SkyComm

SkyComm Team

15 March 2026


A 25-item cybersecurity compliance checklist for Australian medical practices: a practical, printable guide for practice managers preparing for RACGP accreditation, covering what assessors actually check.

# Medical Practice Cybersecurity Compliance Checklist: Are You Accreditation-Ready?

Every medical practice in Australia faces accreditation, and increasingly the IT component is where practices stumble. Not because their clinical care is lacking, but because nobody told the practice manager exactly what the assessors expect to see from their IT systems.

This isn't another article about why cybersecurity matters. You already know that. This is the practical checklist your practice manager can use to verify your IT environment is accreditation-ready, and what to fix if it isn't. If you're unsure where your clinic currently stands, our medical IT support team in Perth can assess your environment.

The Three Standards Your Practice Must Satisfy

Your IT compliance sits at the intersection of three frameworks. Each has different requirements, and assessors may reference any of them:

| Framework | Who enforces it | What it covers |
| --- | --- | --- |
| RACGP Standards for general practices (5th edition), Criterion C6.4 Information security | RACGP accreditation assessors | Information security governance, access controls, business continuity and incident response |
| Privacy Act 1988 and the Notifiable Data Breaches scheme | OAIC (Office of the Australian Information Commissioner) | How you collect, store and protect personal health information |
| ACSC Essential Eight | Not mandated for private practices, but increasingly referenced by insurers and assessors | Eight specific technical controls, each assessed against maturity levels |

Most existing guides explain what these frameworks are. This checklist tells you what to actually check.

The Checklist: 25 Items Across 5 Categories

Print this. Walk through it with your IT provider. If they can't demonstrate each item, that's the conversation you need to have before your next accreditation cycle.

Category 1: Access Control & User Management

  • 1. Individual user accounts: every person who touches your clinical software has their own login (no shared "reception" accounts)
  • 2. MFA on Windows logins: multi-factor authentication on the Windows accounts used to open clinical software (BP Premier, Medical Director and Genie don't have built-in MFA, so securing the Windows login that opens them is how you protect access)
  • 3. MFA on email: every Microsoft 365 or Google Workspace account has MFA, and not SMS codes; use an authenticator app or hardware key
  • 4. MFA on remote access: any VPN, RDP or remote desktop tool requires MFA
  • 5. Quarterly access reviews: a documented review of who has access to what, with evidence that departed staff have been removed (account disabled and group memberships stripped, not just a password change)
  • 6. Admin privilege restriction: clinical staff do not have local admin rights on workstations (Essential Eight control #5, restrict administrative privileges)
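
As an added example (not SkyComm's own tooling and not part of the original article), here is how a quarterly access review (item 5) can be run against an exported account list, catching shared logins (item 1) and admin group membership (item 6) in the same pass. The CSV export, the departures list, the group names and the login-name hints are all constructed assumptions; substitute your own export, for example from `Get-ADUser` or an Entra ID user export.

```python
"""Quarterly access review against an exported account list (checklist item 5).

Added example, not SkyComm's tooling. It assumes you have exported user accounts
to CSV (for example from Get-ADUser or an Entra ID user export) with the columns
shown below. The export, the departures list and the group names are constructed.
"""
import csv
import io
from datetime import date, datetime

REVIEW_DATE = date(2026, 3, 15)
STALE_DAYS = 90

# Constructed account export; the column names are an assumption about your export.
ACCOUNT_EXPORT = """\
username,display_name,enabled,last_logon,member_of
jsmith,Jane Smith,True,2026-03-02,Domain Users
reception,Reception Desk,True,2026-03-10,Domain Users
pkumar,Priya Kumar,True,2025-10-14,Domain Users
tnguyen,Tom Nguyen,True,2026-03-09,Domain Users;Domain Admins
dlee,David Lee,False,2025-08-01,Domain Users
"""

# Constructed HR departure list: username -> last day of employment.
DEPARTED = {"pkumar": date(2025, 11, 30), "dlee": date(2025, 8, 1)}

# Login names that suggest a shared account rather than an individual (item 1).
SHARED_HINTS = ("reception", "frontdesk", "nurse", "doctor", "admin", "shared")

# Groups that confer administrative rights in this constructed environment (item 6).
ADMIN_GROUPS = {"Domain Admins", "Administrators"}


def review_accounts(export_csv, departed, review_date, stale_days=STALE_DAYS):
    """Return (username, finding_code, detail) tuples for enabled accounts that
    the review should act on. Disabled accounts are the desired end state for
    leavers, so they produce no findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"].strip()
        if row["enabled"].strip().lower() != "true":
            continue
        last_logon = datetime.strptime(row["last_logon"].strip(), "%Y-%m-%d").date()
        groups = {g.strip() for g in row["member_of"].split(";") if g.strip()}

        if user in departed:
            late = (review_date - departed[user]).days
            findings.append((user, "departed-still-enabled",
                             f"left on {departed[user]}, still enabled {late} days later"))
        idle = (review_date - last_logon).days
        if idle > stale_days:
            findings.append((user, "stale-account", f"no logon for {idle} days"))
        if any(hint in user.lower() for hint in SHARED_HINTS):
            findings.append((user, "shared-account-name",
                             "looks like a shared login; item 1 requires individual accounts"))
        if groups & ADMIN_GROUPS:
            findings.append((user, "admin-privilege",
                             f"member of {sorted(groups & ADMIN_GROUPS)}; confirm this is required"))
    return findings


def review_report(findings, review_date):
    """Plain-text record to file with the accreditation evidence."""
    lines = [f"Access review {review_date.isoformat()}: {len(findings)} finding(s)"]
    lines += [f"  {user:<12} {code:<24} {detail}" for user, code, detail in findings]
    return "\n".join(lines)


def run_review():
    """Run the review over the constructed export as of REVIEW_DATE."""
    return review_accounts(ACCOUNT_EXPORT, DEPARTED, REVIEW_DATE)


if __name__ == "__main__":
    print(review_report(run_review(), REVIEW_DATE))
```

The report is the evidence an assessor asks for: a dated list of who still had access, what was wrong with it, and (once you add a column for it) what was done. File each quarter's report with the checklist rather than relying on "IT looked at it".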

Category 2: Data Protection & Backup

  • 7. Daily automated backups: of your clinical database, documents and configuration, with backup failures alerting a person who will act on them
  • 8. Off-site backup copy: at least one copy stored off-site or in a geographically separate cloud region, and not deletable with the credentials an attacker would obtain from a compromised workstation (ransomware routinely destroys every backup it can reach)
  • 9. Monthly restore test: documented evidence that you restored from backup and verified the data ("backup completed" logs don't count)
  • 10. Backup encryption: backups encrypted at rest and in transit, with the keys held somewhere other than the backup server
  • 11. Retention policy documented: how long you keep backups, and separately how long you keep health records. The commonly applied rule, reflected in state health records legislation and RACGP guidance, is 7 years after the last entry for adults, or until a child patient turns 25, whichever is later; check the legislation that applies in your state. Record retention is met by the live clinical system, not by the backup archive
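
Item 9 is the one most practices fail, so here is what a restore test with evidence looks like, as an added example that is not part of the original article and not SkyComm's own procedure. It uses SQLite and a constructed sample database so it runs anywhere; the file names, tables and rows are assumptions. The design point carries over to the SQL Server databases behind clinical software: record a manifest (row counts and content hashes per table) when the backup is taken, restore into a test location, and compare the restore against that manifest rather than against the live database, which has kept changing since the backup ran.

```python
"""Restore test with evidence, for checklist item 9.

Added example, not SkyComm's own procedure. SQLite is used so it runs offline;
the sample database is constructed. For SQL Server behind BP Premier or
MedicalDirector the same idea applies: restore to a test instance, run
DBCC CHECKDB, and compare row counts with the manifest recorded at backup time.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone


def make_sample_db(path):
    """Constructed stand-in for a clinical database."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT, dob TEXT);
        CREATE TABLE appointments(id INTEGER PRIMARY KEY, patient_id INTEGER, seen_on TEXT);
        INSERT INTO patients VALUES (1, 'Jane Smith', '1980-01-01'), (2, 'Tom Nguyen', '1995-06-30');
        INSERT INTO appointments VALUES (1, 1, '2026-03-01'), (2, 2, '2026-03-03'), (3, 1, '2026-03-10');
    """)
    con.commit()
    con.close()


def table_fingerprints(path):
    """{table: (row_count, sha256 of rows)} so content is compared, not just size."""
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    result = {}
    for table in tables:
        digest, count = hashlib.sha256(), 0
        for row in con.execute(f'SELECT * FROM "{table}" ORDER BY rowid'):
            digest.update(repr(row).encode())
            count += 1
        result[table] = (count, digest.hexdigest())
    con.close()
    return result


def backup_with_manifest(src_path, backup_path):
    """Online backup via the SQLite backup API; returns the manifest to store
    alongside the backup file."""
    src, dst = sqlite3.connect(src_path), sqlite3.connect(backup_path)
    src.backup(dst)
    src.close()
    dst.close()
    return table_fingerprints(backup_path)


def verify_restore(manifest, restored_path):
    """Restore-test record: passes only if the restored file is structurally
    sound and every table matches the manifest recorded at backup time."""
    con = sqlite3.connect(restored_path)
    integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
    con.close()
    problems = [] if integrity == "ok" else [f"integrity_check: {integrity}"]
    restored = table_fingerprints(restored_path)
    for table, (count, digest) in manifest.items():
        if table not in restored:
            problems.append(f"{table}: missing from restore")
        elif restored[table][0] != count:
            problems.append(f"{table}: {restored[table][0]} rows restored, {count} expected")
        elif restored[table][1] != digest:
            problems.append(f"{table}: row count matches but content differs")
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "restored_file": os.path.basename(restored_path),
        "tables": {t: c for t, (c, _) in restored.items()},
        "passed": not problems,
        "problems": problems,
    }


def run_restore_test():
    """Demo: a clean restore, then a restore that silently lost a row."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "clinical.db")
        backup = os.path.join(workdir, "clinical-2026-03-15.bak")
        restored = os.path.join(workdir, "restore-test.db")
        make_sample_db(live)
        manifest = backup_with_manifest(live, backup)
        shutil.copyfile(backup, restored)   # the "restore" into a test location
        good = verify_restore(manifest, restored)
        con = sqlite3.connect(restored)     # simulate a damaged restore
        con.execute("DELETE FROM appointments WHERE id = 3")
        con.commit()
        con.close()
        bad = verify_restore(manifest, restored)
    return good, bad


if __name__ == "__main__":
    for report in run_restore_test():
        print(report)
```

The returned record (timestamp, file restored, per-table counts, pass/fail and the specific problem) is what you file each month. A restore that is missing a single row still reports as a failure, which a "backup job succeeded" email never would.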

Category 3: System Maintenance & Patching

  • 12. OS patching within 48 hours (critical) / 2 weeks (routine): Essential Eight control #6, patch operating systems. The 48-hour window applies where a working exploit exists; two weeks is the Essential Eight target for internet-facing systems, with one month for workstations and internal servers
  • 13. Application patching: clinical software, browsers, PDF readers, Java and other third-party applications updated within the same timeframes
  • 14. End-of-life software eliminated: no Windows 10 (support ended October 2025) unless a device is enrolled in Extended Security Updates as a documented, time-limited exception, and no unsupported clinical software versions
  • 15. Firmware updates: firewalls, switches and access points on current, vendor-supported firmware
  • 16. Macro settings configured: Microsoft Office macros blocked for users who don't need them, and macros in files from the internet blocked for everyone (Essential Eight control #3)

Category 4: Network & Endpoint Security

  • 17. Business-grade firewall: not a consumer router; IDS/IPS, content filtering and logging enabled, and no management interface exposed to the internet
  • 18. Network segmentation: clinical systems, business systems and patient/guest WiFi on separate VLANs with firewall rules between them (a VLAN with no rules is only a label)
  • 19. EDR on every endpoint: endpoint detection and response (not just antivirus) on every workstation and server, with a named person or provider receiving its alerts
  • 20. Email security: SPF, DKIM and DMARC configured on your domain, with the DMARC policy at quarantine or reject rather than none; anti-phishing filtering active
  • 21. Encrypted connections: HTTPS enforced for all web-based clinical tools; TLS for email in transit
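
For item 20 the weak settings that matter are specific: an SPF record ending in `~all` or `+all`, a DMARC policy of `p=none`, and a DKIM selector whose key has been emptied. The following added example (not from the original article or SkyComm) grades records for those settings. The record strings are constructed for the reserved domain example.com; the `dig` commands in the docstring are how you fetch your own.

```python
"""Grade SPF, DKIM and DMARC records for the weak settings behind checklist item 20.

Added example, not SkyComm's tooling. The records below are constructed for the
reserved domain example.com. Fetch your own with:
    dig TXT example.com                          (SPF)
    dig TXT _dmarc.example.com                   (DMARC)
    dig TXT selector1._domainkey.example.com     (DKIM; selector names vary by provider)
"""


def _costs_lookup(term):
    """True for SPF terms that cost a DNS lookup (RFC 7208 allows at most 10)."""
    t = term.lstrip("+-~?").lower()
    return (t.startswith(("include:", "exists:", "redirect="))
            or t in ("a", "mx", "ptr")
            or t.startswith(("a:", "a/", "mx:", "mx/", "ptr:")))


def check_spf(record):
    """Findings for one SPF TXT record; None means no record is published."""
    if record is None:
        return ["SPF: no record published; receivers cannot reject spoofed mail"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all"):
        findings.append("SPF: +all authorises every host on the internet")
    elif all_term == "?all":
        findings.append("SPF: ?all is neutral and gives receivers nothing to act on")
    elif all_term == "~all":
        findings.append("SPF: ~all softfail; acceptable only with DMARC at quarantine/reject")
    lookups = sum(1 for t in terms if _costs_lookup(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def _tags(record):
    """Parse the 'k=v; k=v' syntax shared by DMARC and DKIM records."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def check_dmarc(record):
    if record is None:
        return ["DMARC: no record; SPF/DKIM failures are neither enforced nor reported"]
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def check_dkim(record):
    if record is None:
        return ["DKIM: no key published at this selector"]
    if not _tags(record).get("p"):
        return ["DKIM: empty p= means the key is revoked; signatures will fail"]
    return []


def assess(records):
    """records = {"spf": str|None, "dmarc": str|None, "dkim": {selector: str|None}}"""
    report = {"spf": check_spf(records.get("spf")), "dmarc": check_dmarc(records.get("dmarc"))}
    for selector, rec in records.get("dkim", {}).items():
        report[f"dkim:{selector}"] = check_dkim(rec)
    return report


# Constructed records: a domain where email authentication was set up but never finished ...
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": {"selector1": "v=DKIM1; k=rsa; p="},   # key was revoked, mail is now unsigned
}
# ... and the same domain after hardening (the p= value is a constructed placeholder).
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "dkim": {"selector1": "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64PUBLICKEY"},
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess(recs))
```

DKIM selector names depend on the mail provider: Microsoft 365 publishes selector1 and selector2, Google Workspace uses google. If the DMARC check reports p=none, the practical path is to collect aggregate reports at the rua= address for a few weeks, fix the legitimate senders that fail (the practice management system's appointment reminders are a common one), then move to quarantine and finally reject.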

Category 5: Governance & Documentation

  • 22. Incident response plan: a documented procedure covering who to call, how to contain the incident, when to notify the OAIC and when to notify affected patients. Under the Notifiable Data Breaches scheme you have at most 30 days to assess whether a suspected breach is notifiable; once you believe it is, you notify as soon as practicable rather than waiting out the 30 days. Cyber insurers for medical practices often require this plan as a condition of cover
  • 23. Data breach register: a maintained log of any suspected or confirmed breaches, even where the notification threshold wasn't met
  • 24. Privacy policy current: a published privacy policy that reflects your actual data handling practices, including My Health Record participation
  • 25. Staff security acknowledgment: signed by each staff member annually, confirming they've read and understood your IT security and privacy policies

What Assessors Actually Look For

RACGP accreditation assessors aren't IT auditors; they're checking governance. They want to see:

1. Evidence you've thought about it: a documented IT security policy, even if simple

2. Evidence someone is responsible: who manages IT security? Is there a named person or provider?

3. Evidence of action: backup test reports, patch logs, access review records

4. Evidence of response planning โ€” what happens when something goes wrong?

They're not going to test your firewall rules. But they will ask your practice manager: "How do you protect patient information on your computer systems?" If the answer is "our IT guy handles it" with no documentation to back it up, that's a finding.

The Most Common Gaps We See in Perth Practices

After auditing practices across Perth, these are the items that fail most often:

| Checklist item | Failure rate | Why it happens |
| --- | --- | --- |
| Monthly restore test (#9) | ~90% | Backups run, but nobody ever tests a restore |
| Quarterly access reviews (#5) | ~85% | Former staff still have active accounts months later |
| Incident response plan (#22) | ~80% | Nobody has written one; assumed the IT provider will handle it |
| Network segmentation (#18) | ~75% | Patient WiFi on the same network as clinical systems |
| Staff security acknowledgment (#25) | ~70% | No formal process for new or existing staff |

These aren't expensive fixes. They're process gaps, and they're exactly what accreditation assessors flag.

How to Use This Checklist

Step 1: Print it or share it with your practice manager.

Step 2: Book a 30-minute call with your IT provider. Go through each item. Ask them to show evidence for each one (not just "yes, we do that" โ€” actual logs, reports, or documentation).

Step 3: For any items marked "no" or "unsure," ask your IT provider for a remediation timeline and cost.

Step 4: File the completed checklist with your accreditation documentation. It demonstrates proactive governance even if not every item is perfect yet.

What This Checklist Doesn't Cover

This is an IT compliance checklist, not a complete accreditation guide. It doesn't cover:

  • Clinical governance and care quality standards
  • Physical security (building access, server room locks; your IT provider should still advise on this)
  • Staff HR policies beyond IT security acknowledgments
  • Medical software clinical content updates (drug databases, clinical guidelines)
For the full RACGP accreditation picture, refer to the RACGP Standards for General Practices (5th Edition).

For a deeper look at how RACGP IT requirements connect to accreditation, see our guide: RACGP IT Requirements for Accreditation in 2026.

How SkyComm Helps Perth Clinics Meet RACGP IT Standards

Many Perth clinics struggle to translate RACGP cybersecurity guidance into practical IT controls. SkyComm helps medical practices implement Essential Eight controls, secure Microsoft 365 environments, and document the governance evidence accreditation assessors expect to see. Our healthcare IT support team works with GP clinics, specialists, and day surgeries across Western Australia to maintain secure, compliant IT environments.

Frequently Asked Questions

Is there a specific cybersecurity standard mandated for Australian medical practices?

There is no single mandated cybersecurity standard for medical practices. However, the Privacy Act 1988 requires "reasonable steps" to protect personal information, the RACGP Standards include information security criteria for accreditation, and the ACSC Essential Eight is increasingly referenced as a baseline by insurers and assessors. Meeting all three is best practice.

How often should a medical practice conduct an IT security audit?

At minimum annually, ideally timed 3 to 6 months before your accreditation cycle so there's time to remediate any gaps. Quarterly access reviews and monthly backup restore tests should happen year-round.

What happens if we fail the IT component of accreditation?

A single IT finding won't typically fail your accreditation outright. Assessors will note it as a "not met" criterion and give you a timeframe to remediate. However, repeated or systemic IT governance failures can delay accreditation.

Can our IT provider help us prepare for accreditation?

Yes, but only if they understand healthcare compliance. Ask them to walk through this checklist with you. If they can't speak to the RACGP Computer and Information Security Standards (CISS), Privacy Act obligations, or the Essential Eight, they may not be the right fit for a medical practice.

Do we need to implement all 25 items at once?

No. Start with the highest-risk items: MFA on Windows, email, and remote access (#2-4), backup restore testing (#9), and incident response plan (#22). These are the most impactful and most commonly flagged by assessors.

---

Need Help Getting Accreditation-Ready?

SkyComm works with Perth medical practices to close IT compliance gaps and cybersecurity risks before accreditation. Our medical IT support services for healthcare providers help practices meet RACGP, Privacy Act, and Essential Eight requirements. We'll walk through this checklist with your practice manager, provide evidence for every item we manage, and remediate anything that's missing.

📞 Call 1800 957 977

✉️ Email: admin@skycomm.com.au

🌐 Book a free IT compliance review: skycomm.com.au/contact-us

---


This checklist is based on SkyComm's 20+ years of experience auditing and securing medical practice IT environments across Perth and Western Australia, combined with current RACGP accreditation standards, Privacy Act requirements, and ACSC Essential Eight guidelines.
