Transcription
Informationsecurityin gp.org.auHealthy Profession.Healthy Australia.
Information security in general practiceDisclaimerThe information set out in this publication is current at the date of first publication and is intended for use as a guide of ageneral nature only and may or may not be relevant to particular patients or circumstances. Nor is this publication exhaustiveof the subject matter. Persons implementing any recommendations contained in this publication must exercise their ownindependent skill or judgement or seek appropriate professional advice relevant to their own particular circumstances whenso doing. Compliance with any recommendations cannot of itself guarantee discharge of the duty of care owed to patientsand others coming into contact with the health professional and the premises from which the health professional operates.Whilst the text is directed to health professionals possessing appropriate qualifications and skills in ascertaining anddischarging their professional (including legal) duties, it is not to be regarded as clinical advice and, in particular, is nosubstitute for a full examination and consideration of medical history in reaching a diagnosis and treatment based onaccepted clinical practices.Accordingly, The Royal Australian College of General Practitioners Ltd (RACGP) and its employees and agents shall haveno liability (including without limitation liability by reason of negligence) to any users of the information contained in thispublication for any loss or damage (consequential or otherwise), cost or expense incurred or arising by reason of any personusing or relying on the information contained in this publication and whether caused by reason of any error, negligent act,omission or misrepresentation in the information.Recommended citationThe Royal Australian College of General Practitioners. Information security in general practice. East Melbourne, Vic:RACGP, 2017.The Royal Australian College of General Practitioners Ltd100 Wellington ParadeEast Melbourne, Victoria 3002Tel 03 8699 0414Fax 03 8699 0400www.racgp.org.auABN: 34 000 223 807ISBN: 978-0-86906-481-8Published February 2018 The Royal Australian College of General Practitioners 2018This work is subject to copyright. Unless permitted under the Copyright Act 1968, no part may be reproduced in any waywithout The Royal Australian College of General Practitioners’ prior written permission. Requests and enquiries should besent to permissions@racgp.org.auWe acknowledge the Traditional Custodians of the lands and seas on which we work and live, and pay our respects toElders, past, present and future.
ContentsIntroduction1About this resource2Overview for practice owners and managers4Information security considerations8Information security for cloud computing10111Setting up your information security governance1.1 Roles and responsibilities of your practice team111.2 Policies and procedures for managing information security151.3 Managing access to your information systems and data16218Assessing the risks and keeping your practice running2.1 Risk assessment182.2 Business continuity and information recovery212.3 Information backup23326Securing the network and your equipment3.1 Network perimeter controls263.2 Maintenance of your computer hardware, software and operating system273.3 Mobile electronic devices30432Online safety4.1 Internet and email use324.2 Malicious software344.3 Electronic sharing of information354.4 Third-party software security37Information security in general practiceiiiii
IntroductionInformation security is critical to the provisionof safe, high-quality healthcare and the efficientrunning of a general practice. It is a fixed costof doing business, and requires adequateallocation of financial and human resources toensure business continuity and the protectionof information assets.Information security involves prevention ofinappropriate access, protection of personalinformation and preservation of practice data.The threat of cybercrime – inappropriate orunauthorised criminal access to practices’electronic data – is growing significantly.General practices frequently face new forms ofmalicious software and cleverly designed socialengineering scams that can place your clinicaland business data at risk. The single leadingpotential risk in a general practice’s informationsecurity is an internal breach through humanerror or malicious intent. Cyber-criminals areknown to target smaller businesses, like generalpractices, as their information security defencesare more easily breached in contrast to largerbusinesses that often dedicate more resources todigital information security.Information security in general practiceYour entire practice team has a responsibility toensure cybersecurity measures are in place toprotect your practice information systems fromcybercrime and online threats. Each personin the practice needs to actively contribute toprotecting the practice’s information systems.Patient or practice team data that is lost, stolen,inappropriately used or accessed can result inidentity theft or privacy breaches that couldultimately place your practice at risk of incurringsubstantial fines or penalties.1
About this resourceInformation security in general practice reflectsthe changing technology environment and newsecurity risks and threats. It does not imposenew professional obligations but is designedto assist you to meet your legal obligationsfor information security and the requirementsnecessary for accreditation against The RoyalAustralian College of General Practitioners(RACGP) Standards for general practices (5thedition).This resource details and recommends essentialbusiness practice, policies and proceduresto help you protect your general practiceinformation systems. It is not designed to be atechnical document, but as an educational andtraining resource for you and your practice team.Relevant indicatorWhere there is a ‘must have’in the Standards for generalpractices (5th edition), we directyou to the relevant indicator foreach section.Recommendations are providedto assist general practices tomeet the required accreditationstandards.Each section of this resource: refers you to the relevant indicator underCriterion C 6.4 – Information security fromthe RACGP Standards for general practices(5th edition), available at -forgeneral-practices-(5th-edition) provides specific policy content information.Information security in general practice2
Practice information security policiesPolices should be created to support information security processes in your general practice.To be effective, your policies should be: publicised and provided to all existing and new members of your practice team easily accessible (eg kept in policy manuals or available on your intranet) explained to team members through information and training sessions, at team meetingsand during induction reiterated and discussed regularly to maintain relevance periodically reviewed to ensure they are current, and updated when changes are made ininformation security processes in your practice or to relevant legislation re-issued to the practice team when updated.Policies should include:Practice team education a purpose and objectives definition of information security incidentsand their consequencesThis resource recommends you provide accessto education and training for your practiceteam to support information security in yourgeneral practice. You should keep a record ofwhen team members have undertaken training.Education can include: organisational structure and defined roles,responsibilities and levels of authority induction training reporting requirements and contact forms discussion at practice team meetings processes for providing access to trainingfor your practice team. formal ongoing training when changesare made in the practice or to legislativerequirementsUse the RACGP practice policy templatesample to create your practice policies,available at information/informationsecurity practice exercises to test processes(eg a training activity to test your practice’sbusiness continuity and information recoveryplan can be undertaken using practicalexercises in the same way fire drills arepractised). scope (ie to whom and what the policyapplies, and under what circumstances)Information security in general practice3
Overview for practice owners and managersInformation security in general practice describes the fundamentals of implementing informationsecurity controls into your general practice. As a practice owner or manager you need to ensure theseprocesses are in place to safeguard your practice systems, and appoint a member of your practice teamto be accountable and responsible for monitoring information security controls across your practice.Introduce information security governanceAddressing information security at a governance level is crucial. A security governance frameworkwill define the acceptable use of information technology (IT) in your practice and outlineresponsibilities. Information security roles and responsibilities should be allocated to membersof your practice team. These team members should coordinate security-related activities anddetermine when it is appropriate to engage external technical service providers. Information securityrequires regular attention at a practice level and your practice team members need to be awareof their responsibilities to protect practice information. Information security processes should bedocumented and followed.When developing your information security governance framework, it is important to consider: the legal and professional requirements for protection of the information held in your practice.Under the Australian Privacy Principles (APPs), APP 11 requires that reasonable steps aretaken to protect personal information from misuse, interference, loss, unauthorised access,modification or disclosure. Further information is available in the Office of the AustralianInformation Commissioner’s (OAIC’s) Guide to securing personal information what capabilities your practice has in terms of security knowledge and expertise who makes the decisions about the security protections required what processes are in place to assist in decision making about the use of information forpurposes other than for what it was collected (eg providing health information to externalorganisations for research or population health planning [secondary use of data]) how you know the system and process are working as intended.You can read more about this in 1.1 Roles and responsibilities of your practice team.Information security in general practice4
Protect your WiFi networkIf your practice has a WiFi network or offersfree WiFi for patients, have a policy for its use.Ensure you have strong authentication andencryption standards if using an internal WiFinetwork and isolate it from other networksto limit exposure if compromised. Set up astrong password to restrict access to the WiFinetwork so it is only accessible to authorisedpeople.You can read more about this in 3.1 Networkperimeter controls.Create a culture of informationsecurityAn information security culture should bepromoted within your practice. Educateyour practice team on risks to your practiceinformation systems and ensure practicepolicies outlining responsibilities to managesecurity risks are up to date and communicated.Train your practice team to identify and reportwhen systems are not working as expected.Make sure your team has a process to followto report suspicious activity or if issues withexisting security measures arise.You can read more about this in 1.1 Roles andresponsibilities of your practice team.Allocate resourcesRecognise and plan for the fixed costsof maintaining hardware and softwarethat supports information security. Manybusinesses assume spending moneyon information security means they areadequately protected. The right budget foryour security requirements will depend on thespecific needs of your business. Having aninformation security professional review canhelp identify security gaps and save costs inthe long term.Manage access to your systemsand your dataReduce security risks in your practice byintroducing access controls. Practice teammembers only need access to the minimumdata required to do their work. This limits therisk of data breaches and protects your practicedata. Establish a strong and unique passwordpolicy to make sure access to systems iscontrolled and secure. Access managementensures accountability and allows you toascertain who has entered or altered data.It is good practice to separate your data ondifferent servers if possible. Ensure your clinicaldata is on a separate network and server toyour website and other business data. Dataseparation helps contain the risk of dataexposure across your entire system.You can read more about this in 1.3 Managingaccess to your information systems and data.Information security in general practice5
Measure the effectiveness of your security controlsThe effectiveness of any information security control procedures you have in place in your practiceneeds to be measurable. This allows you and your practice team to monitor and assess if yourinformation security controls and processes are working. The challenge with information security isto find a balance between good protection and ease of use. Make sure your security controls areregularly tested.To measure your information security controls, consider the following questions: How will you know if your information security controls are effective? Are they too restrictive? Do they make your systems difficult for the practice team to use? What resources are needed if changes to your practice’s information security controls arerequired?Use the ‘List of information security considerations’ on page 8 to assist with monitoring andmeasuring your controls.Perform a risk assessmentSecuring the information held in yourpractice systems is essential to running yourgeneral practice, maintaining professionalresponsibilities to your patients, and ensuringpractice information is available when required.It is important to analyse and understand thesecurity risks and threats to business andclinical information in your practice. Identifygaps in security and implement strategies tolessen any potential risks.You can read more about this in 2.1 Riskassessment.Information security in general practiceHave a business continuity plan withinformation recovery proceduresYour general practice needs a documentedbusiness continuity plan which includesinformation recovery procedures to preserveaccess to your practice data. In the event ofan ‘information disaster’, this will ensure youcan respond as soon as possible to minimisepotential loss or corruption of information.This plan should detail how to maintain criticalbusiness functions when there is an unexpectedsystem event. The plan should be reviewed,updated and tested periodically.You can read more about this in 2.2 Businesscontinuity and information recovery.6
Have a resilient backup andrestoration process for practicedataCritical data in the practice should be regularlybacked up and validated. The backupprocedure needs to be documented androutinely tested to ensure the backup systemfunctions correctly and data can be quicklyrestored if an incident such as a server failureoccurs. A robust backup process enables youto restore your business functionality in theshortest time possible. Ensure your backupmedia is secure from unauthorised access andcopies are held at an alternative location incase of theft or a natural disaster at the primarylocation. Backup and restoration may notapply if your practice data is stored in the cloudand provided as Software as a Service (SaaS).In this case, it becomes an obligation of yourcloud service provider and should be includedas part of your contractual agreement.You can read more about this in 2.3Information backup.Educate and train your practiceteamYour practice team needs to know andunderstand that security breaches canand will happen. You need to educate yourpractice team about the importance of dataprotection and how to recognise signs of asecurity breach. You should have a processfor your practice team to access training sothey approach their jobs with a security focus.Share information on security breaches, nomatter how small, when they happen. Showyour practice team why they need to becareful.Regularly update software andsystemsEnsure your software is current and supportedby your software provider. All of your practicesoftware, including web browsers andoperating systems, should have the latestsecurity updates installed. Ideally, operatingsystem and application security updates shouldbe deployed automatically and be scheduledto update at a time that suits your practice.These updates are key in your defence againstmalicious software and other online threats.You can read more about this in 4.2 Malicioussoftware.Keep mobile devices secureHave a policy on the use of mobile electronicdevices for both business and clinicalpurposes. Mobile electronic devices cancontain confidential business informationor easily access information via your localnetwork. If you allow the use of mobile devices,these should be password protected, havedata encrypted where possible, and haveappropriate security applications or softwareinstalled. When using public and potentiallyunsecured networks on such devices, do notsend or access sensitive data in case yourcommunication is intercepted.You can read more about this in 3.3 Mobileelectronic devices.You can read more about this in 1.1 Roles andresponsibilities of your practice team and in4.2 Malicious software.Information security in general practice7
Information security considerationsThis list is a guide to help you assess, achieve and maintain effective information security controls inyour practice.1 Setting up your information security governance frameworkSecurity considerationExplanatory notes and recommendationsDoes your practice have designatedpractice team members for championingand managing information security? Dothese team members have their rolesand responsibilities documented intheir position descriptions? Does yourpractice have training scheduled forthese roles and responsibilities?Your practice should have a documented policyoutlining the specific roles and responsibilities ofall team members.1.2 P olicies and proceduresfor managing informationsecurityDoes your practice have documentedpolicies and procedures for managinginformation security?Your practice should have a policy and proceduremanual outlining the security requirements foryour practice. These policies and proceduresshould be clear and contain simple instructions.1.3 Managing access to yourinformation systems anddataDoes your practice have well-establishedand monitored authorised access tohealth information?Your practice should have a policy containinginformation on access rights, unique passwordmaintenance, password management, remoteaccess controls, and auditing and appropriatesoftware configuration.1.1 R oles and responsibilitiesof your practice teamPractice team members should receive regulartraining on all of the practice policies andprocedures to ensure they understand their roles inmaintaining information security.2 Assessing the risks and keeping your practice runningSecurity considerationExplanatory notes and recommendations2.1 Risk assessmentDoes your practice have a structured riskassessment of information security andidentified improvements as required?Your practice should have a policy detailingvulnerability management, risk assessment andsecurity breach reporting procedures. This willinclude recording assets in the practice, a threatanalysis and a reporting schedule.2.2 B usiness continuity andinformation recoveryDoes your practice have documentedand tested plans for business continuityand information recovery?Your practice should have a documented businesscontinuity plan to ensure the practice can continueto operate when a practice information systemsfailure occurs.This includes an information disaster recovery planto restore data so the practice information systemscan be brought back to working order as quickly aspossible.The practice team should be aware of their rolesin relation to business continuity and disasterrecovery and receive training as required.2.3 Information backupDoes your practice have a reliableinformation backup system to supporttimely access to business and clinicalinformation?Your practice should have documented proceduresfor the backup of your practice systems. Thisshould include: how often backups are run the type of backup, media type and rotation the use of encryption reliability testing and restoration checking where the backups are stored who has access to the backups access to data from previous practiceinformation systems.Information security in general practice8
3 Securing the network and your equipment3.1 Network perimetercontrolsSecurity considerationExplanatory notes and recommendationsDoes your practice have reliable networkperimeter controls?Your practice should have documented informationon the systems protecting your practice networkand any remote or WiFi networks.This should include firewall and intrusion detectionand prevention hardware and software, and contentfiltering software with configuration and settingsappropriate for your practice security needs.3.2 M aintenance of yourcomputer hardware,software and operatingsystemDoes your practice manage andmaintain the physical facilities andcomputer hardware, software andoperating system with a view toprotecting information security?Your practice should have documentedinformation on how team members can prevent theunauthorised viewing of confidential informationsuch as using lock screensavers.Your practice should document how access ismanaged to restricted areas such as server roomsand how equipment can be secured from theftor damage.Your practice needs to document how hardware isdisposed of safely and how software and hardwareis maintained.3.3 Mobile electronic devicesDoes your practice have processes inplace to ensure the safe and proper useof mobile electronic devices?Your practice should have a documented policyon the use of mobile devices, including usingwireless networks and remote access to yourpractice systems.The practice team should be made of aware ofwhat devices can be used in the practice and howto use their personal mobile devices in line withpractice policies.4 Online safetySecurity considerationExplanatory notes and recommendations4.1 Internet and email useDoes your practice have a process inplace to ensure the safe and proper useof internet and email?Your practice should have a policy clearly definingand describing how the practice team use emailand the internet for business purposes. Thismay include access to social media and what isconsidered acceptable personal use of email andthe internet by the practice team.4.2 Malicious softwareDoes your practice have reliableprotection against malicious software?Your practice should document the installationand monitoring of protection against malicioussoftware.4.3 Electronic sharing ofinformationDoes your practice have reliable systemsfor the secure electronic sharing ofconfidential information?Your practice should document how information issent outside of the practice using secure electroniccommunication. This will include the appropriateconfiguration of secure electronic messaging, digitalcertificate management and your practice website.4.4 Third party softwaresecurityDoes your practice know how thirdparty software is using your practicedata?Your practice should have a policy around theuse of any third-party software that is installed,and how it meets your security requirements.Third-party software regularly uses practice datato perform its function, but can also open up yourpractice to security threats. Ensure that you candemonstrate an understanding of how it is usingyour practice data and that consent has beenobtained for any secondary use of data.Information security in general practice9
Information security forcloud computingCloud computing involves storing and accessingdata and programs over the internet instead oflocally from a computer or server. Most generalpractices currently run their IT environmentfrom a physical server located at the practice.Cloud-based services in general practice aremore commonly used for data storage or forpublic services such as website hosting. Ascloud-based technology has advanced, anumber of clinical software vendors now offercloud alternatives for general practices and thereare new opportunities to move more businessfunctionality into a cloud environment. Cloudcomputing services can be an efficient wayfor your general practice to manage your IT,providing access to your practice informationsecurity systems from anywhere there is aninternet connection.Moving to cloud-based services can reduce thecost of managing and maintaining your localIT systems. Rather than purchasing expensivehardware for your business, you use the resourcesof your cloud service provider, reducing the costsassociated with:Cloud-based services can improve your practice’sability to communicate and may increaseefficiencies through: the easy sharing of records with third parties the ability to access patient records outsideof your practice during home visits or caseconferences more flexible work practices, through theability to quickly and easily access data regular and automated updates or upgradesincluded in your contract improved backups and restoration that can bemuch simpler and more timely.Information security in a cloud-basedenvironment requires additional considerations.When patient and practice data is surrenderedto a third-party cloud service provider, you mayneed to consider the increased potential fordata breaches, ownership rights to the data andongoing data access. system upgrades new hardware and software external IT staff energy consumption, because you no longerhave to provide specific environmentalconditions for servers and other hardware.Information security in general practice10
1Setting up yourinformation securitygovernance1.1 Roles and responsibilitiesof your practice teamIt is vital for practice team members to be awareof their roles in information security. All practiceteam members require a position descriptionclearly defining and documenting their rolesand responsibilities and access to clinical and/orbusiness information.It is recommended that your practice appointsan information security lead to champion andmanage information security. The informationsecurity lead does not need to have advancedtechnical knowledge but should be comfortablewith your practice’s computer operating systemsand other relevant software. The lead willneed to determine what aspects of informationsecurity in the practice are outsourced toexternal technical service providers. Theinformation security lead requires managementskills to develop information security policiesand to raise awareness of information securitygovernance, help foster a strong security cultureand ensure access to adequate and appropriatetraining for your practice team.Information security in general practiceRelevant indicatorC6.4 A Our practice has ateam member who has primaryresponsibility for the electronicsystems and computer security.You must have at least oneteam member who hasprimary responsibility forthe electronic systems andcomputer security.11
Create a policyYour practice policy should include the specificinformation security roles and responsibilitiesof practice team members.Your policy should cover: specific information on the roles andresponsibilities of each practice teammember in relation to information security,to determine the required levels of accessto information systems assignment of an information security leadwho has access to ongoing training asrequired who is responsible for specific informationsecurity tasks access to ongoing training for your practiceteam as required education for your practice team inidentifying errors or abnormal softwarebehaviour.The position description ofthe information security lead caninclude responsibilities such as: overseeing development of informationsecurity policies and procedures testing business continuity andinformation recovery plans reviewing and updating policies andprocedures as practice and legislativechanges occur regular monitoring to ensure practicesecurity policies are followed maintaining an up-to-date riskassessment ensuring technical advice is soughtwhere required ensuring secure transfer of electronicinformation arranging access to ongoing informationsecurity awareness training for thepractice team updating the practice management onoutstanding security issues regular reporting on information securityto the practice team regular monitoring of system logs andaudit reports.Information security in general practice12
Internal and external staff roles formanaging information securityPractice team agreementsYou should document all confidentiality and privacy agreements for practice team members, togetherwith an appropriate internet and email use agreement. Practice team members and relevant externalproviders should sign these agreements. These agreements act to protect practice owners in the eventof legal action should a security breach occur.External service provider agreementsYour practice has a responsibility to ensure anyone who has access to practice clinical and/or businessinformation is aware of their obligations to comply with your information security policies. Technicalservice providers are usually granted unrestricte
Introduce information security governance Addressing information security at a governance level is crucial. A security governance framework will define the acceptable use of information technology (IT) in your practice and outline responsibilities. Information security roles and responsibilities should be allocated to members of your practice team.
