ADA News Bulletin, April 2015, page 18
REASONABLE STEP EXAMPLES: SMALL DENTAL PRACTICE AND LARGE DENTAL PRACTICE

Small dental practice:
- Training for all staff on security awareness.
- One contact person responsible for oversight.
Large dental practice:
- Train senior management in advanced privacy and security.
- Create governance arrangements to promote compliance with
- Establish clear lines of authority for oversight of, and responsibility for, privacy practices.

Small dental practice:
- Establish and document procedures ensuring compliance with privacy requirements.
- Establish mechanisms to ensure staff can
Large dental practice:
- Create and maintain an updated personal information security policy or policies, and ensure staff are aware of and implement the policies. Policies should use language and concepts consistent with the Privacy Act.
- Have an information security risk assessment undertaken to help inform the development of these policies.

Small dental practice:
- Consider ICT security measures when deciding to purchase, build or upgrade ICT.
- Workstation-level security software.
- All incoming data is scanned before opening to avoid malicious content.
- Backups run frequently.
- Educate staff on ICT communications security, i.e., personal information is vulnerable if sent by fax or discussed over the phone.
Large dental practice:
- When sending an email with health information in an attachment, the email should be encrypted as a matter of compliance and best practice.
- Encryption and decryption should also be used on portable devices, databases and hard drives.
- Whitelisting (only allows certain content or applications to run).
- Blacklisting (blocks material known to be harmful).
- Security software deployed across all network components.
- Downloaded files quarantined from the network until it is ascertained they are safe.

Small dental practice:
- Number of users with administrative
- Access promptly revoked when no longer
- Use of strong passwords.
- Computers automatically lock when left
Large dental practice:
- Consider physically disabling USB or other external port access to devices and/or disabling internal CD/DVD writers in devices.
- Individuals accessing the system should be identifiable.
- Ensure there are access controls on any non-public content held on your web servers.

Third party providers

Small dental practice:
- Generally, do not outsource data handling; if a small practice does use outsourcing, considerations apply to the nature and security levels of the systems used.
Large dental practice:
- Conduct appropriate due diligence on the services to be provided by the third party, such as data storage services.
- Consider which security controls and personal information handling measures you expect the third party to use.
- Include contractual terms ensuring security controls are protected.
- If a cloud service provider is used, do they enable secure transactions and encrypted storage?

Small dental practice:
- Develop a data breach response plan, including procedures to contain the breach and manage your response.
- Educate staff about the plan and its
Large dental practice:
- Data breach response plan clearly indicates responsible officers and lines of command.
- Plan clearly identifies which actions are legislative or contractual

Small dental practice:
- Record management system which identifies files that contain personal information and the location of the responsible staff.
- Employees have access to secure storage spaces near their workstations to secure
Large dental practice:
- Security and alarm systems used to control entry into the
- Able to identify staff movement from access logs.
- Work areas with particular access to personal information (i.e., complaints handling) physically segregated from other areas of
- Procedures governing the transmission or transport of personal information to offsite work locations.

Small dental practice:
- Procedures in place to determine whether personal information held needs to be retained under law, destroyed or de-identified.
- Staff educated on document destruction
Large dental practice:
- If document destruction is outsourced, ensure steps are taken to ensure appropriate handling of personal information.

Small dental practice:
- Consider adopting a standard to assist with compliance with the regime. Dentists may wish to look at the National eHealth Safety, Security and Access Framework standards.
Large dental practice:
- Adopt industry standards and conduct internal or external auditing to ensure compliance with the relevant standards.
- Seek certification of compliance with relevant standards.