Contents

IT Security

Policy

We keep our patients' electronic health information private and secure in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.

See also Safeguarding Patient Information and Disclosing Patient Information.

We have systems in place to protect the security of the information we hold:

• We use Indici to record, store, and retrieve patient health information.
• Practice systems are secure, backed up daily, and data can be restored if necessary.
• Practice computers are configured to reduce the risk of health information being accidentally seen.
• Access to systems, and any alterations, can be traced.
• We check our processes when sending information electronically.
  • When sending emails:
    • Double check new patient details before sending anything.
    • Check that the "To" field only contains the intended recipient.
    • Use "BCC" to email a group so that your list isn't visible to everyone.
    • Consider encrypting sensitive information – ask IT support for help if needed.

• External storage devices/USBs are stored safely and, where possible, encrypted.

Q62

The IT Lead is the IT coordinator and is responsible for all IT-related system security and maintenance. This includes services provided by external IT providers.

Our IT service provider is responsible for auditing our data systems and policies:

Q61

Cloudland Ltd Email: support@cloudland.co.nz Phone: 0800 123 25683

Use the RNZCGP IT Checklist to assess your practice's processes for using and securing health information.

Permissions and access

We allocate unique user IDs and passwords to staff during their practice induction, which they use to access electronic information, including patient health data.

Passwords are changed every three months, or when staff leave, or when there is a security breach. In addition to password security:

• permissions to use Indici are determined by the scope of staff roles.
  • Access is only granted to staff who require it for clinical and administrative purposes.
  • Administrative staff may be granted access to clinical information if they need it to fulfill their roles.
• permissions and group access are authorised and managed by the practice manager and the IT service provider
• all staff sign relevant confidentiality agreements.

We recommend that staff choose strong passwords. Use How Secure is my Password to check password strength.

Remote access

Remote access to practice systems must be authorised by the practice manager.

Staff who access practice systems from their home network are responsible for ensuring that their home IT security is robust, and that patient information cannot be seen or overheard.

When working remotely staff should be:

• able to back up systems regularly and ensure data can be restored if necessary
• mindful that their working environment should support patient privacy and confidentiality.

Own Your Online: Stay secure when working remotely has more guidance.

Cyber incidents

Page 9 of Health New Zealand | Te Whatu Ora: Strengthen Your Digital Response has a step-by-step guide for responding to a cyber incident.

Notify the Computer Emergency Response Team (CERT NZ) for help and support, and follow the process for managing a privacy breach.

All staff, whether working on site or remotely, should be alert for known or suspected:

• phishing emails

  Phishing emails are designed to trick the recipient into revealing sensitive information that can be used for illegal or malicious purposes. They are becoming more sophisticated and can look very realistic. There are some things that can help you identfy a phishing email:

  • The sender has addressed you in an unusual way.
  • The spelling and grammar are poor.
  • Your organisation's logo (position and general look) isn't right.
  • When you hover over a link in the email, the 'tip' that appears doesn't match the typed words.

• privacy breaches.

Any concerns should be reported to the IT coordinator as soon as possible.

See Health New Zealand | Te Whatu Ora: Cyber Hub for guidance on cyber security including how to safeguard against, respond to, and recover from a cyber security incident. Also, Own Your Online: Top online security tips for your business.

Data back-up and recovery

Q062

Patient data is backed up so that it can be recovered if systems are lost. Backups are stored securely:

Backups	The daily server back-up is done by our IT service provider, every 12 hours (minimum).
Disaster recovery	Our IT service provider is responsible for disaster recovery.

Platforms and tools

The platforms, software, and other tools we use ensure patient health information is kept secure:

Antivirus protection	Our IT service provides our antivirus and spyware protection (Crowdstrike).
Digital photos	We use a practice (not personal) camera/device, and delete photos from that camera/device, and any computer files, after saving them in the PMS.
Patient Portals	Provided by MyIndici. Staff receive training on security protocols and confidentiality.
PMS	The IT Lead controls and monitors access to Indici.
Referrals	Email, BPAC, SR Referrals, and ERMS (Electronic Request Management System)
Telehealth	Doxy.me and Webex (Outbound VoIP Platform)
Transferring records	GP2GP preferred, or via email with password protected OneDrive link, with a 30-day retention.

Resources

National Cyber Security Centre: Critical Controls

Health New Zealand | Te Whatu Ora: Strengthen Your Digital Defence

Health New Zealand | Te Whatu Ora: Health Information Security Framework