Information security: prevention is better than cure

05 Jun 2019

by Gae Nuttall

Information security

In medical practice, you’re legally required to take reasonable steps to protect the security of the personal information you hold.

Failure to do so increases the risk of privacy breaches, harm to patients, reputational damage, disruption to the functioning of your practice, and substantial fines or penalties.

Here are some practical steps you can take to protect the information you hold.

  • IT service provider contract: Check the provider's qualifications and experience, response times, backup frequency, security provided and monitoring. The Australian Cyber Security Centre (ACSC) website has useful questions to ask your provider to make sure they're protecting your system and your data.
  • Data breach response plan: This can be a fairly simple document that sets out the roles and responsibilities for assessing and responding to a data breach and managing the incident from start to finish. The OAIC has a useful guide to help develop your own plan.
  • Policy for electronic communications with patients: E.g. email, SMS and weblinks. The RACGP has an internet and email policy template that you can customise to suit your practice.

  • Regular staff training: It's helpful to keep staff updated and aware of cyber security and scams, e.g. what a phishing email looks like and what to do if you suspect one. Some basic material for training can be found in the Australian Digital Health Agency's information security guide, and the ACSC has advice on improving staff awareness.

  • Staff access: Limit staff access to your data systems as appropriate to their role, e.g. most clinical software programs allow different access levels for administrative, nursing and medical staff. Restrict the ability to add new system software to the administrator only.
  • Screensavers: Use password-protected screensavers to prevent others accessing the system.
  • Passwords: Change passwords frequently, with a password of at least eight characters and a mix of letters (uppercase and lowercase), numbers and symbols, or use a lengthy passphrase. Do not share passwords – see advice from the ACSC on understanding passwords.
  • Staff members leaving: Cancel system access, change passwords, and change access codes.
  • Upgrading or replacing devices: Remove sensitive data – don't just 'throw it in the bin'!

  • Firewall/virus protection: Ensure your systems have a good firewall to protect against intrusion by hackers and malicious viruses. This will also help prevent confidential information from being sent out from your computer without your permission.
  • Install updates: Don't delay installing updates when requested by your provider. These updates are designed to ward off the latest threats. The same applies to 'patches' – keep them up to date.
  • Medical equipment: Equipment that contains patient data, has access to patient data, or has offsite backup provided by the manufacturer/distributor (e.g. ECG, spirometry, skin detection or ultrasound machines) must be kept secure. Also ensure upgrades are installed and patches are up to date. Check frequently and keep a log noting the date, time and the person who did the check.
  • Filtering: E.g. email spam filtering, whitelisting (listing rules for applications that are allowed to run on your computers) and blacklisting (blocking material known to be harmful).
  • Mobile devices: Consider mobile devices such as phones, portable data storage, remote access login and cameras – who has access, how many are there, are they safe? Aim for two-factor authentication and the ability to delete data remotely in case of theft or loss. Consider using a program to encrypt mobile devices and having a mobile phone that can be deactivated remotely in case it's stolen.
  • Virtual Private Network (VPN): Consider a secure VPN for remote access login.
  • Disabling: Disabling functions such as AutoPlay or remote desktop, if not required, can make it harder for malware to run or an attacker to gain access.
  • Disconnect: If you suspect an electronic appliance is infected with malware, remove it immediately from the system and power.

  • Backups: Perform backups frequently (minimum daily), with backup drives ideally physically separated from the network. Regularly check that backups have worked (every 3-6 months) and know the location of your server.
  • Appointment systems: Enable access to the appointment system in an emergency, e.g. a hard copy printed at the end of each day for the next day.
  • Cloud storage: It's recommended that the server is located in Australia, to avoid the strict obligations under privacy law (APP8) that apply if patient data is stored outside of Australia. It's also recommended to have a reputable and preferably accredited provider, a contract specifying that you own the data, data encryption and multifactor authentication, and encrypted backup stored offline or with another cloud provider. The contract should also have a clause requiring the provider not to breach the Australian Privacy Principles (APP). The ACSC has a guide to cloud computing security.

Read our article – Must I report this privacy breach – which includes a handy flowchart you can download for use in your practice.

More resources

  • Australian Cyber Security Centre
  • Australian Digital Health Agency
  • Office of the Australian Information Commissioner
  • RACGP: Information security in general practice

Gae Nuttall
Risk Adviser, MDA National
