WORKPLACE RELATIONS, January 19, 2023
Cyber security
Practices have a responsibility to keep patients’ healthcare information safe. Here are a few tips to strengthen your cyber security. Written by Melanie Fayad, AMA (NSW) Workplace Relations Advisor (Legal & Policy)
IN RECENT MONTHS, several high-profile cyberattacks, such as those suffered by Optus and Medibank, have drawn greater attention to cyber security, particularly when it comes to healthcare information.
Changes to the way medical practices manage information, such as migration to cloud-based technologies, have made health information more vulnerable to security breaches. In fact, for the 2021-22 financial year, the Australian Cyber Security Centre (ACSC) reported that, aside from government sectors, the healthcare and social assistance sectors reported the highest number of cyber security incidents.
Cyber security breaches can cause financial loss, reputational damage, and possible legal liability, all of which can be devastating for a medical practice where privacy is key to the doctor-patient relationship. According to ACSC, the average financial loss for a small business per reported cybercrime incident was $39,000. This figure does not capture the cost to customers or patients, nor the capital and recurring costs of cyber security incident remediation, nor the reputational damage suffered.
We know cyberattacks are on the rise – up by 13% in 2021-22 from the previous financial year (ACSC). So, what are medical practices required to do to protect health information and what steps can be taken to manage the risk of a cyber security incident?
Legislative framework
In NSW, all private health service providers must comply with both Federal and State privacy laws when handling health information. This legislation includes:
• The Privacy Act 1988 (Cth) (“Privacy Act”), which outlines 13 Australian Privacy Principles (“APPs”) that regulate the handling of personal information by APP entities, which includes private health service providers.
• The Health Records Information Privacy Act 2002 (NSW) (“HRIP Act”), which outlines 16 Health Privacy Principles (“HPPs”) that govern the handling of private health information.
With respect to security of personal information, both the APPs and HPPs state that health service providers must take ‘reasonable’ steps to protect the information from misuse, interference, and loss, as well as unauthorised access, use, modification or disclosure.
To understand what steps are ‘reasonable’ for APP entities to secure personal information, the Office of the Australian Information Commissioner (OAIC) has developed a ‘Guide to Securing Personal Information’ (“Guide”). Although the Guide is not legally binding, the OAIC will refer to the Guide in investigating and assessing whether an entity has complied with its personal information security obligations.
In the event personal health information is compromised, health service providers are required under the Privacy Act to notify individuals and the OAIC of ‘eligible’ data breaches. A data breach is ‘eligible’ if it is likely to result in serious harm to any of the individuals to whom the information relates.
Steps to protect your practice
There are a few steps you may consider taking to strengthen your practice’s cyber security.
1. Establish a cyber-secure culture among staff
Promote a culture of cyber security awareness through appropriate training, resourcing, governance, and management. Cyber security is no longer isolated to the control of IT specialists but is a shared responsibility amongst all members of the practice. Personal information, privacy and security should be an integrated component of the business and should be reviewed regularly and reinforced as technology advances.
2. Control access to health information
Limit internal access to health information only to those staff members who require access to do their job.
Appropriate authentication should be used to gain access to networks, systems and the information within it. This should include the use of complex passwords and passphrases for each authorised individual (no sharing of login details) and, where possible, two-factor authentication for additional protection. Importantly, all staff should log off software and systems at the end of each day.
3. Secure transmission of health information
As the sharing of health information is now often done by electronic means, strategies should be implemented to ensure such information is shared securely. For example, email is not a secure form of communication and additional security measures should be put in place to protect this information from cyberattacks including, but not limited to, password protecting files attached to emails, encrypting emails and/or attachments, and using secure file-sharing services to link to secure files.
4. Review third-party software
Third-party software is commonly used in medical practice to optimise practice and clinical processes, to transfer and communicate health information and, more recently, for electronic prescription exchange. The use of this third-party software can expose a practice’s networks and systems to cyberattacks, so it is important to ensure it is secure by using antivirus software and updating software when required. Your IT provider should be able to assist with this.
5. Plan for when things go wrong
In the event of a cyberattack or breach of personal information, ensure the practice has a response plan that is understood by all staff. This plan should outline the procedures and line of authority for containing the breach or attack, reporting details of the incident, managing the practice’s response, and accessing IT and legal advice when required. AMA (NSW) can assist you with a Data Incident/Breach Report Form template if required.
It is also important to ensure that frequent and off-site backups are kept of all critical information and systems, should a cyberattack prevent access to the practice’s systems and files.
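As an added illustration of this last step (example code written for this page, not from the AMA (NSW) article or its author), the Python script below builds a backup archive of a practice data folder, records a SHA-256 manifest of every file, and verifies a backup by reading the archive back and comparing each file against that manifest. The practice directory, file names and contents are constructed sample data; a real practice would keep the manifest with the off-site copy so that a backup taken after files were silently deleted or altered is detected rather than trusted.

```python
"""Backup creation and integrity verification (constructed example, stdlib only)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

CHUNK = 65536


def _sha256_stream(stream) -> str:
    """Hash a readable binary stream in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Map each file's path (relative to source_dir, POSIX separators) to its SHA-256."""
    manifest = {}
    for p in sorted(source_dir.rglob("*")):
        if p.is_file():
            with open(p, "rb") as f:
                manifest[p.relative_to(source_dir).as_posix()] = _sha256_stream(f)
    return manifest


def create_backup(source_dir: Path, archive_path: Path) -> dict:
    """Write a gzip'd tar of source_dir plus a JSON manifest beside it; return the manifest."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname="data")  # every member is stored under data/
    manifest_path = archive_path.with_name(archive_path.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def manifest_from_archive(archive_path: Path) -> dict:
    """Hash every regular file inside the archive without extracting it to disk."""
    found = {}
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name[len("data/"):]  # strip the arcname prefix
            found[rel] = _sha256_stream(tar.extractfile(member))
    return found


def verify_backup(archive_path: Path, manifest: dict) -> list:
    """Compare the archive against a trusted manifest; an empty list means it checks out."""
    found = manifest_from_archive(archive_path)
    problems = []
    for rel, digest in manifest.items():
        if rel not in found:
            problems.append(f"missing from archive: {rel}")
        elif found[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in found:
        if rel not in manifest:
            problems.append(f"unexpected file in archive: {rel}")
    return problems


def run_demo() -> tuple:
    """Constructed scenario: a good backup, then a later backup taken after a file was lost."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "practice_data"  # constructed sample folder, not a real practice path
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_0001.txt").write_text("constructed sample record\n")
        (src / "config.ini").write_text("[practice]\nname=Example Practice\n")

        first_archive = work / "backup-day1.tar.gz"
        trusted_manifest = create_backup(src, first_archive)
        good = verify_backup(first_archive, trusted_manifest)  # expected: []

        # A file disappears before the next backup runs; the new archive is
        # internally consistent but fails against the trusted day-1 manifest.
        (src / "records" / "patient_0001.txt").unlink()
        later_archive = work / "backup-day2.tar.gz"
        create_backup(src, later_archive)
        bad = verify_backup(later_archive, trusted_manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("day-1 backup problems:", good)
    print("day-2 backup problems:", bad)
```

The verification reads file contents straight out of the archive rather than extracting it, so the check can run on the off-site copy without writing patient data to a scratch location; the same function doubles as a restore test, since an archive that cannot be opened and read back fails immediately.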
The information provided in this article is necessarily general in nature and should not be regarded or relied upon as legal or IT advice.