Conduct an assessment of Cyber Security and IT controls

Increase team capability and awareness of good cybersecurity practices and help develop robust systems and processes to better safeguard patient data. 

• Completed either self-assessment or optional third-party assessment
• Plan developed to meet recommendations post-assessment
• (Optional) Essential Eights Level 1 maturity
• Re-assess annually to review what’s been completed and update plan for continuous improvement
• All staff undergone Cyber Awareness Training
• Conducted a non-physical simulation for staff

PREPARE:

• Review the Small Business Cyber Security Guide and Learn the basics  from the Australian Cyber Security Centre (ACSC)

• Discuss with your principal or owner. Leadership is critical to success.

• Decide if you wish to complete an optional third-party assessment (may be cost to practice) OR conduct yearly self-assessment to ensure continuous improvement.

• Speak with your IT about your decision and the intention for this to support quality improvement

• Once decided, inform your staff so they are aware and understand the process and their role.

YEARLY SELF-ASSESSMENT:

• Complete cyber security self-assessment available through the Australian Government, Australian Signals Directorate

• Conduct a controlled, simulated, non-physical activity to further assess your organisations response to cyber security threats – Pick one of two Exercise in a Box

• Bring the ‘team’ together, including staff, principle/owner and IT to discuss how to address each ‘immediate action’ area identified on report and observations from the activity conducted.

• Develop PDSA based off feedback and agreed actions and priorities of the team.

• Ensure you include cyber awareness training for all staff

OPTIONAL THIRD-PARTY ASSESSMENT (associated costs):

It is recommended that an assessment is conducted by a provider other than your current IT provider. 

• Research & decide on third-party provider, you may wish to compare multiple quotes

• Provider will conduct a semi-informal interview & conversation about the Practice IT systems, practices and processes

• Practice will receive assessment report with recommended improvements (an example of the type of report is available here)

• Bring the team together to review recommendations and brainstorm how to get it done. Listen. The more you involve staff and hear their thoughts, the more invested they will be in the outcome.

• Develop PDSA based off feedback and agreed actions and priorities of the team.

• Ensure you include cyber awareness training for all staff

Healthy North Coast held an expression of interest to identify providers who will work with general practice to conduct cyber security assessments. Below is the list of these providers that responded, however this list is not exclusive and there may be other providers in your region.

• NoDa IT (Northern Rivers)
• ClubIT (Tweed Heads to Port Macquarie)
• Cloud Voice and Data (Ballina)
• TCA (Tweed Heads to Port Macquarie)
• C3 Group (Coffs Harbour and Port Macquarie)

It is recommended that an assessment is conducted by a provider other than your current IT provider.

STAFF TRAINING RESOURCES:

• Listen to “Cybersecurity essentials for primary care with Prof. Neil Curtis” episode on Western NSW PHN digital health podcast.

• Australia Digital Health Agency eLearning module: Cyber security training for healthcare providers

• Australian Digital Health offers tailored group learning and webinars

• Cyber Wardens FREE On-demand webinar

• Healthy North Coast FREE On-demand Cyber Security in Aged Care webinar

• RACGP Cyber security in your Practice resource list

• Provide the results from the third party assessment to your IT Provider to plan implementing improvements 
• Normalise calling out poor practices so users feel safe in trying to improve. (no sticky note passwords, no sharing login details, lock the safe, set the alarm etc)
• Ask the team for input. Are there any areas of improvement or suggestions for your quality improvement topic(s). You can even make it anonymous.
• Add cybersecurity as a standing item on team meetings, including any staff awareness of security risks
• Assign a quality improvement lead and have staff take turns in analysing processes and looking for improvement opportunities
• Conduct a regular audit, making note of how you went last time so you can measure your improvements
• Talk with peers and colleagues in neighbouring practices about their quality improvement activities and the impact it’s had on their practice and patients
• Display flyers or updates around your practice, your patients will appreciate knowing their data is safe
• Aim to meet Essential Eight Level 1 maturity or higher

Share your experience so others can learn from you 

• Let us know what you are working on. Many topics in our library came from the work of practices in our region. These topics have had a great impact and go on to be picked up by other practices. 

• Share your PDSA, no matter how detailed or simple. Every QI activity is an achievement to be celebrated in our region. We share them on our website and in our newsletter and are a great source of learning and inspiration to other general practices in our region.