Protect Your Practice

Practice managers know that the data held in practice systems such as clinical and financial data, practice information and documents, is the most valuable asset of the practice. Computer and data security is a critical professional and legal requirement for using computer systems in healthcare practices. For a practice manager, it is a non-negotiable aspect of managing a practice. Remember, you can replace computer programs but it is difficult, if not impossible, to replace the actual data contained in the programs.

Systems and data

With our increased reliance on clinical and practice management desktop systems, the electronic management of information, the government’s push for eHealth and a Personally Controlled Electronic Health Record (PCEHR), the adoption and implementation of appropriate security management systems has become absolutely essential.

Procedures and policies

Developing the appropriate procedures and policies can be a challenge, especially with the rapid changes and advances associated with technology. In your role as a practice manager, you also need to be familiar with your responsibilities around privacy and protection of data as required under the Privacy Act and the Australian Privacy Principles (March 2014).

It is important that you understand the security risks and threats that are applicable to your:

  • Individual practice (internal environment).
  • The wider health sector (external environment).

You can control your internal system by having staff comply with your established procedures and policies. You cannot control how external users create or transfer data, but you can ensure that your practice has systems in place to protect your environment from being damaged or infected by external data.

An extremely useful resource for practices is the RACGP Computer and information security standards; this is applicable to all health practices and can be easily adapted to suit your individual practice.

Improve your practice

Each practice will have different procedures around particular issues but all will have similar areas that need to be addressed. It is important to understand your own practice and the risks that may apply to your practice.

Adopting comprehensive data security and management policies will:

  • minimise the likelihood of failure.
  • decrease system and operational downtime.
  • provide network reliability.
  • provide increased profitability, usability and productivity.
  • provide a secure, reliable network.

Practice computer and information security manual

To assist practice staff, you should develop a practice computer and information security manual. Such a manual would provide information for staff around key areas in data management and security. (General practices are required to have a manual as part of the accreditation guidelines.)

The areas to include in your manual are:

Staff roles and privacy
Define IT contact/s and the role of staff.

Basic security

  • passwords: the need for confidentiality, complexity and frequency of change, especially when there is a change in staff.
  • when a practitioner or staff member ceases working at the practice, ensure their password is deleted/deactivated.
  • screen confidentiality: screen savers and positioning screens away from the view of patients.
  • system protection, including firewalls.
  • only the practice manager or IT support personnel to install/upgrade programs.
  • control or limit staff access to areas of practice software, e.g. financials and banking; practice reporting; clinical records.
  • remote access and Virtual Private Network (VPN) login.

Anti-virus management
Ensure that the program is running on all PCs and that it is automatically updated.

Accessing internet
Consider the level of access and if there will be “blocked” sites. You should liaise with your IT support personnel to establish a policy. Some practices may block Facebook or sites that pose a high threat to security.

Secure electronic communication

  • email
  • website
  • online systems: appointments, reminders, forms

Social media
It is imperative that you have a social media policy as part of your practice IT policies and procedures, and that you include it in the induction program.
There are many websites that can help you develop a social media policy.
The Mayo Clinic has a 12-word Social Media Policy:

  • Don’t lie.
  • Don’t Pry.
  • Don’t Cheat.
  • Can’t Delete.
  • Don’t Steal.
  • Don’t Reveal!

Disaster management, disaster recovery and contingency plan

Disaster recovery is also known as business continuity. A well organised practice will have a plan in place to manage the situation. You can find many free plans online.

  • server/hardware, including power (UPS: uninterruptible power supply)
  • network
  • software
  • virus

Sample business continuity plan template for SMBs: Free download and guide

Data back-up

  • local system and rotating external hard drives.
  • off-site scheduled back-up. If you use such a service, you need to ensure that your data is stored on a server within Australia.
  • frequency: hourly, twice per day, daily.
  • run a restore of your data on a regular basis (every 3-6 months).
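A regular test restore is only useful if you can tell whether what came back matches what was backed up. The script below is an added example, not part of the Avant publication or any practice software: it records a SHA-256 manifest of a data set at back-up time, checks a restored copy against that manifest (reporting missing, corrupted and unexpected files), and flags a back-up that is older than the chosen frequency. The file tree, file contents and 24-hour policy value are constructed for the demonstration; the function names are hypothetical.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large clinical databases do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest.

    Run this against the live data set at back-up time and keep the result with the back-up.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken when the back-up was made."""
    restored = build_manifest(restored_root)
    problems = {"missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            problems["missing"].append(rel)
        elif restored[rel] != digest:
            problems["corrupt"].append(rel)
    problems["unexpected"] = [rel for rel in restored if rel not in manifest]
    return problems


def backup_is_stale(last_backup_iso: str, now_iso: str, max_age_hours: float = 24) -> bool:
    """True when the most recent back-up is older than the practice's chosen frequency.

    The 24-hour default is an assumed policy value matching the 'daily' option in the text.
    """
    last_backup = datetime.fromisoformat(last_backup_iso)
    now = datetime.fromisoformat(now_iso)
    return (now - last_backup).total_seconds() > max_age_hours * 3600


def demo() -> dict:
    """Constructed sample: a tiny 'practice data' tree, a clean restore and a damaged restore."""
    work = Path(tempfile.mkdtemp())
    try:
        live = work / "live"
        (live / "clinical").mkdir(parents=True)
        # Constructed placeholder content, not real patient or financial data.
        (live / "clinical" / "notes.db").write_bytes(b"constructed clinical records\n" * 100)
        (live / "accounts.csv").write_text("constructed financial data\n")
        manifest = build_manifest(live)

        good = work / "restore_good"
        shutil.copytree(live, good)

        # A restore that silently lost one file and truncated another.
        bad = work / "restore_bad"
        shutil.copytree(live, bad)
        (bad / "accounts.csv").write_text("silently truncated\n")
        (bad / "clinical" / "notes.db").unlink()

        return {
            "good": verify_restore(manifest, good),
            "bad": verify_restore(manifest, bad),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    print("stale:", backup_is_stale("2014-03-01T08:00:00", "2014-03-02T09:00:00"))
```

Keep the manifest with the back-up media (or with the off-site service's records) so the check can be run even if the live server is gone; a restore test that passes this comparison is evidence the back-up is usable, which is what the 3-6 monthly restore is meant to establish.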

IT support – Service level agreement (SLA)

  • Review your IT support on a regular basis (every 2 years).
  • Ensure that you have an agreement in place and that it includes confidentiality.
  • Monthly and regular updates of programs should be a part of your SLA.

Other practice-specific items
Depending on your practice, there may be particular items that need to be included: shared rooms, iPad/notebook access, wi-fi network/access/protection.

Ensuring that you have appropriate data security systems in your practice is essential to managing a modern medical practice, to meeting your professional responsibilities to your patients and to ensuring that information is accurate and available when users require it.


This publication is proudly brought to you by Avant Mutual Group. The content was authored by Brett McPherson, reviewed by Colleen Sullivan and Avant Mutual Group.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practice proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2014.

IMPORTANT: Professional indemnity insurance products and Avant’s Practice Medical Indemnity Policy are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. The information provided here is general advice only. You should consider the appropriateness of the advice having regard to your own objectives, financial situation and needs before deciding to purchase or continuing to hold a policy with us. For full details including the terms, conditions, and exclusions that apply, please read and consider the policy wording and PDS, which is available at or by contacting us on 1800 128 268. Practices need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation and you should contact your insurance broker for more information. Cover is subject to the terms, conditions and exclusions of the policy. Any advice here does not take into account your objectives, financial situation or needs. You should consider whether the product is appropriate for you before deciding to purchase or continuing to hold a policy with us.