Information Security Prevention is Better than Cure

Medical practices are legally required to take reasonable steps to protect the security of personal information they hold. Failure to do so increases the risk of privacy breaches, harm to patients, reputational damage, disruption to the functioning of the practice, and substantial fines or penalties.

Here are some practical steps you can take, with links to useful resources.

PLAN

• IT service provider contract: Check their qualifications and experience, response times, backup frequency, security provided and monitoring. The Australian Cyber Security Centre (ACSC) website has useful questions to ask your provider to make sure they’re protecting your system and your data.
• Data breach response plan: This can be a fairly simple document which set outs the roles and responsibilities for assessing and responding to data breach and managing the incident from start to finish. The OAIC has a useful guide to help develop your own plan.
• Policy for electronic communications with patients, e.g. email, SMS and weblinks. The RACGP has an internet and email policy template which you can customise to suit your practice.

TRAIN

• Regular staff training: It’s helpful to keep staff updated and aware of cyber security and scams, e.g. what a phishing email looks like and what to do if you suspect one. Some basic material for training can be found in the Australian Digital Health Agency’s information security guide, and the ACSC has advice on improving staff awareness. 

ACCESS LIMITS

• Staff access: Limit staff access to your data system as appropriate to their role, e.g. most clinical software programs allow different access levels for administrative, nursing and medical staff. Restrict the ability to add new system software to the administrator only.
• Screensavers: Use password-protected screensavers to prevent others accessing the system.
• Passwords: Change passwords frequently, with a password of at least eight characters and a mix of letters (uppercase and lowercase), numbers and symbols, or use a lengthy passphrase. Do not share passwords – see advice from the ACSC on understanding passwords.
• Staff members leaving: Cancel system access, change passwords, and change access codes.
• Upgrading or replacing devices: Remove sensitive data – don’t just ‘throw it in the bin’!

NETWORK AND DEVICE SECURITY

• Firewall/virus protection: Ensure your systems have a good firewall to protect against intrusion by hackers and malicious viruses. This will also help prevent confidential information from being sent out from your computer without your permission.
• Install updates: Don’t delay with installing updates when requested by your provider. These updates are designed to ward off the latest threats. The same applies to ‘patches’ – keep them up to date.
• Medical equipment: Equipment that contains patient data, has access to patient data, or has offsite backup provided by the manufacturer/distributor (e.g. ECG, spirometry, skin detection or ultrasound machines) must be kept secure. Also ensure upgrades are installed and patches are up to date. Check frequently and keep a log noting the date, time and the person who did the check.
• Filtering: E.g. email spam filtering, whitelisting (listing rules for applications that are allowed to run on your computers) and blacklisting (blocking material known to be harmful).
• Mobile devices: Consider mobile devices such as phones, portable data storage, remote access login and cameras – who has access, how many are there, are they safe? Aim for two-factor authentication and the ability to delete data remotely in case of theft or loss. Consider using a program to encrypt mobile devices and having a mobile phone that can be deactivated remotely in case it is stolen.
• VPN: Consider a secure Virtual Private Network for remote access login.
• Disabling: Disabling functions such as AutoPlay or remote desktop, if not required, can make it harder for malware to run or an attacker to gain access.
• Disconnect: If you suspect an electronic appliance is infected with malware, remove it immediately from the system/power  

STORAGE & BACKUPS

• Backups: Perform backups frequently (minimum daily), with backup drives ideally to be physically separated from the network. Regularly check that backups have worked (every 3-6 months) and know the location of your server.
• Appointment systems: Enable access to the appointment system in an emergency, e.g. hard copy printed at the end of each day for the next day.
• Cloud storage: It is recommended that the server is located in Australia, to avoid the strict obligations under privacy law (APP8) if patient data is stored outside of Australia. It’s also recommended to have a reputable and preferably accredited provider, a contract which specifies that you own the data, data encryption and multifactor authentication, and encrypted backup stored offline or with another cloud provider. The contract should also have a clause requiring the provider not to breach the Australian Privacy Principles (APP). The ACSC has a guide to cloud computing security.

Summary of useful websites for more resources:

• Australian Cyber Security Centre
• Australian Digital Health Agency
• Office of the Australian Information Commissioner
• RACGP: Information security in general practice.