instruments, the National Privacy Principles and national standards in health information security (see Appendix A).
The computer and information security requirements that relate to the Healthcare Identifier Service and participation in the national eHealth record system have been included in this edition of CISS.
Out of scope
The Standards do not cover separate issues such as patient access to their own health information, patient identification (personal identification and validation of the Individual Healthcare Identifier), or the content of patient health records.
The Standards also do not cover all the necessary technical aspects of computer and information security. It is generally assumed practices will engage expert technical advice and support to establish and maintain computer and information security on a day-to-day basis.
The Standards are not designed to impose new professional obligations over and above recognised best practice.
Compliance with Australian legislation
The Standards are aligned with relevant legislation including the following.
Privacy Act and National Privacy Principles
The Privacy Act 1988 (Cwlth) and National Privacy Principles stipulate that reasonable steps must be taken to protect and secure personal information, which includes personal health information. Reasonable steps are explained further by the Office of the Australian Information Commissioner (OAIC). When investigating compliance, the OAIC considers the reasonable steps that were taken to protect the information, and whether those steps were reasonable in the circumstances, including the processes followed if a privacy breach occurred.
Reasonableness is considered in relation to the organisational context and the context in which the information is collected and used. Health information is regarded as sensitive information by the OAIC and there is an expectation that such information will be given a higher level of protection than non-sensitive information. See the OAIC website (www.oaic.gov.au).
The Standards are designed to help practices meet the OAIC's definition of reasonable steps.
Healthcare Identifiers Act and Personally Controlled Electronic Health Records Act
To participate in the Australian national eHealth record system (also known as the PCEHR system), practices must comply with the Healthcare Identifiers Act 2010 (Cwlth), the Personally Controlled Electronic Health Records Act 2012 (Cwlth) and the PCEHR Rules 2012. The PCEHR system Participation Agreement that practices must agree to prior to using the eHealth record system is derived from this legislation and consequently incorporates compliance with these Acts. There are many requirements of a participating healthcare organisation pursuant to the PCEHR system legislation and the related Participation Agreement.
The Standards are designed to help practices meet the requirements of the national eHealth record system (further detail is in Appendix B).
The terminology used in CISS is designed to enhance the clarity of the text.
- Availability of information: Information is available and accessible to authorised individuals when it is needed.
- Confidentiality: The non-disclosure of information except to another authorised person, or the act of keeping information secure.
- Health information: All health information and health data about a patient that is collected during a consultation with a health professional.
- Integrity of information: Maintaining the accuracy and consistency of information, which requires that only authorised people can modify the information.
- Organisation: Any healthcare organisation operating in the Australian primary healthcare sector.
- Practice team: All members of a general practice, including clinicians and non-clinicians working in the Australian primary healthcare sector whether as a solo practitioner, a member of a single discipline practice team or a member of a multidisciplinary practice team.
- Privacy: A person’s privacy is maintained by control over what and how information is disclosed.
Implementation and review
This edition of CISS was published in June 2013 and will be reviewed by the RACGP from time to time in consultation with key stakeholders.