Articles and Case Studies

Cloud Storage of Medical Records

21 Feb 2018

Storing data in the cloud is becoming increasingly popular. Cloud storage involves storing data online, rather than storing it locally on a device such as a hard drive.

The data files are stored on a server owned by a cloud service provider such as Google Drive or Dropbox.

You must have connection to the internet to access the stored information. Benefits for businesses can include cost savings, access by multiple users, and data compatibility across different machines and browsers.

Security risk

Security is the big risk of handing over control of your data to an external vendor.

Medical records contain data that is sensitive and subject to strict legal requirements. They are also extremely vulnerable to theft, because the information they contain has “street value” – it could be used for identity theft, to falsify drug prescriptions, claim false health benefit payments, and even enable stalking.1

Loss of security of your medical records could breach privacy law, harm patients, damage your practice’s reputation, or affect the practice’s ability to function. Under Australian privacy law, a practice must take reasonable steps to protect personal information it holds from misuse, interference or loss; and from unauthorised access, modification or disclosure.2

Each practice’s circumstances must be taken into account. A cloud-based system may offer better security than a self-hosted system in a practice without security processes or qualified maintenance staff. In a well-publicised case in 2012, Russian hackers demanded a ransom after encrypting and disabling a Gold Coast GP clinic’s medical records.3

The fast pace of cloud development and the technical nature of data security may be daunting for doctors without extensive IT knowledge. External assistance is recommended.

A useful document is the Defence Department’s Cloud Computing Security for Tenants4 which aims to help a cloud user’s cyber security team, cloud architects and business representatives to work together to perform a risk assessment and use cloud services securely. Risk mitigations detailed include:

  • using a cloud service with particular accreditation (some providers may abide by the international standard for cloud privacy – ISO27018)
  • annually testing an incident response plan
  • encrypting data sent to the cloud
  • multifactor authentication
  • encrypted backup stored off-line or with another cloud provider
  • having adequate bandwidth for reliable network connectivity
  • contractually retaining legal ownership of your data.

Your contract with a cloud provider must address mitigations to security risks, persons who can access your data, and the security measures used to protect your data.

Server location

The location of servers is a vital consideration in choosing a cloud service provider – servers in Australia are recommended. Some well-known cloud services have servers located overseas. Australian privacy law requires that before personal information is disclosed overseas, a practice musttake reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles.5

If you believe the country where the servers are located has similar privacy laws to Australia, you should obtain documentation such as independent legal advice to support this. If not, your options are to:

  • not use that cloud service provider
  • enter into a contract with the cloud service provider requiring them not to breach the APPs
  • get consent from patients to disclose their information to the cloud service provider.

Seek further information and legal advice before embarking on any of these options.

Useful information on information security


  1. Funnell A. Your Health Information is Neither Safe Nor Secure. ABC News, 12 Nov 2016. Available at:
  2. APP11 – Security of Personal Information. More information available on the website of the Office of the Australian Information Commissioner:
  3. Hicks S. Russian Hackers Hold Gold Coast Doctors to Ransom. ABC News, 11 Dec 2012. Available at:
  4.  Department of Defence, Australian Signals Directorate. Cloud Computing Security for Tenants. April 2015. Available at:
  5. APP8 – Cross-border Disclosure of Personal Information. For more information see the Office of the Australian Information Commissioner. Available at:
Technology, General Practice, Practice Manager Or Owner


Doctors Let's Talk: Get Yourself A Fricking GP

Get yourself a fricking GP stat! is a conversation with Dr Lam, 2019 RACGP National General Practitioner of the Year, rural GP and GP Anesthetics trainee, that explores the importance of finding your own GP as a Junior Doctor.


25 Oct 2022

Systematic efforts to reduce harms due to prescribed opioids – webinar recording

Efforts are underway across the healthcare system to reduce harms caused by pharmaceutical opioids. This 43-min recording of a live webinar, delivered 11 March 2021, is an opportunity for prescribers to check, and potentially improve, their contribution to these endeavours. Hear from an expert panel about recent opioid reforms by the Therapeutic Goods Administration and changes to the Pharmaceutical Benefits Scheme. 

Diplomacy in a hierarchy: tips for approaching a difficult conversation

Have you found yourself wondering how to broach a tough topic of conversation? It can be challenging to effectively navigate a disagreement with a co-worker, especially if they're 'above' you; however, it's vital for positive team dynamics and safe patient care. In this recording of a live webinar you'll have the opportunity to learn from colleagues' experiences around difficult discussions and hear from a diverse panel moderated by Dr Kiely Kim (medico-legal adviser and general practitioner). Recorded live on 2 September 2020.