
Compliance checklist for computer and information security

This compliance checklist is designed to help general practices assess, achieve and sustain compliance with the 12 Standards that comprise good practice in computer and information security. This checklist is a guide only and does not describe the complete list of security activities that should be undertaken.

If you are unsure whether your practice complies with a particular Standard then you should tick ‘no’ and focus on relevant risk mitigation activity until you are sure.

Each Standard is listed with its compliance indicator (the question to answer) and the activities that compliance will include. Tick Yes or No for each.

Standard 1: Roles and responsibilities
Do you have designated practice team members for championing and managing computer and information security, and do these practice team members have such roles and responsibilities documented in their position descriptions?
This will include a written policy that is communicated to practice team members, the assignment and training of a Computer Security Coordinator, the assignment and training of the Responsible Officer and Organisation Maintenance Officer, and the national eHealth record system training where applicable.
Yes [ ]  No [ ]

Standard 2: Risk assessment
Have you undertaken a structured risk assessment of information security and identified improvements as required?
This will include recording assets in the practice, a threat analysis, a reporting schedule and data breach recording procedures.
Yes [ ]  No [ ]

Standard 3: Information security policies and procedures
Do you have documented policies and procedures for managing computer and information security?
This will include a policy to cover each Standard. It will also include practice team and external service provider agreements, and where applicable an eHealth records system policy.
Yes [ ]  No [ ]

Standard 4: Managing access
Do you have well-established and monitored authorised access to health information?
This will include a clearly defined and communicated policy that contains direction on access rights, password maintenance, password management, remote access controls, auditing and appropriate software configuration.
Yes [ ]  No [ ]

Standard 5: Business continuity and information recovery
Do you have documented and tested plans for business continuity and information recovery?
This will include tested, practical and implementable business continuity and information recovery plans to ensure business continuation and prompt restoration of clinical and business information systems.
Yes [ ]  No [ ]

Standard 6: Internet and email usage
Do you have processes in place to ensure the safe and proper use of internet and email in accordance with practice policies and procedures for managing information security?
This will include details of configuration and usage of the internet and email, together with practice team education in good internet and email use practices.
Yes [ ]  No [ ]

Standard 7: Information backup
Do you have a reliable information backup system to support timely access to business and clinical information?
This will include documented procedures for the systems to be backed up and how often (backup type and frequency, use of encryption, reliability and restoration checking, media type and rotation, where the backup is stored and who has access to it). It should also include access to data from any previous practice information (legacy) systems.
Yes [ ]  No [ ]

Standard 8: Malware, viruses and email threats
Do you have reliable protection against malware and viruses?
This will include automatic updating of the virus protection software, and educating the practice team to be aware of the risks of exposing the practice information systems to malware and virus attack.
Yes [ ]  No [ ]

Standard 9: Computer network perimeter controls
Do you have reliable computer network perimeter controls?
This will include ensuring the firewall is correctly configured and that the log files are examined periodically; this also applies to intrusion detection systems. Wireless networks need to be appropriately configured, and content filtering and perimeter testing should be considered.
Yes [ ]  No [ ]

Standard 10: Mobile electronic devices
Do you have processes in place to ensure the safe and proper use of mobile electronic devices in accordance with practice policies and procedures for managing information security?
This will include the defined use and secure management of practice-owned and personal mobile devices that are used for business or clinical purposes.
Yes [ ]  No [ ]

Standard 11: Physical facilities and computer hardware, software and operating system
Do you manage and maintain the physical facilities and computer hardware, software and operating system with a view to protecting information security?
This will include the physical protection of equipment and the use of an uninterruptible power supply (UPS). A secure disposal process should be established and appropriate system and software maintenance undertaken.
Yes [ ]  No [ ]

Standard 12: Security for information sharing
Do you have reliable systems for the secure electronic sharing of confidential information?
This will include the appropriate configuration of secure messaging, digital certificate management and the practice website.
Yes [ ]  No [ ]