Articles and Case Studies

Information security: prevention is better than cure

05 Jun 2019

Gae Nuttall B and W

by Gae Nuttall

Information security

In medical practice, you’re legally required to take reasonable steps to protect the security of the personal information you hold.

Failure to do so increases the risk of privacy breaches, harm to patients, reputational damage, disruption to the functioning of your practice, and substantial fines or penalties.

Here are some practical steps you can take to protect the information you hold.

PLAN

  • IT service provider contract: Check their qualifications and experience, response times, backup frequency, security provided and monitoring. The Australian Cyber Security Centre (ACSC) website has useful questions to ask your provider to make sure they’re protecting your system and your data.
  • Data breach response plan: This can be a fairly simple document which sets out the roles and responsibilities for assessing and responding to a data breach and managing the incident from start to finish. The OAIC has a useful guide to help develop your own plan.
  • Policy for electronic communications with patients: E.g. email, SMS and weblinks. The RACGP has an internet and email policy template that you can customise to suit your practice.

TRAIN

  • Regular staff training: It’s helpful to keep staff updated and aware of cyber security and scams, e.g. what a phishing email looks like and what to do if you suspect one. Some basic material for training can be found in the Australian Digital Health Agency’s information security guide, and the ACSC has advice on improving staff awareness.

ACCESS LIMITS

  • Staff access: Limit staff access to your data systems as appropriate to their role, e.g. most clinical software programs allow different access levels for administrative, nursing and medical staff. Restrict the ability to add new system software to the administrator only.
  • Screensavers: Use password-protected screensavers to prevent others accessing the system.
  • Passwords: Change passwords frequently, with a password of at least eight characters and a mix of letters (uppercase and lowercase), numbers and  symbols, or use a lengthy passphrase. Do not share passwords – see advice from the ACSC on understanding passwords.
  • Staff members leaving: Cancel system access, change passwords, and change access codes.
  • Upgrading or replacing devices: Remove sensitive data – don’t just ‘throw it in the bin’!

NETWORK & DEVICE SECURITY

  • Firewall/virus protection: Ensure your systems have a good firewall to protect against intrusion by hackers and malicious viruses. This will also help prevent confidential information from being sent out from your computer without your permission.
  • Install updates: Don’t delay with installing updates when requested by your provider. These updates are designed to ward  off the latest threats. The same applies to ‘patches’ – keep them up to date.
  • Medical equipment: Equipment that contains patient data, has access to patient data, or has offsite backup provided by the manufacturer/distributor (e.g. ECG, spirometry, skin detection or ultrasound machines) must be kept secure. Also ensure upgrades are installed and patches are up to date. Check frequently and keep a log noting the date, time and the person who did the check.
  • Filtering: E.g. email spam filtering, whitelisting (listing rules for applications that are allowed to run on your computers) and blacklisting (blocking material known to be harmful).
  • Mobile devices: Consider mobile devices such as phones, portable data storage, remote access login and cameras – who has access, how many are there, are they safe? Aim for two-factor authentication and the ability to delete data remotely in case of theft or loss. Consider using a program to encrypt mobile devices and having a mobile phone that can be deactivated remotely in case it’s stolen.
  • Virtual Private Network (VPN): Consider a secure VPN for remote access login.
  • Disabling: Disabling functions such as AutoPlay or remote desktop, if not required, can make it harder for malware to run or an attacker to gain access.
  • Disconnect: If you suspect an electronic appliance is infected with malware, remove it immediately from the system and power.

STORAGE & BACKUPS

  • Backups: Perform backups frequently (minimum daily),with backup drives ideally to be physically separated from the network. Regularly check that backups have worked (every 3-6 months) and know the location of your server.
  • Appointment systems: Enable access to the appointment system in an emergency, e.g. hard copy printed at the end of each day for the next day.
  • Cloud storage: It’s recommended that the server is located in Australia, to avoid the strict obligations under privacy law (APP8) if patient data is stored outside of Australia. It’s also recommended to have a reputable and preferably accredited provider, a contract specifying that you own the data, data encryption and multifactor authentication, and encrypted backup stored offline or with another cloud provider. The contract should also have a clause requiring the provider not to breach the Australian Privacy Principles (APP). The ACSC has a guide to cloud computing security.


Read more icon

Read our article – Must I report this privacy breach – which includes a handy flowchart you can download for use in your practice.

More resources icon 

More resources

Australian Cyber Security Centre: cyber.gov.au

Australian Digital Health Agency: digitalhealth.gov.au

Office of the Australian Information Commissioner: oaic.gov.au

RACGP: Information security in general practice: racgp.org.au

Gae Nuttall
Risk Adviser, MDA National




Confidentiality and Privacy, Medical Records and Reports, Practice Management, Anaesthesia, Dermatology, Emergency Medicine, General Practice, Intensive Care Medicine, Obstetrics and Gynaecology, Ophthalmology, Pathology, Practice Manager Or Owner, Psychiatry, Radiology, Sports Medicine, Surgery, Physician, Geriatric Medicine, Cardiology, Plastic And Reconstructive Surgery, Radiation Oncology, Paediatrics, Independent Medical Assessor - IME
 

Library

How to Respond to a Complaint

Even a complaint that may seem trivial is important to the patient. MDA national Medico-legal Adviser and practicing GP, Dr Jane Deacon, discusses how to respond to a complaint.

Podcasts

11 Apr 2019

Top Tips and Medico-legal Mistakes Part 1

MDA National Executive Professional Services Manager and GP, Dr Sara Bird, explains how to be better prepared and avoid common medico-legal mistakes.

Podcasts

11 Apr 2019