Practice standards

Computer and information security standards

Standard 11: Physical facilities and computer hardware, software and operating system

Our practice manages and maintains our physical facilities and computer hardware, software and operating system with a view to protecting information security

Compliance indicators

The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 11.

It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.

The compliance indicators at level 4 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.

Physical facilities, hardware, software and operating system compliance indicators (Level 4 Managed is the minimum)

11.1 Policy content:
  • Level 1 Initial: No formal policy
  • Level 2 Repeatable: No complete written policy
  • Level 3 Defined: Complete written policy
  • Level 4 Managed (minimum): Complete written policy, periodically reviewed
  • Level 5 Optimised: Complete written policy, reviewed annually

11.2 Policy communication:
  • Level 1 Initial: Policy not communicated to the practice team
  • Level 2 Repeatable: Policy communicated verbally to the practice team
  • Level 3 Defined: Policy communicated in written format to relevant practice team members
  • Level 4 Managed (minimum): Policy communicated in written format, training provided and all practice team members have access to the policy
  • Level 5 Optimised: Policy available in written format to relevant practice team members; Regular training for the practice team and communication strategy reviewed against policy; All practice team aware of the content and implications of the policy

11.3 Physical protection:
  • Level 1 Initial: No access control to physical location of equipment
  • Level 2 Repeatable: Access to practice team members only
  • Level 3 Defined: Physical restriction to servers
  • Level 4 Managed (minimum): Physical restriction to servers; Environmental conditions controlled
  • Level 5 Optimised: Physical restriction to servers; Environmental conditions controlled; Anti-theft cables fitted; Removal of assets lists kept up to date

11.4 Uninterruptible power supply (UPS):
  • Level 1 Initial: Not used
  • Level 2 Repeatable: Surge protector (power line conditioner) on server
  • Level 3 Defined: UPS on server and monitor
  • Level 4 Managed (minimum): UPS on server and monitor; Surge protectors on all computers and network equipment; Automatic server shutdown initiated by UPS; UPS tested monthly
  • Level 5 Optimised: UPS on server and monitor; Surge protectors on all computers and network equipment

11.5 Secure disposal:
  • Level 1 Initial: Unknown
  • Level 2 Repeatable: Ad hoc and no formal process
  • Level 3 Defined: Ad hoc but hard drives reformatted
  • Level 4 Managed (minimum): Secure disposal process established
  • Level 5 Optimised: Secure disposal process monitored

11.6 Confidentiality:
  • Level 1 Initial: No screen savers
  • Level 2 Repeatable: Clear desk policy followed
  • Level 3 Defined: Clear desk policy followed; Screen savers used
  • Level 4 Managed (minimum): Clear desk policy followed; Screen savers used with reactivation using password
  • Level 5 Optimised: Clear desk policy followed; Screen savers used with reactivation using password; System auto logoff activated

11.7 System maintenance:
  • Level 1 Initial: No maintenance undertaken
  • Level 2 Repeatable: Maintenance activities undertaken invoked by incident
  • Level 3 Defined: Ad hoc: temporary files deleted, hard disk capacity checked, status of anti-virus software checked
  • Level 4 Managed (minimum): Periodic maintenance activities undertaken including temporary files deleted, hard disk capacity checked, status of anti-virus software checked
  • Level 5 Optimised: Scheduled regular maintenance undertaken including temporary files deleted, hard disk capacity checked, status of anti-virus software checked and disk defragmentation, checking of error logs, system maintenance log kept

11.8 Software maintenance:
  • Level 1 Initial: No maintenance undertaken
  • Level 2 Repeatable: Maintenance activities undertaken invoked by incident
  • Level 3 Defined: Operating system patches applied to all computers manually; Software upgrades applied when enforced by software provider
  • Level 4 Managed (minimum): Operating system patches applied to all computers automatically; Software upgrades applied when convenient
  • Level 5 Optimised: Operating system patches applied to all computers automatically; Software upgrades applied as soon as available; Checking for installation of unauthorised programs; Software maintenance log kept

Adapted and reproduced with permission from Dr Patricia Williams

Helpful templates for this Standard

Templates 11.1–11.6 will assist in achieving compliance. Completion of these templates will ensure you have fully documented the requirements of this Standard.

Explanatory notes

Preventive strategies are required to keep the computer system running properly. It is best to have an arrangement with a technical service provider that includes proactive routine network maintenance; do not treat their role as limited to providing reactive emergency treatment when problems arise. There are certain maintenance procedures which, if performed regularly, will ensure that computers and other equipment run smoothly. The practice policy and procedures for these can be addressed as three separate areas:

  • physical protection and maintenance
  • system maintenance (e.g. the amount of free space on a hard disk)
  • software maintenance (e.g. updates and patching).

In addition to protecting information, you must also protect the computer systems physically. There are several components to this policy and associated procedures:

  • label ‘server’ so that all practice team members are aware which computer is the server
  • clean around the back of computers and other equipment so that dust does not accumulate near the fans and power supplies
  • restrict physical access to the server
  • secure all equipment from theft
  • control the environmental conditions (e.g. extreme heat)
  • limit damage from power interruptions and/or fluctuations
  • ensure the secure disposal of hardware, in particular where it may contain clinical and/or business information.

11.1 Policy content

This policy will communicate to all practice team members the practice policy on the use of screensavers and other precautions such as the positioning of monitors to prevent unauthorised viewing of patient medical records and other confidential information. This policy will also detail restrictions of physical access, for instance to the server, and how to secure equipment from theft and damage by power interruptions. In addition, it will detail the safe disposal of hardware and practice information. It should also document the routine computer maintenance that is required, including hard disk ‘clean-ups’ (e.g. by a defragmentation utility program), and the software maintenance procedures.

The policy should also include how to minimise and prevent unauthorised and accidental viewing of patient and practice information. This policy can include:

  • the physical positioning of monitors in open access areas, consulting rooms and reception
  • appropriate use of screensavers
  • clear screen policy
  • clear desk policy
  • the requirement to remove documents from printers and faxes immediately.

The practice policy and procedures should document the disposal of old, decommissioned and replaced hardware, particularly devices with any data on them. This could include:

  • securely deleting all data on a device or media. Reformatting the media is not sufficient as forensic techniques can still access data on the device and media
  • disposing of equipment through appropriate destruction.

11.2 Policy communication

The policy should be in written format and communicated to relevant practice team members.

11.3 Physical protection

Location

Physical security is the first level of defence. It provides protection from theft and unauthorised access. The physical location of the server is important, for instance locking it in a safe place or using antitheft steel cables. Password access to the server should be limited to key members of the practice team. Desktop and laptop computers and other portable devices should always be kept physically secured. Locking away software, disks and backup media limits physical access.

The practice computers and network are valuable and therefore limiting unauthorised personnel access to this equipment is recommended. The practice policy will document which personnel have authorisation to access such equipment.

Heat, dust and humidity

Environmental protection includes positioning computers, backup media and other components of the network where they are not subjected to excessive heat (e.g. away from direct sunlight). All computers should be kept reasonably dust free, particularly over intakes for the cooling fans. To minimise the possibility of equipment failure, the server room temperature should be regularly monitored with consideration given to installing dedicated air conditioning if required.

Some buildings switch air-conditioning off at night to save power; however, if the server is still running it might overheat.

Securing equipment from theft

All removable computer equipment should be secured from theft or damage.

This is particularly important where equipment is in areas that are frequented by patients and visitors to the practice. This policy should include items such as:

  • use cable device locks for notebook and desktop computers and monitors and other mobile devices when in use in the practice
  • lock laptops and similar equipment away at night if left on the premises
  • do not leave USBs and software media in an unsecured environment.

11.4 Uninterruptible power supply (UPS)

Power outages and fluctuations can happen at any time. An uninterruptible power supply (UPS) is a device that contains commercial batteries that provide power to enable computers (especially servers) to shut down normally when the main electricity is lost. This is important so data being processed is not lost or corrupted while the blackout occurs.

A UPS also helps with power surges that can cause hardware damage. The batteries in most units only provide power for an average of 10–30 minutes. In a prolonged blackout, the UPS should automatically shut the server down in an orderly manner to prevent data corruption or loss – it is not designed to run practice systems. This requires installation of the dedicated UPS monitoring software and a connection from the UPS to the server (ethernet or USB).

The management of prolonged blackouts requires the installation of a generator; however, this purchase will require careful consideration.

A UPS should be installed on the main server and other essential devices, such as routers, switches and IP phones. Simple surge protectors may be sufficient on other workstations in the practice. The network itself, including other devices attached to it such as modems, also needs to be protected from power fluctuations that can cause data loss and hardware failure.

The controlled shutdown procedure should be documented. Refer to the Templates, Standard 11 to record this procedure and details of the power protections installed in the practice. To ensure that the batteries in the UPS are checked appropriately, apply a sticker noting the battery life and when the batteries are to be replaced, or preferably record this in the templates register.

11.5 Secure disposal

Appropriate and secure disposal of old or decommissioned computer equipment, and importantly any data storage media especially hard disks, is vital. Password protection and/or encryption are not sufficient when disposing of old equipment. Disks and backup media should be securely erased (overwritten), disposed of using a secure document collection company or physically destroyed. There are many commercially available products capable of secure erasure. Seek advice from your technical service provider.

Recording removal of assets from the practice premises

To reduce the potential loss or theft of equipment and assets, all removals from the practice premises should be formally recorded. This will include recording the date out, date in and location when offsite. Template 11.3 provides a form for this.

11.6 Confidentiality

Clear screen – computer screen confidentiality

This Standard is not specifically about privacy principles, although keeping information on the computer screen confidential is an instance in which a ‘privacy’ matter overlaps with information security. Information security in the consulting room is more about clinical practice team member behaviour than technical matters. For example, some healthcare professionals like their computer screens to be clearly visible to their patients during consultations. However, it is important to be vigilant about inappropriately exposing information to a third party; for example, it might not be acceptable for a parent to see the past history of their adolescent child. More importantly, patients should not be able to view the clinical record of another person (e.g. the patient previously consulted). Similarly, receptionists need to be careful that patients do not have inappropriate visual access to any information on computer screens at the front desk.

There are various methods by which the information can be kept private. For example, remember to exit the previous patient’s electronic file before the next patient enters the consulting room. Screen positioning can also help keep information private, including computers used by reception staff at the front desk. Other options worth considering are:

  • the use of ‘clear screen’ function keys, which instantly close down an open file or switch off the monitor
  • the use of password protected screensavers. These can be set so that you have to use your password to log back into your system (suggested default of 15 minutes)
  • log off when leaving terminals or use automatic session time-outs.

Whichever method you consider most appropriate to your circumstances, the important thing is that all practice team members are aware of how they can keep sensitive information from being inadvertently viewed.

Clear desk policy

To avoid accidental and unauthorised viewing of documents, it is recommended to use a clear desk policy. This means that at the end of each day each practice team member clears their desk of all documents, notes and media. In addition, all documents should be removed from printers and fax machines immediately after being copied, sent or received.

11.7 System maintenance

While some preventive system maintenance can be carried out by authorised and trained practice team members, most is usually undertaken by a technical service provider. This will include checking disk capacity (hard disk space), defragmenting the hard disk when necessary, deleting and tidying up system and temporary files, checking error logs, checking that antivirus and other protective software is up to date, checking battery life on the UPS and documenting all maintenance performed and completed on the system. An example of a system maintenance log can be found in Template 11.4. Simple system maintenance can be carried out by authorised and trained practice team members, such as ensuring that areas near and around computer equipment are clean and dust free.

11.8 Software maintenance

Software maintenance means ongoing and regular maintenance work on the computer system software. This can also include monitoring for signs of potential incidents using file integrity checking programs or using an external monitoring service.

  • Patching is vitally important to keep the software up to date, especially your operating system software (e.g. Windows). Patches are program updates essential to rectifying security ‘holes’ in earlier versions.
  • Restrict user access so that users do not have full administrative access. This reduces exposure to malware because it limits the ability of users to install additional applications and programs. This also protects against modification of software configuration settings (such as security settings in web browsers).
  • Limit access to system utilities to those with full administrative access only. Seek advice from a technical service provider in this matter.
  • Check for installation of unauthorised programs.
  • Software configuration: install and maintain software in accordance with the vendor’s guidelines to ensure security is maintained. This may also include ensuring that auditing is turned on to log operating system and application activity as this information can be very useful when an incident occurs.
  • Run file integrity software periodically. This software is sometimes provided by your software vendor to check the integrity of the database and files.
  • Consider the use of an external network and system monitoring service.
  • Keep a software maintenance log.

Unless you have sufficient technical knowledge and skills among the practice team, seek technical advice on how to keep your computer software functioning efficiently.
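
The periodic file integrity check and the check for unauthorised programs listed above both come down to comparing the current state of a folder against a recorded baseline. The following Python is an added example, not RACGP or vendor software; the function names, folder layout and file names are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():  # symbolic links are skipped
            digests[p.relative_to(root).as_posix()] = hash_file(p)
    return digests


def compare(baseline, current):
    """Return added, removed and modified paths, sorted, ready for the maintenance log."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample: a small 'programs' folder that changes between two checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "programs"
        (root / "clinical").mkdir(parents=True)
        (root / "clinical" / "app.exe").write_bytes(b"version 1")
        (root / "clinical" / "settings.ini").write_text("audit=on\n")
        (root / "backup.exe").write_bytes(b"backup tool")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the monitored folder
        baseline_file.write_text(json.dumps(snapshot(root), indent=2))
        # Changes made after the baseline was recorded (constructed for the example).
        (root / "clinical" / "settings.ini").write_text("audit=off\n")
        (root / "toolbar_installer.exe").write_bytes(b"not approved")
        (root / "backup.exe").unlink()
        return compare(json.loads(baseline_file.read_text()), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the baseline, so the baseline file should be stored where ordinary user accounts on the monitored computer cannot change it, and refreshed after each authorised patch or upgrade.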


The Royal Australian College of General Practitioners Ltd
