Practice standards

Computer and information security standards

Standard 6: Internet and email usage

Our practice has processes in place to ensure the safe and proper use of internet and email in accordance with practice policies and procedures for managing information security

Compliance indicators

The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 6.

It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.

The compliance indicators at level 3 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.

Internet and email usage compliance indicators (maturity levels: Level 1 Initial, Level 2 Repeatable, Level 3 Defined, Level 4 Managed, Level 5 Optimised; Level 3 is the minimum)

6.1 Policy content
  • Level 1 Initial: No formal policy
  • Level 2 Repeatable: No complete written policy
  • Level 3 Defined (minimum): Complete written policy
  • Level 4 Managed: Complete written policy, periodically reviewed
  • Level 5 Optimised: Complete written policy, reviewed annually

6.2 Policy communication
  • Level 1 Initial: Policy not communicated to the practice team
  • Level 2 Repeatable: Policy communicated verbally to the practice team
  • Level 3 Defined (minimum): Policy communicated in written format to relevant practice team members
  • Level 4 Managed: Policy communicated in written format, training provided and all practice team members have access to the policy
  • Level 5 Optimised: Policy available in written format to relevant practice team members; regular training for the practice team and communication strategy reviewed against policy; all practice team aware of the content and implications of the policy

6.3 Internet configuration
  • Level 1 Initial: No usage monitoring; open access to all sites or usage configuration unknown
  • Level 2 Repeatable: Monitoring after incidents only; open access to all sites
  • Level 3 Defined (minimum): Reactive monitoring only; monitoring and access control to certain sites and incidents
  • Level 4 Managed: Manual monitoring of usage; regular reporting
  • Level 5 Optimised: Automatic usage monitoring and scheduled reporting and analysis, informing change in policy or prompting reinforcement of policy; whitelisting used

6.4 Internet use education
  • Level 1 Initial: Training at induction only or no training
  • Level 2 Repeatable: Ad hoc training following incidents or policy breaches and at induction
  • Level 3 Defined (minimum): All practice team members trained in good practice and policy
  • Level 4 Managed: All practice team members trained in policy requirements and good practice; training in recognition of spyware
  • Level 5 Optimised: All practice team members receive ongoing education on recognition of insecure practices; record of education time and content; practice team members have signed a conditions of employment document about internet use

6.5 Email configuration
  • Level 1 Initial: No monitoring of email usage; open use of all email accounts (e.g. Hotmail); no limitations on email use or configuration unknown
  • Level 2 Repeatable: Monitoring after incidents only; open use of all email accounts (e.g. Hotmail)
  • Level 3 Defined (minimum): Ad hoc monitoring; reasonable use of email permitted; no confidential information sent via insecure email
  • Level 4 Managed: Manual monitoring of usage; email restricted to practice email only; no confidential information sent via insecure email
  • Level 5 Optimised: Automatic usage monitoring and scheduled reporting and analysis, informing change in policy or prompting reinforcement of policy; Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) used

6.6 Email use education
  • Level 1 Initial: Training at induction only or no training
  • Level 2 Repeatable: Ad hoc training following incidents or policy breaches
  • Level 3 Defined (minimum): All practice team members trained in good practice and policy
  • Level 4 Managed: All practice team members trained in policy requirements and good practice; practice team members can recognise spam and respond appropriately
  • Level 5 Optimised: All practice team members receive ongoing education in policy/processes in practice; practice team members able to detect unsafe email; practice team members have signed a conditions of employment document about email use

Adapted and reproduced with permission from Dr Patricia Williams
Adapted and reproduced with permission from Dr Patricia Williams

Helpful templates for this Standard

There are no additional templates for this section.

Explanatory notes

Many applications (programs) that can be installed are harmful to practice information and computer systems. While a significant amount of trust is placed in practice team members, it would be remiss to disregard the essential security measures that minimise the risks arising from use of computer resources. Use of external applications, software, websites and programs that can transmit information outside the practice poses a considerable security risk. This encompasses the use of both internet and email programs.

As social networking applications such as Facebook and Twitter have risen in popularity, the practice needs to be mindful of the desire of staff to be ‘constantly connected’. Therefore a reasonable-use policy for internet and email should be provided. This will guide practice team members as to what is acceptable in the use of the practice internet and email. Limiting use of internet applications will also assist in defending against software attacks and the subsequent need for support services to fix them.

6.1 Policy content

Developing a practice policy that clearly defines and describes the management and use of internet and email by all practice team members within the practice will assist in mitigating security risks. This policy may also detail the practice policy on access to social networking websites such as Facebook and Twitter. The practice may develop a policy on what constitutes reasonable private use of internet and email by practice team members during office hours.

The practice policy will inform and guide the practice team on how to manage and use the internet and email. For example, is occasional personal use of the internet during lunch breaks allowed? The policy must provide guidance to all practice team members on the responsible use of these resources.

Make practice team members aware that it is not permitted to send emails that might be construed as offensive or sexually harassing to anyone.

If the practice chooses to communicate with patients via email or other electronic means, explain to patients and the practice team (e.g. via the practice website if you have one or via the practice information brochure) any limitations to the timeliness and nature of the advice that can be provided. You should also explain if you charge any fees for electronic consultations. Refer to the RACGP Standards for general practices (4th edition) for further information.

The practice needs to communicate to patients the way in which it will meet its privacy obligations. You can inform patients that no confidential information should be transmitted without encryption or other secure means. In addition to internal policies concerning access rights and other data handling processes, privacy law requires organisations that deal with personal information to make available to the public a policy about their data handling practices, including collection, use and disclosure. Practices should obtain legal advice about this and other obligations under privacy laws.

6.2 Policy communication

The policy should be in written format and communicated to relevant practice team members.

6.3 Internet configuration

Suggested considerations for appropriate internet use and configuration include:

  • internet use for business, clinical and research purposes only
  • all downloads accessed from the internet must be scanned for viruses
  • all sites accessed must comply with legal and ethical standards and practice policy
  • web browser security settings are not to be changed without authorisation.

Methods for limiting internet use could include the blocking of specific sites and applications; this can be set up by technical service providers. Permitting only a list of approved sites is called whitelisting (permissible sites), and blocking a list of known unwanted sites is called blacklisting (impermissible sites).

Configuring Sender Policy Framework (SPF) for the practice’s email domain is an advanced method to mitigate spoofed email. Email spoofing is where an email appears to have originated from one source (for example, the practice’s own domain or a trusted contact) when it was actually sent from a forged address. It is used to trick the user, much like phishing emails. Common examples of spoofed email that could affect the security of your system include emails claiming to be from the system administrator requesting that passwords be changed to specific characters, often threatening suspension of an account if this is not done, or emails requesting users to send copies of sensitive information or passwords. SPF publishes, for the practice’s domain, the list of mail servers permitted to send email on its behalf, so receiving systems can reject mail from anywhere else; it has to be set up in conjunction with your email system and will require technical assistance. You can also use DomainKeys Identified Mail (DKIM), which cryptographically signs outgoing email so that receiving systems can verify it genuinely came from the practice’s domain.
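As an added example (not part of the RACGP text or any vendor’s code), the following Python shows the receiver-side check that SPF enables: given a constructed SPF record for a hypothetical domain example-practice.com.au, it reports whether a message claiming that domain arrived from an authorised server. It supports only the ip4, ip6 and all mechanisms and replaces the DNS lookup with an in-memory dictionary so it runs offline; a real mail gateway uses a full SPF library and live DNS.

```python
import ipaddress

# Constructed sample record for a hypothetical practice domain (not a real record);
# the addresses are RFC 5737 documentation ranges, not real mail servers.
SPF_RECORDS = {"example-practice.com.au": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS):
    """SPF result for mail claiming `domain` as sender, delivered from `sender_ip`.
    Minimal evaluator: only ip4, ip6 and all mechanisms; DNS replaced by `records`."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published: the claimed domain cannot be verified
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to a "pass" qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]  # "-all": any other source is a forgery
        mech, _, value = term.partition(":")
        if mech in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(value, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                continue  # malformed value: treat as no match
        else:
            return "permerror"  # include/a/mx need live DNS; out of scope here
    return "neutral"  # nothing matched and no `all` term


def classify(domain, sender_ip):
    """Map the SPF result to the handling decision a mail gateway would apply."""
    result = evaluate_spf(domain, sender_ip)
    action = {
        "pass": "authorised sender, deliver",
        "fail": "likely spoofed, reject or quarantine",
        "softfail": "suspicious, deliver but flag",
    }.get(result, "unverified, apply normal spam filtering")
    return f"{result}: {action}"


if __name__ == "__main__":
    # Genuine practice mail server versus a forged message using the practice's domain.
    print(classify("example-practice.com.au", "203.0.113.10"))
    print(classify("example-practice.com.au", "192.0.2.77"))
```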

Specific actions must include:

  • installing and using antivirus and anti-malware software, centrally installed and managed and locally deployed: keep this software active at all times
  • installing anti-spyware software (from a reputable supplier): ensure currency by setting up automatic updates and periodically check manually that the anti-spyware is current
  • applying patches to operating systems and application programs following advice from technical support providers.

Protection against hackers

  • Install hardware and/or software network perimeter controls such as firewalls and intrusion detection systems between computers and the internet (following advice from technical support providers).
  • If you install a software firewall, ensure that the practice knows how to use it (centrally installed, centrally managed).
  • Ask the technical support providers to test the firewall periodically and update it as required.
  • If you are using a wireless network, seek technical advice on how to prevent others with similarly equipped computers from gaining access to the practice network.

6.4 Internet use education

Practice team members should be educated and trained in best practice processes when using the internet. This includes learning about protection measures against viruses and spyware.

Protection against viruses

  • Do not open unexpected email, even from people known to you, as it may have been sent by a virus using their address.
  • Use an antivirus mail filter to screen email before downloading.
  • Do not use the ‘preview pane’ in your email program as this automatically opens your email when you click on the header.
  • Save attachments and check for viruses before opening or executing them (note this does not relate to the clinical secure messaging but to attachments received through email and websites).
  • Do not run programs directly from websites. If files are downloaded, check for viruses first.
  • Enable security settings in your internet browser to medium or high.
  • Consider using internet browsers and email programs that are more secure.

Protection against spyware

  • Learn how to recognise (and delete) spyware.
  • Do not accept certificates or downloads from suspect sites.

General protection

If you have a useful list of internet favourites or bookmarks make a backup of the list.

6.5 Email configuration

Communication of clinical information to and from healthcare providers should be done from within the practice’s clinical software using a secure clinical messaging system. The use of a practice’s clinical software means that a record of communication is automatically retained in the patient’s medical record.

Protection against spam

  • Use a spam filtering program.

Encryption of patient information

  • Use server-to-server encryption such as SSL or TLS (TLS is the current form; older SSL versions are no longer considered secure).

6.6 Email use education

General protection

  • If you rely on information held in your emails make sure that it is backed up with the rest of your data.
  • Do not download or open any email attachments where the sender is not known to you.
  • Email use that breaches ethical behaviours and/or violates copyright is prohibited.
  • Do not send or forward unsolicited email messages, including the sending of ‘junk mail’ or other advertising material (email spam).
  • Do not use email for broadcast messages on personal, political or non-business matters.

Protection against spam

  • Do not reply to spam mail.
  • Never try to unsubscribe from spam sites.
  • Remain vigilant: do not provide confidential information to an email (especially by return email) no matter how credible the sender’s email seems (e.g. apparent emails from your bank).
  • Use a spam filtering program.

Encryption of patient information

  • All email communications should be treated as confidential.
  • When sending patient information or other confidential data by email, it is best practice to use encryption.
  • Be aware that encrypted files are not automatically checked for viruses. They have to be saved, decrypted and then scanned for viruses before being opened.

Protection against the theft of information

  • There are significant risks in providing confidential information by email: only do so via the internet when the browser displays a security padlock in the address bar and the web address begins with https.
  • Do not inform people of your email password.
  • Be aware of phishing scams requesting logon or personal information (these may be via email or telephone).