In my recent OAIC Notifiable Data Breach (NDB) summary, I pointed out that Health service providers represented the top industry sector by notifications reported.
This was the case in both human errors and cyber security issues.
Given the specific references in our Privacy Act 1988 (Privacy Act) relating to Health service providers, I wanted to understand the insights.
In the following chart, we can see that human error and malicious or criminal attack are the main issues.

What exactly is human error?
Human error is defined by the OAIC as set out by the following glossary table:

I found this glossary useful to get a sense of what can be done at a cultural level to protect against pure human error. The rest seem to stem from system choices.
Most are preventable by working with systems designed with healthcare information privacy in mind. For example, all the issues around email and fax can be absolutely minimized by working with secure messaging products when you’re sending or receiving client information between providers.
TIP: If you haven’t done so already, register for coreplus’s Secure Message Delivery service from within your dashboard and settings, and don’t use email or fax for this type of communication.
What exactly is malicious or criminal attack?
Here is OAIC’s glossary for cyber attack issues:

Understanding these terms will help you review IT systems & security policies.
Generally, the level of security in small business IT systems (servers, PCs, firewalls, etc.) is pretty average, and password management is not top of mind for a lot of people.
TIP: If you’re not using two-factor authentication, I strongly encourage you to activate it. If you need any assistance, contact our customer service team via your in-product direct messaging.
What information was breached?
Here is the OAIC’s glossary of “information” breached:

Health information is not the only thing you need to be concerned about.
Having client information stored securely and safely, with limits on who or what can access it and how, is key.
TIP: Using fit-for-purpose systems designed for Australian healthcare regulations, along with segmented privileges and high-end security, will go a long way to minimizing your risk of a breach.
Overall, the types of issues reported are not surprising. I see a lot of it when meeting and working with small practices. The good news is that it’s relatively easy and cost-effective to do something about minimizing the risk of a breach.
Tips on minimizing risk
Here are some things to think about that can really lower your risk of data breaches caused by human error or cyber security issues:
- Work with practice management products/software that allow you to control where your client data is stored, so that you can control who has what type of access and under what conditions (NB: having your practice data in Australia is preferable);
- Use secure messaging systems for practice to practice communications relating to client information;
- Focus on products that have been built for Australian health providers and are Australian Privacy Act focused, NOT GDPR, as EU law compliance won’t relieve you of your legal responsibility here in Australia;
- Use a password manager built for creating and storing complex passwords and changing them regularly in line with a stated password policy in your practice;
- Choose products that offer you two-factor authentication, as a hacker would then have to steal your password and your phone to gain access to your systems;
- Be careful using products designed for overseas markets that can be integrated with your core practice management systems, as they often share data between systems without privacy in mind, or without you realizing that it’s being done, and generally send your client data overseas;
- Review the APP Guidelines and update your practice policies accordingly. If you’re using a lot of cloud products, focus on cross-border disclosure of personal information.
Hopefully there’s value for you in this breakdown and understanding of what could cause a data breach in your health practice. Also, I hope you’ll lower risk by using a product specifically designed for Australian health service providers, like coreplus, with two-factor authentication turned on.
Overall, think of privacy as cultural, and have well-advised policies & procedures and appropriate systems that ensure your Australian privacy obligations are met.
Thanks for taking the time to read this. Feel free to message me via LinkedIn if you want to talk health-tech or contact our awesome customer service team with any questions on how coreplus works to help with the above.