Computer security and your practice: brushing up on the requirements
Did you know that cyber security threats on Australian healthcare businesses increased by more than 50% in 2020?
While this rise is attributed largely to the pandemic and the shift to online work, it remains relevant even as we transition back to in-person activities. As November 30 is World Computer Security Day, it’s an excellent time to revise your practice’s security needs and how to implement them.
As an Australian medical practice, exactly what are my computer security requirements?
The answer, unfortunately, is not the same across the whole country.
Australia’s Privacy Act (1988) requires that health service providers take “reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure” (APP 11.1).
The exact definition of this can vary by state. Most Australian states and territories have similar privacy laws, but some diverge in minor places.
For example, the definition of ‘personal information’ under New South Wales’ Health Records and Information Privacy Act (2002) is “information or an opinion […] about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”. Queensland’s Information Privacy Act (2009) specifies that this information is considered personal “whether true or not.” While the two definitions are quite similar in practice, the variation highlights the importance of checking your local computer and data security recommendations to keep your practice information secure.
As a general rule, caution is best. Ensuring your data is as secure as possible, within reason, is the best way to prevent security breaches and protect yourself from digital disasters.
What steps are usually considered ‘reasonable’?
The Office of the Australian Information Commissioner (OAIC) clarifies this further on their website. Once again, the expectations can vary depending on the circumstances of your practice. These include:
- The size, resources, and complexity of business operations
- The sensitivity of the information held
- The possible consequences of a data breach
- The practicality of implementing security measures, and
- Whether the security measures would invade a user’s privacy in themselves.
You may wish to learn more about these on the OAIC’s website.
What should I do to brush up my security?
A general security audit is always in order for every practice, at least annually.
Some simple actions you can take to improve your practice’s computer security include:
- Change your passwords – and avoid writing them down in easy-to-find places. There’s an old joke that the easiest way to break into a high-security hospital computer is to turn the monitor around and look at the password taped to the back: avoid fulfilling this stereotype where possible.
- Back up your files – regular backups can reduce the impact of ransomware attacks or software incidents.
- Check your firewall – your practice network is only as strong as your least-secured device. Ensure all firewalls and devices are up-to-date, and consult your IT provider to find and implement the ideal type for your practice.
- Research your practice management software – have there been any reported security breaches recently, and have they been repaired? Is everything up-to-date? If not, talk to your IT provider about a solution.
- Implement or re-examine your destruction and de-identification policies – ensure that they are as thorough as possible and appropriate to the communication medium. Shredding a sheet of paper may be sufficient destruction of information, but dragging a computer file to your device’s recycling bin may not be.
More resources for your practice
You may learn more about computer security or access further resources for use in your practice via the links below.
- Australian Digital Health Agency – government resources specifically for improving computer and data security in healthcare.
- RACGP’s information security module – this read can educate you on implementing the right security governances for your practice (and you may claim CPD points for reading it).
- Office of the Australian Information Commissioner – learn which privacy laws are applicable in your state.
- Information security guide for small healthcare businesses – the Australian Government’s Stay Smart Online advice for practices.
- RACGP’s security in general practice guide – a downloadable PDF resource on setting up and maintaining strong practice information security.
- OAIC’s privacy action plan for your healthcare practice – a simple checklist for implementing the correct structures.