Whether you are a practice manager, a doctor or owner of a medical practice or an advisor, when it comes to introducing new software or technology into a practice, there is much to consider. As technology has become an increasingly prominent part of our daily lives, it is unsurprising that it has well and truly made its way into the healthcare setting. This has resulted in an unprecedented amount of information about patients being put into easy to access places, such as cloud-based services.

We know there are a range of reasons why a practice may be looking for one or more solutions. Some of those reasons may include:

  • To meet client expectations to book an appointment 24×7
  • To become paperless and have everything accessible in 'the cloud'
  • To find ways to increase practice profitability
  • To increase efficiencies
  • To reduce task load for the admin team
  • To have a more efficient, modern practice
  • To fulfil a desire for an innovative, future-focused practice
  • To increase practice valuation
  • To connect solutions for comprehensive business intelligence insights

These outcomes can be realised through the use of one or a combination of solutions that you have no doubt been approached by. If you have attended any medical conferences over the last five years, around 50% of sponsors are medical or health technology companies. This is a growing area, so it's easy to see how you might feel bombarded by the opportunities and pressure to make a decision.

Types of Medical Practice Software & Tech Solutions

Medical practice management software, medical business intelligence (BI) and appointment booking solutions may include the following capabilities:

  • Online patient registration
  • Tracking of appointments and revenue per hour by doctor
  • Room utilisation - track room usage & profitability
  • Accessibility for appointments to be booked 24x7
  • Appointment reminder services
  • Script renewal systems (e-scripts)
  • Monitoring and tracking of 'no shows'
  • Electronic referrals (e-referrals)
  • Online payment gateway
  • Driving enquiries to your practice website
  • New patient acquisition and retention tracking

While this list above is not exhaustive, it is clear that the capabilities in existence are incredible and can go a long way in aiding the optimisation of efficiencies and practice profitability.

The next step is to ensure you are making wise decisions for not only your practice, but also your patients.

What to be alert to

When salespeople pitch their software and solutions, or you hear from someone you trust that one product is better than another, I recommend exercising caution. 'Why is that?' I hear you ask.

Before I go on, I want to assure you that I'm not suggesting these salespeople and solutions are to be feared. The creators of medical solutions like these are often entrepreneurial doctors who have identified an issue in their own practice and set out to do something about it.

While the benefits of these solutions are no doubt beneficial, they bring added risk that is not automatically managed. Although a company may be credible, and it may have been without issue in the past, as we've highlighted in a number of articles, patient health data is highly valuable on the dark web. The information you collect, hold and transfer is as desirable as banking or personal financial data.

Many of these solutions integrate or 'plug in' to other solutions. For instance, practice management software and BI tools that integrate with bookkeeping software, appointment setting tools and e-referral solutions. As in most health tech solutions, they are not built only to be purchased once and used. The solution will have constant iterations to improve user experience and functionality. Updates are made to ensure any data transfer and processes continue to work and share information effectively. Sometimes these solutions break when another integrated solution makes its own updates. When this happens the solution provider will usually notify you about issues that affect you and will advise on fixing timelines. These solutions require maintenance and can be out of action for a short period of time, typically out of business hours to minimise impact. This is typical to allow for optimal functionality and continuous improvement of any tech solution. The information that is being shared between solutions and practices can, at times, be vulnerable.

While the ability to have multiple capabilities in play is highly beneficial, it does not come without risk.

Breaches of patient data via tech capabilities

You do not have to look back too far to see how real the risks are. In 2021, the South Australian government's database of employees, including doctors, was hacked. This affected a minimum of 38,000 employees whose records were stolen (possibly as many as 80,000). This information has likely been on-sold. It has proven to be incredibly disruptive. All employees impacted now have a unique protocol for any communications with the ATO.

This is not an isolated experience, and it is not only large organisations' data that is targeted.

Over the years we've written extensively about unauthorised sharing of patient information by health tech companies as well as privacy breaches via the use of these kinds of solutions. In particular, we have highlighted privacy breaches and ongoing compliance issues with a widely-adopted medical appointment setting solution.

The risk is genuine for medical clinics and centres of all sizes. The information that can be collected, stored and transferred is considerable.


At a minimum, patient data include personal contact details, identity information and health records. It is estimated that 90% of hackers steal data for financial gain and do so by extortion or phishing. Phishing is fraudulent communications or websites (typically indecipherable from legitimate sources) which enables them to collect information deceitfully, including fraudulent billing transactions. What is unclear is what the other 10% do with that patient data. However, given what we know about how data was used in the Cambridge Analytica data scandal, it could be assumed that data points might be used collectively in other ways to gain significant insights.

Of the notifiable data breaches reported Australia-wide in the last two six-month reporting periods of January - June 30, 2021 and July - December 2021 (the most recent reports at the time of publishing), health services was the industry ranked the highest of the industry sectors to notify of data breaches. This was followed by the finance industry (including superannuation). In this period, of all of the total breaches across industries, contact information details were breached (which includes emails which are where phishing is prevalent), 55% of all breaches exposed identity information such as date of birth, driver's licence and passport details, and in 43% of breaches, financial details, such as bank account and credit card numbers, were involved.

Source: Office of the Australian Information Officer - Notifiable Data Breaches Scheme.

The consequences of managing a breach of patient data can be significant. While we won't go into those here, you can read more in this previous article.

This is a timely reminder that patient information is vulnerable to exploitation, no matter the size of your business or organisation. Does this mean you shouldn't adopt these solutions? No, that's not what we're suggesting. To be confident in making the best choice, start with the solution provider's privacy policy.

What to do before signing on to any solution

Patient privacy is protected under the Australian Privacy Act and entities or organisations that are considered Australian Privacy Principles (APP) entities. APP entities need to treat information in a certain way. As a medical practice, you deal with sensitive health information, which is a subcategory of personal information, meaning you must take particular care with all the information you receive, collect and transfer.

When you sign up with software companies that collect, store and/or transfer patient information of any kind, you are allowing permission to a third party to collect that information for you. Therefore, the privacy policy of the software company you are dealing with should be reviewed before committing to purchase or subscribe to use any of these solutions.

That being said, your practice's own privacy policy should also accommodate and manage this risk. This also includes website terms and conditions. If you don't have these two policies up to date and in place, we can assist you with getting those in place and tailored for your practice's specific needs.

Narrow down your options. What's next?

If you are planning to integrate more technology in your practice, whether it be to streamline processes, reduce pressure on your staff, increase profitability or attract more patients, ensure you are armed with knowledge. Ask many questions of the salespeople.

Often they are former practice managers themselves and have a great passion and understanding of the industry. They also understand the pressures that practice owners and practice managers are under and what impacts profitability. This understanding of the challenges that you face helps develop a connection, however, you need to look beyond that.

Having worked closely with doctors and practice owners for many years, we know that decision-making is often made with a reliance upon a combination of reviews, an endorsement of its functionality from someone you trust or who has used the solution. A credible, well-known brand that does what it says it should is often a good sign. However, it's not sufficient if you are serious about protecting your practice and patients.

What can be done today and for the future

Seeking specialist advice via a review of the privacy policy of the solution is the first step. If that looks good, then the next step is making sure your own privacy policy and website terms and conditions cover you effectively given the additional technology being added into your practice.

The other piece to this is to make sure your team members are aware of their obligations. In the last two reports referred to earlier, of the Notifiable Data Breaches Scheme, human errors accounted for 30% to 41% of all data breaches. If you do not have an in-house Data Breach Process Manual yet, consider this medical industry based manual here.

If you are intending to add or integrate more technology, seek specialist legal advice first. In an initial conversation with us, we can alert you to the right questions to ask of the people offering meetings or demonstrations of their solutions.

If you have narrowed down your preferred options, ensure you have a specialist, like those on our team, review the provider's policy, along with your own. We can take into account the unique needs of your practice and assist in helping you identify if your selection will be suitable based on your needs or future plans.

Related Articles: Suspect a Patient Data Breach? 5 steps to be prepared

Why does a medical practice need a privacy policy and website terms and conditions?