Your browser has 'Cookies' disabled, alert boxes will continue to appear without this feature.

Planned maintenance activity on Wednesday 18 July from 8pm to 10pm AEST may impact performance of the RACGP website.

Practice standards

Computer and information security standards

Standard 9: Computer network perimeter controls

Our practice has reliable network perimeter controls

Compliance indicators

The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 9.

It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.

The compliance indicators at level 3 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.

Computer network perimeter controls compliance indicatorsLevel 1 InitialLevel 2 RepeatableMinimumLevel 4 ManagedLevel 5 Optimised
Level 3 Defined
9.1 Policy content No formal policy No complete written policy Complete written policy Complete written policy, periodically reviewed Complete written policy, reviewed annually
9.2 Policy communication Policy not communicated to the practice team Policy communicated verbally to the practice team Policy communicated in written format to relevant practice team members Policy communicated in written format, training provided and all practice team members have access to the policy Policy available in written format to relevant practice team members
Regular training for the practice team and communication strategy reviewed against policy
All practice team aware of the content and implications of the policy
9.3 Firewall Firewall configuration Internet service provider gateway- based firewall used Local LAN firewall, default installation setup Local LAN firewall set up to meet practice policy Local LAN and personal firewalls issued
Practice policy used for configuration
Conformance to practice policy
Antivirus (anti-malware) software active on firewall
Packet filtering, application proxy and stateful inspection (authorised connections)
Firewall monitoring No activity monitoring Manual monitoring of some systems activities System-prompted exception monitoring Automated monitoring for user, system and policy violations Automated monitoring and attack pattern recognition
Firewall auditing No auditing/log file examination Manually basic security log files examined Log files examined periodically All log files routinely examined All log files routinely examined by trained practice team members (either inhouse or external)
9.4 Intrusion detection system (IDS) IDS configuration Default configuration Installation setup (no practice policy link) Periodic automated check of some system and network vulnerabilities Periodic automated check of all systems and networks Automated configuration checking of each system and networks daily using port scanning tools
IDS activity monitoring No activity monitoring Manual monitoring of some system activities System-prompted exception monitoring Automated monitoring for user, system and policy violations Automated monitoring of abnormal attack patterns on the system and all user activities and policies
IDS auditing No auditing or log file examination Security log files examined manually Log files examined periodically Log files automatically examined for router and server periodically All log files for router, server, process and other security logs examined automatically each day
9.5 Demilitarised zone (DMZ) Not installed or status unknown Pseudo DMZ using router Installed for web services Installed for web services and email server Configured to conform to practice policy including for web services email server and VOIP server
Proxy server used
9.6 Secure remote access: virtual private network (VPN) and remote desktop protocol (RDP) (also see Access control) Not installed for remote connections RDP used without additional security RDP with additional SSL TLS security VPN installed VPN installed
9.7 Content filtering No content filtering in place Software application filtering only for email Software filtering via specific applications: email, antivirus Files scanned by user prompt Access to trusted websites only
All files scanned automatically
9.8 Perimeter vulnerability testing No testing Scanning performed ad hoc Scanning performed regularly inhouse Professional testing, including scanning, and network violation analysis Annual professional testing
9.9 External technical support Not used Technical support engaged ad hoc after critical incidents External technical support engaged used for initial configuration and ad hoc as required External technical support engaged for regular maintenance External technical support engaged for regular maintenance and monitoring
9.10 Wireless networks Wireless network encryption No encryption or unknown WEP (wireless encryption protocol) WPA2 (Wi-Fi protected access 2) WPA2-PSK (Wi-Fi protected access 2-pre-shared key) specifically using random letter or random word passphrase WPA2-ENT (Wi-Fi protected access 2 enterprise) or higher used, specifically using random letter or random word passphrase
Wireless network configuration Default configuration or configuration unknown Disable network broadcasting Disable network broadcasting
Change SSID (service set identifier/public name) to not identify practice or equipment brand
Disable network broadcasting
Change SSID (service set identifier/public name) to not identify practice or equipment brand
MAC address filtering used
All wireless connections to network such as wireless printers and mobile devices also use password authentication to connect
Wireless network footprint mapped and adjusted to limit power
MAC address filtering used
Disable network broadcasting
Change SSID (service set identifier/public name) to not identify practice or equipment brand
All wireless connections to network such as wireless printers and mobile devices also use password authentication to connect
Use of smart card, USB token or software token
Use of wireless intrusion prevention systems (WIPS) or wireless intrusion detection systems (WIDS)
Adapted and reproduced with permission from Dr Patricia Williams

Helpful templates for this Standard

Templates 9.1–9.2 will assist in achieving compliance. Completion of these templates will ensure you have fully documented the requirements of this Standard.

Explanatory notes

Network perimeter controls are the hardware and software tools used to protect the practice system by analysing data entering and leaving your network. It includes technical measures such as firewalls and intrusion detection systems. It is recommended that qualified technical support be sourced for installation and configuration. This will help achieve a balance between protections and allowing authorised remote access to practice systems. In network perimeter security, it is necessary to use multiple techniques and tools to protect the information systems: this is known as layering or defence-in-depth. This involves multiple protection mechanisms, such as firewalls, intrusion detection systems, virtual private networks (VPNs), content filtering and antivirus protection.

Hackers can steal information and can cause harm to your computer system through loss or corruption of data. Network perimeter controls are essential for the long-term protection of patient information; even an inadvertent breach may infringe privacy laws and doctor–patient confidentiality.

9.1 Policy content

Network perimeter controls provide details of the systems (hardware and software) that protect the network and necessarily extend to include remote and wireless access networks. This may include firewall and intrusion detection hardware and software, content filtering and their related procedures. The network perimeter control policy and associated procedure will include access to network perimeter control hardware and software, its configuration and appropriate settings for the practice. This will need to be developed with assistance from your technical service provider or experts in this area.

All hardware and software perimeter controls used and their configuration should be documented. Some of this information may already be recorded as part of the asset register in the risk assessment process.

An antivirus program also forms a component of network perimeter controls (discussed in Standard 8).

The practice policy on remote access and use of wireless systems should be documented. Technical assistance may be required with this. Aspects that should be considered include:

  • allowable access channels (e.g. guest accounts, wireless, modem access)
  • allow resources and system access when using remote access
  • disallow downloading or installing additional programs and utilities
  • establish third party and vendor access rights and confidentiality agreements (see Sections 3.4 and 3.5)
  • use a VPN for all remote access
  • avoid public or open, unsecured networks.

9.2 Policy communication

The policy should be in written format and communicated to relevant practice team members.

9.3 Firewall

Firewalls check messages coming in to and out of a network and block unauthorised access to a practice network. These can be either software or hardware. A firewall is configured to a set of rules to allow and disallow messages to flow in and out of the practice network. It adds a layer of protection between the practice computers and the internet. Unless you are using a standalone computer, it is advisable to install a hardware firewall for extra security rather than a software one. Firewalls need to be properly configured and periodically tested to ensure that they are still working. These are usually matters for a technical service provider.

Record the hardware and software configuration of firewall devices. These should be consistent with the network protection policies.

Hardware and/or software network perimeter controls need to be correctly installed and configured.

9.4 Intrusion detection systems (IDS)

Intrusion detection systems (IDS) monitor network and system activity to detect malicious and unauthorised actions and policy violations. They are usually software based and raise alerts if there has been unauthorised access to your systems. Intrusion detection systems do not prevent attacks on your system but they inform you that there is a potential problem so action can be taken. These systems are devices and programs that need technical knowledge to install and configure correctly. Record the hardware and software setup of IDS devices. These should be consistent with the network protection policies.

9.5 Demilitarised zone (DMZ)

A demilitarised zone (DMZ) acts as a neutral zone or protected space between the internal practice networks and the external facing connections, such as the internet, web services and email. It prevents access by outside users to the internal servers holding practice and patient data. It adds an additional layer of security to the local network for outside security attacks. For instance, if the practice website were hacked, while there may be corruption of the web pages, other practice information would not be placed at risk. Additionally, a proxy server is often placed in the DMZ where an intermediate server controls access to and from the internet.

9.6 Secure remote access

Secure remote access means communicating from your remote computer to the practice server securely. There are two commonly used methods to do this: virtual private networks and remote desktop protocol.

Virtual private networks (VPN) provide a secure and reliable connection over the internet – sometimes referred to as a ‘VPN tunnel’. A VPN uses encryption to prevent unauthorised reading of messages (confidentiality), authentication to ensure only authorised users have access to the system being connected to (authentication) and also uses authentication to ensure messages are not altered (integrity). It is most often used for remote access (access from outside the practice) to practice systems (e.g. accessing a practice system while visiting a nursing home). Establishing this service requires technical assistance.

Remote desktop protocol (RDP) is less secure than VPN. RDP is a Microsoft proprietary facility incorporated into the Microsoft operating system. It allows connection remotely from one computer to another over a network connection. One end of the connection runs the client software and the other the RDP server software. It uses a remote desktop service (the terminal server) and a remote desktop connection (the terminal service client).

The communication through RDP is encrypted at the transmission level, which protects it from the risks associated with interception of information; however, it lacks the authentication component to verify the identity of the server that is inherent in using a VPN. Note the encryption level is dependent on the version of the remote desktop connection client application as older versions do not support the higher levels of encryption.

You can increase the level of security by combining the use of RDP with secure socket layer (SSL) transport layer security (TLS) for authentication of the server and to encrypt the session connection information. This requires expert technical knowledge to set up correctly.

9.7 Content filtering

Content filtering is the use of software programs that can filter email and restrict access to the internet. Filtering for spam is the most common type of email filtering. Limiting access to known and trusted websites is commonly used.

9.8 Perimeter vulnerability testing

Testing the vulnerability of your network is called penetration testing. This uses methods such as scanning networks to discover security weaknesses, and network violation analysis, which examines logs for unauthorised access and unusual or inappropriate activity. If this is required it should be undertaken by a specialist in this field.

Network perimeter controls are essential for anyone using the internet. Like viruses, unwanted intruders can invade your system. Your technical service provider can inform you about logs of unauthorised activity on your system. A form for recording the types and configuration of the network perimeter controls installed on your system can be found in Templates 9.1 and 9.2.

9.9 External technical support

Remote access is also used by technical service providers to support your computer system. You should ensure that the methods used to access your system for IT support cannot also become security vulnerabilities. Procedures should be in place to minimise these risks, such as the use of a VPN (see Section 9.6). In addition, since third parties may have access to your system legitimately, a list of suggested guidelines to include in a contractual agreement, as well as a sample confidentiality agreement for such providers, is given in Template 1.4.

Technical IT service provider support should be used to install and configure appropriate network perimeter controls. Other, more complex controls may include technical solutions such as the use of hidden network addressing. Further, external technical support should be used for regular system and network maintenance and monitoring.

9.10 Wireless networks

Remote access to your practice computer system includes wireless networks and increases the convenience of access to practice information. However, it also requires additional security measures so that eavesdroppers cannot gain unauthorised entry to your computer system. There is increasing use of Wi-Fi (or Bluetooth) enabled laptops and other handheld devices (e.g. for home and aged care visits), and you should obtain technical advice on how best to keep the equipment and information they hold secure. Wi-Fi devices must have encryption set up to ensure the confidentiality of information. Care should be taken when using devices in public places to avoid information being sighted, as well as when connecting via open or unsecured public networks.

Wireless networks (remote access systems) must be configured securely by a technical service provider expert and should include:

  • encrypting the data transfer using WPA2 (Wi-Fi protected access 2) or stronger encryption standards to avoid information exposure
  • limiting the power of the router’s radio (Wi-Fi) signal so that it does not extend past the walls of the practice (known as the wireless footprint)
  • disabling network broadcasting to reduce the risk of devices on the network announcing themselves to other devices on the network
  • enabling media access control (MAC) address filtering to restrict unauthorised devices from connecting to the wireless network. A MAC address is unique to a specific computer or device
  • changing the service set identifier (SSID) or the public name of the wireless network to something unique that does not identify the brand of device used or the business name
  • using password authentication for all wireless connections to the network, such as wireless printers and mobile devices
  • considering using a smart card, USB token or software token authentication
  • implementing a wireless intrusion prevention system (WIPS) or a wireless intrusion detection system (WIDS) for maximum protection. A WIPS and WIDS monitors for the presence of unauthorised wireless access points. A WIPS can take action to prevent intrusion using any detected unauthorised access points, while a WIDS notifies the computer system administrator.
Advertisement loading...