Cyber Security Policy for Metropolitan Anaesthesia

1. Purpose

This Cyber Security Policy outlines how Metropolitan Anaesthesia protects its digital information and systems from cyber threats, ensuring the confidentiality, integrity, and availability of patient data and operational continuity.
2. Scope

This policy applies to all staff, contractors, and third parties who access or manage digital systems, patient information, or communications within Metropolitan Anaesthesia.
3. Legal and Regulatory Compliance

The practice complies with:

  • Privacy Act 1988 (Cth) including the Australian Privacy Principles (APPs)
  • Health Records and Information Privacy Act 2002 (NSW) (or state equivalent)
  • Australian Digital Health Agency (ADHA) guidelines
  • Australian Cyber Security Centre (ACSC) recommendations, including the Essential Eight
4. Roles and Responsibilities

  • Practice Manager / Cyber Security Officer: Oversees cybersecurity implementation and compliance with this policy.
  • All Staff: Must adhere to this policy and report suspected security incidents promptly.
  • IT Provider: Ensures systems are patched, monitored, and securely configured.
  • Anaesthetists and their delegates: In some cases, anaesthetists working with our practice may engage a trusted representative, such as a partner or administrative support person, to assist with data entry or billing. Where this occurs, the anaesthetist is responsible for ensuring that the nominated representative adheres to the same privacy and confidentiality standards required by law and by this policy.

Access to practice systems and personal information is restricted to authorised users only, and all individuals accessing data on behalf of the practice, including anaesthetists and their delegates, are expected to comply with our privacy and cybersecurity protocols.
5. Core Security Measures

5.1 Access Control

  • Unique user accounts and role-based permissions.
  • Two-factor authentication (2FA) required for sensitive systems.
  • Immediate revocation of access upon staff termination or role change.
5.2 Data Protection

  • Patient data encrypted at rest and in transit.
  • Regular data backups stored securely offsite and in secure cloud environments.
  • Confidential data only accessible to authorised personnel.
5.3 System Hardening & Patching

  • All devices and software regularly updated.
  • Unused services and ports disabled.
  • Antivirus and anti-malware protection installed and updated.
5.4 Email and Internet Use

  • No access to personal email or social media on practice devices.
  • Suspicious emails must be reported to the Practice Manager or IT Provider and then deleted; attachments and links in such emails must not be opened.

5.5 Personal Devices

  • Staff are strictly prohibited from connecting personal devices, such as iPhones, Android smartphones, tablets, or USB storage devices, to any practice computer.
  • This includes charging devices via USB ports.
  • External USB drives are prohibited unless authorised by the Practice Manager or IT Provider.

5.6 Incident Response

  • Cyber incidents, including suspected incidents, must be reported to the IT Provider and the Practice Manager as soon as practicable after detection.
  • The Practice Manager will coordinate investigation and remediation with the IT Provider.
  • Eligible data breaches will be notified to the Office of the Australian Information Commissioner (OAIC), and to affected individuals, under the Notifiable Data Breaches (NDB) scheme of the Privacy Act 1988 (Cth).

5.7 Training and Awareness

  • Annual cybersecurity training for all staff and anaesthetists.
  • Phishing simulations and periodic refresher sessions.
5.8 Remote Access and Mobile Devices

  • Remote access by staff and anaesthetists is permitted only via a secure login protected by 2FA.
  • All mobile devices used to access practice data must have a passcode and device encryption enabled.

5.9 Third-Party Vendors

  • All IT vendors and cloud providers must access and manage the practice's data in compliance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles, and the Health Services Act 2016 (WA).

6. Monitoring and Review

Cybersecurity systems and logs are monitored for suspicious activity by the IT Provider.
