Confidential Proposal
Privacy Act Compliance &
Security Assessment
Comprehensive review of the patient portal to ensure regulatory compliance and robust cybersecurity protection.
Scripted Clinic's patient portal enables patients to view their prescriptions and purchase the products prescribed to them. Because the platform handles sensitive health and personal information, it must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
In addition to compliance, strong cybersecurity controls, verified through regular testing, are essential to protect patient data and maintain trust.
This proposal covers a combined review of the Privacy Act compliance and security posture (vulnerability assessment and penetration testing, VAPT) of the patient portal only. It does not include other organisational systems or operations.
- Assess how personal and health data is collected, stored, and shared
- Review consent processes, privacy notices, and data retention policies
- Verify compliance with all 13 Australian Privacy Principles
- Review access controls, user permissions, and data deletion procedures
- Map all data flows between the portal and third-party systems (hosting, messaging, pharmacy integrations)
- Identify gaps and provide practical recommendations for remediation
- Implement the remediation as per the recommendations
- Perform vulnerability scanning and penetration testing on the patient portal web application and connected APIs
- Assess authentication, session management, and data security controls
- Test for the OWASP Top 10 vulnerability classes and for adversary techniques mapped to MITRE ATT&CK
- Simulate real-world attacks to test system resilience and data protection
- Provide a detailed report with severity ratings, evidence, and remediation guidance
- Implement the fixes
- Conduct one re-test after fixes have been implemented
- Privacy Act Compliance Report and Data Flow Diagram
- Gap Analysis against APP 1–13
- VAPT Report with findings, severity ratings, and recommendations
- Remediation Plan and prioritisation guide
- Implementation of the fixes as per the remediation plan