Your browser has 'Cookies' disabled, alert boxes will continue to appear without this feature.

Planned maintenance activity on Wednesday 18 July from 8pm to 10pm AEST may impact performance of the RACGP website.

Practice standards

Computer and information security standards

Standard 10: Mobile electronic devices

Our practice has processes in place to ensure the safe and proper use of mobile electronic devices in accordance with practice policies and procedures for managing information security

Compliance indicators

The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 10.

It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.

The compliance indicators at level 4 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.

Mobile electronic devices compliance indicatorsLevel 1 InitialLevel 2 RepeatableLevel 3 DefinedMinimumLevel 5 Optimised
Level 4 Managed
10.1 Policy content No formal policy No complete written policy Complete written policy Complete written policy,  periodically reviewed Complete written policy, reviewed annually
10.2 Policy communication Policy not communicated to the practice team Policy communicated verbally to the practice team Policy communicated in written format to relevant practice team members Policy communicated in written format, training provided and all practice team members have access to the policy Policy available in written format to relevant practice team members
Regular training for the practice team and communication strategy reviewed against policy
All practice team aware of the content and implications of the policy
10.3 Data transfer only devices Unsecured or security unknown Password protected but not encrypted Ad hoc encryption Where possible health data encrypted, password protected and stored securely All USB and transfer data media encrypted
Devices tracked and use monitored
10.4 Practice and personally owned mobile devices Unsecured or security unknown Password protected but not encrypted Ad hoc encryption Where possible health data encrypted, password protected and stored securely All health data encrypted on device
Devices password protected, tracked and monitored
Adapted and reproduced with permission from Dr Patricia Williams

Helpful templates for this Standard

Template 10.1 will assist in achieving compliance. Completion of this template will ensure you have fully documented the requirements of this Standard.

Explanatory notes

It is not enough to consider computer and information security only for the fixed hardware. Mobile devices are increasingly being used inside and outside practices for the provision of healthcare and the running of the business. Remote access via wireless (Wi-Fi) connections and web-based access via internet connections make it easier to log on to the practice systems. In addition, the portability and small size of devices such as USBs mean that copying information is easier, whether for legitimate or unauthorised purposes. All portable devices should be password protected, encrypted and stored securely where possible.

Mobile devices include any device used to contain information or enable access to sensitive information. Examples may include but are not limited to laptop computers, tablet devices, notebook PCs, USB flash drives, removable hard drives, mobile phones (particularly ‘smart phones’), personal digital assistants (PDA), and backup media such as drives, tapes and discs. Examples may also include portable electronic clinical equipment such as ABI (arterial brachial index monitor), spirometer, 24-hour BP and ECG monitoring devices. All of these devices present a higher risk of being lost, stolen or left unsecure, which increases the risk of data inadvertently ending up with unauthorised people. Computer and information security measures need to be broadened to include all mobile devices.

10.1  Policy content

This policy details the permitted use of portable devices. It also provides guidance on the many considerations in installing and using wireless network access. Further, it should detail how and who can have remote access to practice systems (e.g. accessing practice information systems from home). This may include third party providers and access to practice systems via web-based portals.

The practice policy should include what devices are authorised to be used in the practice and how these devices are managed. The policy must direct the practice team on the use of privately owned mobile devices.

10.2  Policy communication

The policy should be in written format and communicated to relevant practice team members.

10.3  Data transfer only devices

This includes devices such as USB devices. The security around memory sticks and USBs is typically lax, due to the ease of use and small size of the devices. However, they can store a large amount of information and are often not used with security in mind. Therefore, their use should be strictly controlled within the healthcare setting. Even the ad hoc transfer of information poses security risks as USBs tend to be left around unsecured and usually are not used in conjunction with protection mechanisms such as encryption.

10.4  Practice and personally owned devices

The devices may be owned by the practice or owned by members of the practice team.

  • Security for all mobile devices can be increased using passwords and encryption.
  • When not in use, these devices should be placed in secure locations.
  • Additionally, it is important to review the security for practice team members’ home computers where GPs and the practice team take electronic files home to work on them after hours and then return them to the clinic’s network. Data needs to be secured (encrypted) on portable devices as they can be easily misplaced or stolen. Care should also be taken for backup media that are taken offsite on a daily basis.
  • Seek technical advice on how the devices can be secured using mobile device management (MDM) or mobile application management (MAM) for personal devices used for clinical purposes.
  • Bulk downloading or transfer of information using portable devices should be strictly controlled and audited. This also incorporates the ‘store and forward’ methods used in telehealth (refer to RACGP Standards for general practices offering video consultations. An addendum to the RACGP Standards for general practices (4th edition).
Advertisement loading...