Cyber security checklist

Cyber security checklist

This cyber security checklist can assist you in reviewing security measures in your practice. If the check reveals your security measures are not adequate, update them.

PracticesGPsSpecialistChecklistsDigital healthFactsheets
29 / 07 / 2019

Establish a security culture

  • Designated team members are responsible for championing and managing computer information security
  • Checklists and policies for managing computer and information security are in place
  • Checklists and policies for information transfer, storage and destruction are in place
  • Education is kept up-to-date through regular training
  • The practice has up-to-date security against threats

Maintain good computer habits

  • Policies are in place specifying system maintenance procedures
  • Computers are free of unnecessary software and data files
  • Remote sharing and printing are disabled, unless security measures are in place
  • Systems and applications are updated or patched regularly (automatically where possible), as recommended by the manufacturer
  • Processes are in place to ensure safe and proper use of internet and email
  • Consider advanced threat protection security services for email and internet (e.g. web proxies) to restrict access to known malicious internet sites and email hygiene – review email for cyber threats
  • All staff log off the system(s) at the end of each day

Control physical access

  • Policies are in place prescribing the physical safety and security of devices
  • Computers are protected from environmental hazards, such as extreme temperatures
  • Physical access to secure areas is limited to authorised individuals
  • Equipment located in high traffic or less secure areas is physically secured
  • Physical storage devices, including hard disks and documents containing patient information, are securely stored and accounted for

Protect mobile devices

  • Policies are in place about the use of mobile devices
  • Mobile devices are configured and password protected to prevent unauthorised access
  • Patient health information on mobile devices is encrypted

Control access to health information

  • All staff understand and agree to abide by the practice’s access control policies
  • Each user has an individual account and their activity can be monitored
  • Users are only authorised to access information they need to know to perform their duties
  • There are reliable and secure systems in place for electronic sharing of patient health information with other specialists, patients and, when authorised, third parties

Limit network access

  • Access to the network is restricted to authorised users and devices
  • Staff are prevented from installing software without prior approval
  • Wireless networks use appropriate encryption
  • Separate and isolate internal wi-fi from public wi-fi that is accessible for patients. Protect wi-fi hotspots by changing the pre-installed password
  • Public instant messaging services that are not password protected are not used

Passwords and passphrases

  • Policies are in place that specify password obligations for your practice
  • Passwords/passphrases are at least eight characters in length, with a combination of upper and lower case, numbers and symbols
  • Each staff member has their own username and password
  • Login information is not shared between staff or with anyone outside the organisation
  • Computers are set to automatically lock after a period of inactivity
  • Where possible use two factor authentications

Antivirus software

  • Policies are in place requiring antivirus software
  • All staff know how to recognise symptoms of viruses or malware on their computer and what to do
  • Antivirus software is set to allow automatic updates from the manufacturer


  • All computers are protected by a properly configured firewall

Plan for the unexpected

  • A data breach response plan is in place
  • Policies are in place specifying back-up and recovery procedures
  • Staff understand the recovery plan and their duties during recovery
  • System restore procedures are known by more than one person within the practice and at least one trusted party outside the practice, such as your IT provider
  • A copy of the recovery plan is stored safely off site

Download factsheet


Download PDF