Articles and Case Studies

Security of Electronic Records | Defence Update

11 Sep 2013

Julian Walter clover

by Dr Julian Walter

Cyber-crime is not new, however the targeting of health practices has recently appeared as an emerging risk. In December 2012, the widely publicised hacking and encryption for ransom of a Gold Coast medical centre’s records brought this issue to the attention of doctors and public alike. Media sources stated that there had been 11 similar intrusions in Queensland during 2012.


While no security measures are foolproof, it is essential that preventative action is taken by practices to minimise the risk of data loss and intrusion. Private sector organisations are required to take reasonable steps to protect the personal information they hold from misuse, loss or unauthorised access.3  Significant civil penalties may apply.4

New mandatory data breach notification obligations come into effect in February 2018. This means that practices must take steps to notify affected persons and the Information Commissioner where the entity believes an eligible data breach has occurred or when directed to do so by the Commissioner. For further information regarding eligible data breaches see  

The Royal Australian College of General Practitioners (RACGP) Computer and Information Security Standards (CISS) provide a helpful guide5 including:

  • the need to maintain appropriate security measures (including firewall / antivirus software)
  • having an adequate backup system
  • seeking appropriate technical support
  • formulating a disaster recovery/business continuity plan (in a worst case scenario, what will you do to ensure you are able to maintain continuity of care and recover your lost data and records).

Adequate, reliable and timely database backup is critical. The interval period between backups will dictate the minimum amount of data that cannot be recovered in the event of data loss. Backups need to be rotated, securely stored off-site (thus not accessible to network intrusion) and periodically tested for integrity. Your computer system and configuration should also be backed up (although less frequently).


In the event of data loss it is critical to know where your most recent backup is located. Loss of documents cover is provided under the MDA National Practice Indemnity Policy and Professional Indemnity Insurance Policy6 and includes indemnification for reasonable costs and expenses incurred in replacing or restoring certain lost or damaged documents, subject to the terms and conditions of the Policies.

If your records and backups are damaged, third party technical assistance may be required to try and rebuild the records. This is expensive and time consuming and it may only be possible to partially recover the lost data, requiring manual re-entry of the data.

Privacy breach

In the event of a third party intrusion into your practice software, there may also be a privacy breach if the records can be accessed by the intruder. In a situation involving the theft of a practice database, this may include the breach of a substantial number of confidential and sensitive medical records.

The Office of the Australian Information Commissioner (OAIC) has a helpful guide to the handling of personal information security breaches. The guide notes that when responding to a privacy breach, there are four steps to consider7:

  1. containment and assessment
  2. evaluation of risks associated with the breach
  3. notification
  4. prevention.

Computer intrusion, data loss and privacy breaches are serious matters that can cause significant disruption to practices and result in claims, complaints and investigations. Members can seek advice from our Medico-legal Advisory Service on 1800 011 255.

Julian Walter, Medico-legal Adviser, MDA National.

  3. Australian Privacy Principle 11 
  4. Federal Court proceedings brought by the Privacy Commissioner can award civil penalties of up to $340,000 for serious or repeated breaches of the Privacy Act. These changes will commence on 12 March 2014 following changes to the Privacy Act 1988 (Cth) by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
  6. Disclosure Documents and Policy Wording 

Confidentiality and Privacy, Practice Management, Technology, Anaesthesia, Dermatology, Emergency Medicine, General Practice, Intensive Care Medicine, Obstetrics and Gynaecology, Ophthalmology, Pathology, Practice Manager Or Owner, Psychiatry, Radiology, Sports Medicine, Surgery


Doctors Let's Talk: Get Yourself A Fricking GP

Get yourself a fricking GP stat! is a conversation with Dr Lam, 2019 RACGP National General Practitioner of the Year, rural GP and GP Anesthetics trainee, that explores the importance of finding your own GP as a Junior Doctor.


25 Oct 2022

Systematic efforts to reduce harms due to prescribed opioids – webinar recording

Efforts are underway across the healthcare system to reduce harms caused by pharmaceutical opioids. This 43-min recording of a live webinar, delivered 11 March 2021, is an opportunity for prescribers to check, and potentially improve, their contribution to these endeavours. Hear from an expert panel about recent opioid reforms by the Therapeutic Goods Administration and changes to the Pharmaceutical Benefits Scheme. 

Diplomacy in a hierarchy: tips for approaching a difficult conversation

Have you found yourself wondering how to broach a tough topic of conversation? It can be challenging to effectively navigate a disagreement with a co-worker, especially if they're 'above' you; however, it's vital for positive team dynamics and safe patient care. In this recording of a live webinar you'll have the opportunity to learn from colleagues' experiences around difficult discussions and hear from a diverse panel moderated by Dr Kiely Kim (medico-legal adviser and general practitioner). Recorded live on 2 September 2020.