Cyber Smart Week 

14 October 2019

It’s Cyber Smart Week, a timely reminder to think, ‘is our practice prepared against cyber-attacks?’

Cyber-attacks are becoming more frequent and can affect anyone. Many attacks aren’t targeting anyone specifically but are looking for easy ways to get money or information.

In August 2019, the Tū Ora Compass Health website was targeted by a widespread global cyber incident. As a precaution, the PHO shut down one of servers which hosted a third of its practice websites. 

You may have seen in the media coverage over the last couple of weeks that Compass had found evidence of earlier attacks dating back to 2016. While they cannot be certain that patient data has been accessed, they have assumed the worst and have laid a compliant with the Police and have been supporting practices and patients. 

The best thing you can do is prepare, because unexpected things can, and do, happen. 

To help practices and other health organisations protect themselves from a potential cyber threat, Patients First and Medical IT advisors have developed a simple cyber security self-check survey. This is split into five sections: organisation, people, policy, processes and technology. 

You can also complete the survey to find out how prepared your practice is. 

Below is an overview of how your practice can become cybersecure. The overview includes having a dedicated IT specialist and you will need their help with many of the suggestions. This list will guide your IT specialist in what your practice might need. 


The handling, processing, storing and communication of health information is at the core of the heath information security. 

  • Undertake a regular health information risk assessment 
  • Keep your medical application server secured against threat 
  • Have a documented disaster recovery and business continuity plan. 


Practice staff play a crucial role in the protection of personal health information. Patients expect their health information to be kept confidentially and securely by those authorised to use it. 

  • Have a dedicated IT specialist (in-house or external)
  • Assign a practice staff member to the role of information security officer 
  • Ensure practice staff only have access to information they need. 


Documenting policies set tactical direction for information security. 

  • Implement a policy to cover acceptable use of information and systems 
  • Make sure computers require a password to access from start-up and lock after 15 minutes of inactivity.


Processes must enable efficient and secure handling, processing, storage and communication of health information. 

  • Backup practice systems at least daily 
  • Store backups securely offsite through a paid system or professional off-site archiving company, also test the backup restoration process 
  • Have a standard operating procedure detailing how your practice protects documents and systems. 


Invest in secure technology that is continuously monitored and improved. 

  • Update servers and apply patches at least every month
  • Make sure computers have antivirus software installed and regularly updated
  • Send patient information securely
  • Regularly undertake a security risk and assessment of your cloud providers.

Visit the Cybersmart website for more information about Cyber Security Awareness Week and some general tips about password protection, privacy setting and who to report incidents to.