IT Security

Each practice supplies their own information for this topic via the tailoring questionnaire.

Policy

We keep our patients' electronic health information private and secure in accordance with the Privacy Act 2020 and the Health Information Privacy Code 2020.

We have systems in place to protect the security of the information we hold:

We use Medtech to record, store, and retrieve patient health information.
Practice systems are secure, backed up daily, and data can be restored if necessary.
Practice computers are configured to reduce the risk of health information being accidentally seen.
Access to systems, and any alterations, can be traced.
We check our processes when sending information electronically.
- When sending emails:
  - Double check new patient details before sending anything.
  - Check that the "To" field only contains the intended recipient.
  - Use "BCC" to email a group so that your list isn't visible to everyone.
  - Consider encrypting sensitive information – ask IT support for help if needed.
External storage devices/USBs are stored safely and, where possible, encrypted.

Q62

The practice manager is the IT coordinator and is responsible for all IT-related system security and maintenance. This includes services provided by external IT providers.

Our IT service provider is responsible for auditing our data systems and policies:

Q61

[name]
[contact info]

Use the RNZCGP IT Checklist to assess your practice's processes for using and securing health information.

Permissions and access

We allocate unique user IDs and passwords to staff during their practice induction, which they use to access electronic information, including patient health data.

Passwords are changed every three months, or when staff leave, or when there is a security breach. In addition to password security:

permissions to use Medtech are determined by the scope of staff roles.
- Access is only granted to staff who require it for clinical and administrative purposes.
- Administrative staff may be granted access to clinical information if they need it to fulfill their roles.
permissions and group access are authorised and managed by the practice manager and the IT service provider
all staff sign relevant confidentiality agreements.

We recommend that staff choose strong passwords. Use How Secure is my Password to check password strength.

Remote access

Remote access to practice systems must be authorised by the practice manager.

Staff who access practice systems from their home network are responsible for ensuring that their home IT security is robust, and that patient information cannot be seen or overheard.

When working remotely staff should be:

able to back up systems regularly and ensure data can be restored if necessary
mindful that their working environment should support patient privacy and confidentiality.

Own Your Online: Stay secure when working remotely has more guidance.

Cyber incidents

To report a cyber incident or get help, contact the Computer Emergency Response Team (CERT NZ) and follow the process for managing a privacy breach.

Staff working on site or remotely should be alert for known or suspected:

phishing emails
Phishing emails are designed to trick the recipient into revealing sensitive information that can be used for illegal or malicious purposes. They are becoming more sophisticated and can look very realistic. There are some things that can help you identfy a phishing email:
- The sender has addressed you in an unusual way.
- The spelling and grammar are poor.
- Your organisation's logo (position and general look) isn't right.
- When you hover over a link in the email, the 'tip' that appears doesn't match the typed words.
privacy breaches.

Any concerns should be reported to the IT coordinator as soon as possible.

See Health New Zealand | Te Whatu Ora: Cyber Hub for guidance on cyber security including how to safeguard against, respond to, and recover from a cyber security incident. Also, Own Your Online: Top online security tips for your business.

Data back-up and recovery

Patient data is backed up so that it can be recovered if systems are lost. Backups are stored securely:

Backups	The daily server back-up is done by our IT service provider.
Disaster recovery	Our IT person is responsible for disaster recovery.

Platforms and tools

The platforms, software, and other tools we use ensure patient health information is kept secure:

Antivirus protection	Our IT service provides our antivirus and spyware protection.
Digital photos	We use a practice (not personal) camera/device, and delete photos from that camera/device, and any computer files, after saving them in the PMS.
Patient Portals	Provided by ManageMyHealth. Staff receive training on security protocols and confidentiality.
PMS	The practice manager controls and monitors access to Medtech.
Referrals	ERMS (Electronic Request Management System)
Telehealth	Telephone consultation
Transferring records	GP2GP or EDI connection

Resources

Cert NZ: Critical Controls

Health New Zealand | Te Whatu Ora: Strengthen Your Digital Defence

Health New Zealand | Te Whatu Ora: Health Information Security Framework

Page Information

Last reviewed Last review: The date this page last had a comprehensive review by the GPDocs team. See the review schedule.	June 2024
Next review Next review: The date this page will next be reviewed by all GPDocs practices. See the review schedule.	March 2027
Topic type Topic Types There are two topic types: Core content Text outside the yellow highlighting (as shown on the model site) is there for compliance, legislation, or best practice. The text is not normally changed. Core content is continually reviewed and kept up to date. Customised Core content on this page has been changed on request by the practice. Customised topics must be reviewed and updated by the practice because they are not automatically updated by GPDocs.	Core content
Approved By:	Key Contact
Topic ID:	9638

Site Links

About us

Logout

Contact

Phone: 0800 473 627
Email: support@gpdocs.co.nz

IT Security

Page Information

Last review:

Next review:

Topic Types

Site Links

About us

Contact