
Practice standards

Computer and information security standards

Standard 1: Roles and responsibilities

Our practice has designated practice team members for championing and managing computer and information security, and these practice team members have their roles and responsibilities documented in their position descriptions.

Compliance indicators

The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 1.

It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.

The compliance indicators at level 3 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.

Helpful templates for this Standard

Templates 1.1–1.4 will assist in achieving compliance. Completion of these templates will ensure you have fully documented the requirements of this Standard.

Roles and responsibilities compliance indicators

Maturity levels: Level 1 Initial; Level 2 Repeatable; Level 3 Defined (Minimum); Level 4 Managed; Level 5 Optimised

1.1 Policy content
  • Level 1: No formal policy
  • Level 2: No complete written policy
  • Level 3: Complete written policy
  • Level 4: Complete written policy, periodically reviewed
  • Level 5: Complete written policy, reviewed annually

1.2 Policy communication
  • Level 1: Policy not communicated to the practice team
  • Level 2: Policy communicated verbally to the practice team
  • Level 3: Policy communicated in written format to relevant practice team members
  • Level 4: Policy communicated in written format, training provided and all practice team members have access to the policy
  • Level 5: Policy available in written format to relevant practice team members; regular training for the practice team and communication strategy reviewed against policy; all practice team aware of the content and implications of the policy

1.3 Computer Security Coordinator
  • Level 1: Role not assigned
  • Level 2: Role assigned by default to the practice manager
  • Level 3: Role assigned to a practice team member and training provided
  • Level 4: Role assigned to a practice team member and training provided, with ad hoc reporting to practice management
  • Level 5: Role assigned to a practice team member with ongoing training provided and periodic activity reports provided to practice management; role duties and responsibilities reviewed annually

1.4 Responsible Officer / Organisation Maintenance Officer
  • Level 1: Role(s) not assigned
  • Level 2: Role assigned by default to practice manager
  • Level 3: Role assigned to a practice team member and training provided
  • Level 4: Role assigned to a practice team member and training provided, with ad hoc reporting to practice management
  • Level 5: Role assigned to a practice team member with ongoing training provided and periodic activity reports provided to practice management; role duties and responsibilities reviewed annually

1.5 Tasks and roles
  • Level 1: Tasks and roles verbally defined only
  • Level 2: Ad hoc allocation of roles dependent on availability and capability of practice team members
  • Level 3: Roles and responsibilities documented in a team member’s position description
  • Level 4: Tasks and roles allocated to a practice team member and defined and documented in the position description; training completed
  • Level 5: Practice team members trained in specific roles and responsibilities; all practice team members aware of who is responsible for tasks; ongoing training for all roles and responsibilities assigned

1.6 National eHealth record system (PCEHR) training
  • Level 1: None provided
  • Level 2: At induction only
  • Level 3: Ad hoc training as required
  • Level 4: All practice team provided formal and ongoing training
  • Level 5: All practice team scheduled for regular updates and training; policy annually reviewed; regular review of compliance by practice team

Adapted and reproduced with permission from Dr Patricia Williams

1.1  Policy content

The practice policy needs to include information about the specific roles and responsibilities of practice team members. A practice Computer Security Coordinator should be appointed and their role defined and acknowledged by the practice team. The responsibilities of all practice team members with regard to computer and information security should also be defined. This will provide the basis for determining the level of access to information systems. The practice Computer Security Coordinator, who might be the general IT coordinator as well, should help ensure that all practice team members are aware of the principles of computer security and are provided with appropriate training for their responsibilities.

1.2  Policy communication

The practice policy should be in written format and communicated to all relevant practice team members.

1.3  Computer Security Coordinator

The role of the practice Computer Security Coordinator will vary depending on the IT skills of the practice team and the availability of technical support. In most instances, the practice IT coordinator will also be responsible for computer and information security, and in many practices the roles will be shared by at least two people.

This section only specifies the role of the Computer Security Coordinator. The roles of the Responsible Officer and Organisation Maintenance Officer are outside the scope of this document.

Role description

The Computer Security Coordinator will need the skills required to undertake the responsibilities listed below, or be able to liaise with appropriately skilled external providers. The role requires time dedicated to undertake the responsibilities and to ensure familiarity with the current and emerging e-health environment. The coordinator does not need to have advanced technical knowledge, although they should be reasonably comfortable with the computer operating systems (e.g. Windows) and relevant application software. They require adequate management skills to be able to develop computer security policies that are understood by the practice team, with input from technical staff when required. The role incorporates raising awareness of information security governance among the whole practice team.

The practice Computer Security Coordinator draws together the computer and information security issues that confront the practice – this is a leadership role. The coordinator manages the training and is responsible for maintaining practice team members’ knowledge of computer and information security principles and practice security policy and procedures. The role also includes managing the risk assessment, creation and policy review, and the security management and reporting functions. The practice Computer Security Coordinator might be one of the doctors, a nurse, a senior receptionist or the practice manager. These tasks can be allocated to more than one person in the practice.

The coordinator’s role is primarily to raise computer security awareness rather than to be a technical ‘fix-it’ person. The coordinator should help foster a security culture and ensure that there is adequate and appropriate training for all of the practice team. The coordinator also needs to understand that while many aspects of computer and information security are outsourced to technical service providers, including the use of cloud services, certain responsibilities and tasks need to be carried out by the practice team (e.g. checking the backup procedure). While many practices now outsource aspects of computer maintenance to technical service providers, a practice Computer Security Coordinator needs to be aware of what needs to be done, even though they may not have the technical knowledge to do these tasks themselves. A generic role description for the Computer Security Coordinator is given in Section 1.5.

1.4  Responsible Officer and Organisation Maintenance Officer

In the national eHealth record system there are two roles designated in relation to computer and information security.

The Responsible Officer, as defined in the Healthcare Identifiers Act 2010 (the HI Act), is registered under the Healthcare Identifiers (HI) Service and has authority to act on behalf of a seed organisation and relevant network organisations in its dealings with the System Operator. For large organisations, the Responsible Officer may be the chief executive officer or chief operations officer, and for small organisations the Responsible Officer may be the business owner.

The Organisation Maintenance Officer, as defined in the HI Act, is also registered under the HI Service and has authority to act on behalf of a network organisation in its dealings with the System Operator. A seed organisation maintenance officer has authority to act on behalf of the seed organisation. A healthcare organisation can have multiple Organisation Maintenance Officers. An Organisation Maintenance Officer is likely to be someone who is familiar with the IT system used by the organisation and, as such, is more likely than the Responsible Officer to be assigned tasks related to computer and information security. This role could be assigned to the practice manager.

Note: the roles of the Responsible Officer and the Organisation Maintenance Officer are different and carry different responsibilities. It is important to understand the specific responsibilities of each role, and it is recommended that these two roles are not performed by the same person.

1.5  Tasks and roles

All of the practice team should be aware of their responsibilities with regard to information security. While the role of the Computer Security Coordinator is well defined, the practice policies should make explicit what role and responsibility each member of the practice must assume in the protection of information. Practice team members’ awareness of their role in information security is vital. This includes access management, recognition of errors or abnormal software behaviour, and susceptibility to social engineering (where someone is tricked into revealing information, e.g. a password, which can then be used to attack systems or networks). A form for recording all practice team members and their allocated computer and information security tasks and responsibilities can be found in Template 1.3.

Examples of delegated tasks are changing backup tapes, logging all users out of the system when the practice closes, and checking that automated tasks scheduled are successful.

Computer Security Coordinator responsibilities

The role of the Computer Security Coordinator could include, but is not limited to, the following responsibilities:

  • oversees the development of documented computer security policies and procedures
  • ensures the existence and testing of the computer business continuity and information recovery plans
  • ensures that all policies and procedures are reviewed at least annually
  • monitors and ensures that practice security policies are being followed, in particular that:
    • practice team members are following password security procedures
    • the routine backup procedures are in place and tested for successful data recovery
    • archived data remain capable of being restored in a timely manner
    • anti-malware software is installed on all computers and is automatically updated
    • the computers, especially all servers, are adequately maintained and can deal with fluctuations in power
    • clear screen and clear desk policies are followed (i.e. screensavers are activated)
  • maintains an up-to-date risk assessment including the IT asset register (hardware, software, licences, manuals and technical support)
  • ensures technical advice is sought and acted upon for the installation of protection systems such as intrusion detection and firewalls
  • ensures that information transferred electronically is secure (e.g. uses secure message delivery)
  • arranges ongoing security awareness training for practice team
  • ensures the practice management is aware of any outstanding security issues and regularly reports on security in practice management meetings.

1.6 National eHealth record system training

To meet the requirements of the PCEHR legislation, practice team members accessing the PCEHR system should be trained and educated in security awareness, as defined by the PCEHR system Participation Agreement.

The Royal Australian College of General Practitioners Ltd