Cyber security checklist

This cyber security checklist can assist you in reviewing security measures in your practice. If the check reveals your security measures are not adequate, update them.

Sunday, 7 January 2024

Cyber security checklist

Establish a security culture

  • Designated team members are responsible for championing and managing computer information security
  • Checklists and policies for managing computer and information security are in place
  • Checklists and policies for information transfer, storage and destruction are in place
  • Education is kept up-to-date through regular training 
  • Orientation/induction for new team members includes education on cyber security
  • The practice has up-to-date security against threats

Maintain good computer habits

  • Policies are in place specifying system maintenance procedures
  • Computers are free of unnecessary software and data files. Software is uninstalled when it is no longer used
  • Remote sharing and printing are disabled, unless security measures are in place
  • Systems and applications are updated or patched regularly (automatically where possible), as recommended by the manufacturer
  • Processes are in place to ensure safe and proper use of internet and email
  • Consider advanced threat protection security services for email and internet (e.g. web proxies) to restrict access to known malicious internet sites and thoroughly examine emails to identify and mitigate potential cyber threats (email hygiene)
  • Implement policies and procedures requiring all staff to log off the system(s) at the end of each day

Control physical access

  • Policies are in place prescribing the physical safety and security of devices
  • Computers are protected from environmental hazards such as extreme temperatures 
  • Physical access to secure areas is limited to authorised individuals
  • Equipment located in high traffic or less secure areas is physically secured
  • Physical storage devices including hard disks and documents containing patient information are securely stored and accounted for
  • Mobile devices are configured and password protected to prevent unauthorised use
  • Log off/lock computers when not attended

Protect mobile devices

  • Policies are in place about the use of mobile devices
  • Mobile devices are configured and password protected to prevent unauthorised access
  • Patient health information on mobile devices is encrypted

Control access to health information

  • All staff understand and agree to abide by access control policies
  • Each user has an individual account and their activity can be monitored
  • Users are only authorised to access information they need to know to perform their duties
  • There are reliable and secure systems in place for electronic sharing of patient health information with other specialists, patients and, when authorised, third parties

Limit network access

  • Access to the network is restricted to authorised users and devices
  • Staff are prevented from installing software without prior approval
  • Wireless networks use appropriate encryption
  • Separate and isolate internal Wi-Fi from public Wi-Fi that is accessible for patients. Protect Wi-Fi hotspots by changing the pre-installed password
  • Public instant messaging services that are not password protected are not used

Passwords and passphrases

  • Policies are in place that specify password obligations for all users in your practice
  • Passwords should not be displayed in clear text when entered
  • Password length must be at least fourteen alphanumeric characters and include at least one special character (such as !, @, #, $, &, *, ?). Passphrases are encouraged as length and memorability are important security considerations
  • Each staff member has their own username and password
  • Passwords are never shared or written in an accessible place
  • Login information is not shared between staff or with anyone outside the organisation
  • Computers are set to automatically lock after a period of inactivity
  • Temporary passwords are changed on a successful login
  • Where possible use two factor authentications

Antivirus software

  • Policies are in place requiring antivirus software
  • All staff know how to recognise symptoms of viruses or malware on their computer and what to do
  • Antivirus software is set to allow automatic updates from the manufacturer

Firewalls

  • All computers are protected by a properly configured firewall

Plan for the unexpected

  • A data breach response plan is in place
  • Policies are in place specifying back-up and recovery procedures
  • Staff understand the recovery plan and their duties during recovery
  • Staff can access recovery plans and contact numbers without using the computer system
  • System restore procedures are known by more than one person within the practice and at least one trusted party outside the practice, such as your IT provider
  • Test recoveries from backup drives are performed reasonably regularly
  • A copy of the recovery plan is stored safely off site

Download factsheet

Cyber security checklist (PDF)

Download
Topic
Career stage

Disclaimers


IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation Avant acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Financial Services is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.


The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.