Overview

Cybersecurity is now a core operational requirement for every general practice. Patient health records, Medicare billing data and practice financial systems are high-value targets. The Australian Cyber Security Centre reports that healthcare is among the most targeted sectors, and small to medium practices are particularly exposed because they typically lack dedicated IT security resources.

This guide takes your practice team through a complete PDSA cycle focused on cybersecurity. It covers risk assessment, staff awareness training, incident response planning and policy development. The worked example shows how a real practice identified and closed its most significant gaps over a 12-week period.

The guide aligns with the ePIP (eHealth Practice Incentives Program) and maps directly to requirements 1, 2 and 5. Completing the full cycle can contribute up to 40 CPD hours across Educational Activities, Reviewing Performance and Measuring Outcomes categories.

What the guide covers

Risk assessment

Identify vulnerabilities across your practice systems, including clinical software, email, remote access, backup processes and physical device security. Includes a structured risk register template.

Staff training

Build a staff awareness program covering phishing recognition, password management, secure data handling and incident reporting. Includes session plans and assessment checklists.

Policy and response

Develop a cybersecurity policy and incident response plan tailored to general practice. Covers data breach notification obligations under the Notifiable Data Breaches scheme.

CPD hours breakdown

Completing the full PDSA cycle on cybersecurity can contribute approximately 9 CPD hours. The breakdown below shows how hours are allocated across RACGP CPD categories.

Educational Activities (3 hours)

Research into cybersecurity frameworks, ePIP requirements and best-practice guidance for healthcare settings. Includes reading, webinars and vendor briefings.

Reviewing Performance (3 hours)

Audit of current practice cybersecurity controls against the risk register. Gap analysis and benchmarking against ePIP compliance requirements.

Measuring Outcomes (3 hours)

Implementation of the improvement plan, post-cycle reassessment and documentation of changes. This is the core PDSA measurement stage.

Key topics

Risk assessment and gap analysis

Staff awareness and training program

Incident response and breach notification

Policy development and documentation

ePIP alignment and compliance mapping

Who should use this guide

Dr Chris Mitchell AM

General practitioner, practice owner and healthcare business adviser with over 30 years of experience in Australian general practice. Senior roles with the RACGP, AGPN and multiple GP training organisations. Each guide is based on PDSA cycles run in his own practices.

Read the guide

This PDSA guide is free for Australian GP practices.
