Opinion
Balancing technology’s convenience with digital safety
We must build a strong culture of information security within our profession and our practices, writes GP Dr Rob Hosking.
Almost half of Australians admit to having an easy-to-guess password.
Digital tools and the use of technology cannot be disentangled from healthcare in our modern world.
I’m the first to rave about their benefits and advocate for their use, but I am also well aware of the significant responsibility I have to my patients and my practice to balance their convenience with digital safety and strong governance.
As GPs, we hold more patient data than ever before – often extracted from, or stored in, digital platforms – from electronic medical records to electronic prescriptions, online booking systems and telehealth.
Notifiable data breach reports by the Office of the Australian Information Commissioner (OAIC) consistently show that healthcare is the sector reporting the most data breaches, with around two thirds of notifiable data breaches being the result of a malicious or criminal attack.
The sensitive nature of the data we retain is of significant commercial value to cyber criminals.
Cybercrime has a very personal impact on its victims and can destroy businesses.
It is therefore imperative that we build a strong culture of information security within our profession and our practices.
Once thought to be the realm of IT professionals, it is now the responsibility of every individual interacting with patient data to understand the risks and embed practices to secure and appropriately manage it.
Where to start? As the quote goes ‘the advanced level is mastery of the basics’.
I would recommend everyone start by reviewing the RACGP’s Information security in general practice and Privacy and managing health information in general practice resources, which provide practical advice designed to support you in meeting your legal obligations for information security.
These obligations don’t just sit with the practice owner or manager – all GPs and practice team members must be aware of their individual responsibilities.
Build a strong information security culture
Each person in the practice needs to actively contribute to protecting the practice’s information systems. But to do so they need to be educated on the why and the how.
Practice owners need to invest in educating their practice team – initially and on an ongoing basis – on the risks to practice information systems and how to address them. Ensure practice policies outlining responsibilities for managing security risks are up to date, communicated and enforced.
Empower everyone to identify and report when systems are not working as expected, or when they suspect an attempted cyber-attack on the systems they use – even a suspicious email.
Understand your obligations
General practice is subject to stringent privacy obligations by virtue of handling health information.
As health practitioners we are legally obliged, under the Privacy Act 1988, the Australian Privacy Principles and various health records legislation, to take reasonable steps to protect personal information from misuse, loss and unauthorised access.
We are also subject to the requirements of the Notifiable Data Breaches scheme, if an eligible data breach does occur.
These obligations are outlined in resources by both the RACGP and the OAIC.
Keep software up-to-date
One of the simplest, most effective ways to protect data is to ensure software, operating systems, clinical information systems, antivirus tools, and firmware are regularly updated.
Software updates are released not simply to add functionality, but to fix newly discovered security vulnerabilities; an unpatched system remains exposed to flaws that are already publicly known.
Speak to your software providers or IT specialist to ensure routine updates or upgrades are scheduled.
Regularly back up data
Practice data should be backed up routinely and regularly.
Keep separate copies in multiple places in case data loss occurs. This data needs to be kept safe, offsite and, if possible, encrypted. The more secure copies of data you have, the safer it will be. For practices using cloud-based systems, consider cloud-to-cloud backup solutions.
Data backups are your safety net and should be a key feature of any business continuity and emergency response plan.
Any plan needs to be rehearsed and tested. This could be as simple as running a desktop drill that walks the team through restoring from backup.
Ensure strong password management
It’s believed the average Australian has over 250 individual passwords, with a survey finding 46% of people admit to having easy-to-guess passwords.
Weak passwords provide an open door to your practice data.
To ensure access to systems is controlled and secure, implement a strong password policy across your practice, and where possible, enable multifactor authentication. Consider using a password manager.
Avoid using simple, guessable passwords or reusing them across multiple platforms.
Along with the above, at my practice, the practice principals meet with our IT support team regularly to discuss developments that they may be aware of that may improve our security, as well as efficiency.
Dr Rob Hosking is a GP, practice owner, and Chair of the RACGP Expert Committee – Practice Technology and Management.