Establish a security culture

• Designated team members are responsible for championing and managing computer information security
• Checklists and policies for managing computer and information security are in place
• Checklists and policies for information transfer, storage and destruction are in place
• Education is kept up-to-date through regular training
• The practice has up-to-date security against threats

Maintain good computer habits

• Policies are in place specifying system maintenance procedures
• Computers are free of unnecessary software and data files
• Remote sharing and printing are disabled, unless security measures are in place
• Systems and applications are updated or patched regularly (automatically where possible), as recommended by the manufacturer
• Processes are in place to ensure safe and proper use of internet and email
• Consider advanced threat protection security services for email and internet (e.g. web proxies) to restrict access to known malicious internet sites and email hygiene – review email for cyber threats
• All staff log off the system(s) at the end of each day

Control physical access

• Policies are in place prescribing the physical safety and security of devices
• Computers are protected from environmental hazards, such as extreme temperatures
• Physical access to secure areas is limited to authorised individuals
• Equipment located in high traffic or less secure areas is physically secured
• Physical storage devices, including hard disks and documents containing patient information, are securely stored and accounted for

Protect mobile devices

• Policies are in place about the use of mobile devices
• Mobile devices are configured and password protected to prevent unauthorised access
• Patient health information on mobile devices is encrypted

Control access to health information

• All staff understand and agree to abide by the practice’s access control policies
• Each user has an individual account and their activity can be monitored
• Users are only authorised to access information they need to know to perform their duties
• There are reliable and secure systems in place for electronic sharing of patient health information with other specialists, patients and, when authorised, third parties

Limit network access

• Access to the network is restricted to authorised users and devices
• Staff are prevented from installing software without prior approval
• Wireless networks use appropriate encryption
• Separate and isolate internal wi-fi from public wi-fi that is accessible for patients. Protect wi-fi hotspots by changing the pre-installed password
• Public instant messaging services that are not password protected are not used

Passwords and passphrases

• Policies are in place that specify password obligations for your practice
• Passwords/passphrases are at least eight characters in length, with a combination of upper and lower case, numbers and symbols
• Each staff member has their own username and password
• Login information is not shared between staff or with anyone outside the organisation
• Computers are set to automatically lock after a period of inactivity
• Where possible use two factor authentications

Antivirus software

• Policies are in place requiring antivirus software
• All staff know how to recognise symptoms of viruses or malware on their computer and what to do
• Antivirus software is set to allow automatic updates from the manufacturer

Firewalls

• All computers are protected by a properly configured firewall

Plan for the unexpected

• A data breach response plan is in place
• Policies are in place specifying back-up and recovery procedures
• Staff understand the recovery plan and their duties during recovery
• System restore procedures are known by more than one person within the practice and at least one trusted party outside the practice, such as your IT provider
• A copy of the recovery plan is stored safely off site