Protect Your Medical Practice Against a Data Breach – Part 1
Data breaches are becoming more frequent and sophisticated both in Australia and overseas.
Under the Notifiable Data Breaches (NDB) scheme, an organisation must notify the Office of the Australian Information Commissioner (OAIC), and the affected individuals, when a data breach is likely to result in serious harm to any individual whose personal information (e.g. date of birth, address, medical records) is involved.
Data breaches in the healthcare sector
The health sector continues to be the most affected sector, reporting more data breaches than any other. According to the OAIC's Notifiable data breaches report for July to December 2022, 71 breaches, or 14 per cent of all notifications in Australia during the reporting period, came from the health sector.
Malicious or criminal attacks were the leading cause of data breaches in the health sector, responsible for 52 per cent of those notifications.
Data breaches can create a myriad of challenges for organisations – financial, reputational and operational challenges to name but a few. On an individual level, these types of breaches can lead to physical, psychological, emotional, financial or reputational harm, which is why protecting data within your medical practice is a top priority.
Financial implications
The short-term and long-term financial costs of a data breach can be staggering. In November 2022 the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which increases the maximum penalty for serious or repeated interferences with privacy from $2.22 million to the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or 30 per cent of the company's adjusted turnover in the relevant period.
Furthermore, between March 2021 and March 2022 healthcare had the highest average cost of a data breach of any industry, a position it has held for 12 consecutive years.
For comparison, the global average cost of a data breach in 2020 was approximately US$3.86 million (about AUD$5.39 million), around $3 million more than the Australian average at the time.
And the financial implications don't end there: a data breach can continue to affect an organisation's bottom line for years after the incident. In highly regulated industries such as healthcare and financial services, over half of the costs associated with a breach are incurred in the second and third years after the event, which is why safeguarding your organisation against data breaches needs to be both a short-term and a long-term strategy.
What can medical practices do?
General practices have a crucial role to play in protecting the privacy of their patients' health information. This is set out in the RACGP's Privacy and managing health information in general practice, which emphasises the importance of general practices staying across the current legislative framework for managing health information.
Within a medical practice, as in every type of organisation, data security is the responsibility of every employee. Protecting data within your medical practice is about much more than ensuring the technology you use has stringent privacy and security controls: how to keep data safe should be reinforced through staff training, ongoing awareness and practices that keep staff vigilant to cybercrime.
Healthcare professionals can use several measures to better protect data within their provider, including:
Access controls: limiting access to sensitive data to only those who need it;
Backup and disaster recovery plans: regularly backing up data and having a plan in place to recover data in the event of a disaster;
Regular security updates and patches: keeping software and systems up-to-date with the latest security fixes. For MedicalDirector customers on cloud-based solutions, these updates occur automatically approximately every fortnight;
Employee training and awareness: educating employees on the importance of data security and how to identify and prevent security threats;
Strong authentication practices: using strong, unique passwords, never re-using them across systems, storing them securely and enabling multi-factor authentication;
Security testing: regularly testing the security of systems and processes to identify and fix vulnerabilities;
Stringent data protection software: MedicalDirector Shield can help to protect your medical practice through recommendations tailored to your organisation, training, reports, physical intrusion detection and 24/7 monitoring;
Compliance with regulations: it’s important for healthcare organisations to be aware of and comply with relevant laws; and
Engage cyber security services: engage experts to assess vulnerabilities, implement robust cyber security practices and prepare the practice to respond in the event of a cyber incident.
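The access-control and monitoring items in the list above, as an added worked example (this is not MedicalDirector code): a deny-by-default, role-based check over the fields of a patient record that refuses any request reaching beyond the caller's role and writes an audit entry for every read, so that over-reaching requests can be reviewed. The roles, field names, user identifiers and the sample patient record are assumptions constructed for the example.

```python
"""Least-privilege access to patient record fields with an audit trail.

Added illustration only. Roles, field names and the sample record below
are constructed for the example and are not from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Fields of a patient record that each role may read. A role that is not
# listed, or a field that is not listed for a role, is denied by default.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({"name", "dob", "phone", "next_appointment"}),
    "nurse": frozenset({"name", "dob", "phone", "next_appointment",
                        "allergies"}),
    "gp": frozenset({"name", "dob", "phone", "next_appointment",
                     "allergies", "clinical_notes"}),
}


@dataclass(frozen=True)
class AuditEntry:
    when: str                  # ISO 8601 UTC timestamp
    user: str
    role: str
    patient_id: str
    requested: Tuple[str, ...]
    denied: Tuple[str, ...]    # requested fields outside the role's permissions
    outcome: str               # "granted" or "denied"


@dataclass
class RecordStore:
    records: Dict[str, Dict[str, str]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str,
             fields: Iterable[str]) -> Dict[str, str]:
        """Return the requested fields or raise PermissionError.

        The check is all-or-nothing: if any requested field lies outside
        the role's permissions the whole request is refused and the
        over-reach is recorded, so a receptionist asking for clinical
        notes shows up in the audit log instead of silently receiving a
        trimmed answer. An unknown patient ID is refused the same way, so
        a caller cannot probe which IDs exist.
        """
        requested = tuple(fields)
        allowed = ROLE_PERMISSIONS.get(role, frozenset())
        denied = tuple(f for f in requested if f not in allowed)
        refused = bool(denied) or patient_id not in self.records
        outcome = "denied" if refused else "granted"
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            requested=requested, denied=denied, outcome=outcome))
        if refused:
            raise PermissionError(f"{user} ({role}) refused access")
        record = self.records[patient_id]
        return {f: record[f] for f in requested if f in record}

    def denied_attempts(self, user: Optional[str] = None) -> List[AuditEntry]:
        """Refused reads, optionally for one user: the entries a practice
        manager should review as part of routine monitoring."""
        return [e for e in self.audit_log
                if e.outcome == "denied" and (user is None or e.user == user)]


# Constructed sample record (not a real patient).
SAMPLE_RECORDS = {
    "P-1001": {"name": "A. Citizen", "dob": "1980-01-01",
               "phone": "0400 000 000",
               "next_appointment": "2023-06-01 09:00",
               "allergies": "penicillin",
               "clinical_notes": "constructed note"},
}


def demo() -> RecordStore:
    """Run three reads: one in scope, one over-reaching, one by a GP."""
    store = RecordStore(dict(SAMPLE_RECORDS))
    store.read("front-desk-1", "receptionist", "P-1001",
               ["name", "next_appointment"])
    try:
        store.read("front-desk-1", "receptionist", "P-1001",
                   ["name", "clinical_notes"])
    except PermissionError:
        pass                                    # expected: refused and logged
    store.read("gp-1", "gp", "P-1001", ["clinical_notes"])
    return store


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry.outcome, entry.user, entry.requested, entry.denied)
```

The deny-by-default table is the point: adding a new role or a new field grants nothing until someone decides it should, and the audit log records the attempt as well as the decision, which is what makes a later review of "who looked at what" possible.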
Current legislation for safeguarding your practice
In Australia, several laws govern the handling and storage of healthcare data, including:
The Privacy Act 1988: This Act regulates the handling of personal information by both the public and private sector, including healthcare organisations. It sets standards for collecting, storing, and using personal information, and gives individuals the right to access and correct their personal information;
State and territory health records and privacy acts: Australian states and territories have their own rules for the handling of health information, which require medical practices to take steps to protect the confidentiality and security of health information and set out penalties for breaches;
The My Health Records Act 2012: This Act establishes a national electronic health record system and sets out the rules for the collection, storage, and use of health information in the system; and
The Australian Privacy Principles: These principles, set out in the Privacy Act 1988, outline the obligations of organisations in handling personal information (including collection, storage, usage, and disclosure) and this includes health information.
Storing health data – at home or overseas?
In Australia, laws and regulations govern the handling and storage of personal health information. Data stored domestically is subject to the protections of the Privacy Act and the Australian Privacy Principles (APPs). If you choose to store data offshore, you must account for that in your privacy model and ensure you are meeting all relevant obligations under Australian law, including APP 8, which governs cross-border disclosure of personal information. Your privacy policy must also state whether patients' data is likely to be stored or disclosed overseas.
While many technology vendors offer lower costs to store healthcare data offshore, this often brings higher risk. Given the complexities involved in offshore data storage, we recommend medical practices keep their data within Australia. Doing so provides greater certainty and control over how data is managed, and avoids the significant burden of ensuring that an overseas provider complies with Australian legislation as well as its own jurisdiction's data protection laws.
Using software that stores data in Australian data centres keeps that data under Australian jurisdiction, so the Privacy Act and the APPs govern its handling and storage (the practice still has to meet its own obligations under them). Storing data locally makes it easier to monitor and control access to the information and provides assurance about the physical security of the data centres and servers that hold it. If issues arise with data stored in Australia, you can rely on the Australian data protection and handling laws noted in the previous section.
MedicalDirector's Helix runs on the industry-leading Microsoft Azure platform, which is supported by secure, large-scale infrastructure. Data is backed up across two Australian data centres, and stringent Australian privacy and data security standards govern how it is handled and stored.
Further resources
For further information, we recommend referring to the following resources.
Office of the Australian Information Commissioner
RACGP’s Privacy and managing health information in general practice
RACGP Managing notifiable data breaches in general practice
RACGP Notifiable data breaches fact sheet
Keep an eye out for part 2 of this blog series where you can find out about the types of cyber vulnerabilities to look out for, and how to better protect your medical practice against a data breach.