Late last year, close to 50,000 Australians and 5,000 federal public servants had sensitive personal information exposed online in one of the nation's biggest-ever data breaches [1].
This year, since the mandatory Notifiable Data Breaches (NDB) scheme came into effect, 63 notifications were reported to the Office of the Australian Information Commissioner (OAIC) in the first quarter alone [2].
It is important to note that among the top five industry sectors, the largest proportion of eligible data breaches reported to the OAIC came from health service providers, at 24 per cent. This is in stark contrast to the 2017 report by the OAIC, which found that healthcare was the most trusted sector, with 79 per cent of people trusting providers to protect personal information [3].
But first, what is a data breach?
Data breaches can range from the accidental (disclosure of sensitive information due to internal error or failure to follow information handling processes and procedures) to the malicious (attack on computer systems through hacking and malware).
If you run a practice, protecting the privacy and confidentiality of the patient health data you hold is an important professional and legal obligation. Not having a robust system in place can result in significant financial loss, possible legal liability, reputational damage and misuse of patient data.
This is even more important now with new privacy laws that came into effect on 22 February regulating the reporting and notification of eligible data breaches to impacted individuals and the OAIC.
How we protect your data
We make sure your data is safe and secure by following industry best practices. Our arrangements with our various software providers ensure all our member information is stored in a secure environment and protected by robust security architecture. All data is encrypted within the database, we do not hold sensitive financial data such as credit card details and all web transactions are securely transmitted. Control frameworks and continuous staff training support the Information Technology infrastructure in place. In addition, our systems and processes are rigorously audited independently each year.
What can you do to protect the security and privacy of your patient data?
- Make privacy a priority: By law, all health service providers in the private sector are required to protect the security and privacy of personal health information. The Commonwealth’s Privacy Act 1988 (Privacy Act) requires any entity holding personal information to take such steps as are reasonable in the circumstances to protect that information.
- Swap passwords for passphrases: Passphrases can be much longer and can contain spaces as well. For example: Test@123 vs “The only thing constant is change”. A passphrase is easier to remember, satisfies complexity rules easily and is almost impossible to crack.
- Restrict access privileges: Staff with administrator privileges for computers should not use their administrator account when performing non-admin duties such as reading email or accessing external websites, because anything that runs under that account (including malware) inherits its privileges. Doing so puts the computer, and by extension the network, at added risk.
- Encrypt disk drives: If you store patient health data on individual computers, safeguard your data by encrypting the drive in case it’s stolen or lost.
- Prohibit non-business computers from plugging in: Laptops, tablets or mobile phones that are not secured by the IT systems and policies of your practice are at high risk of carrying exploitable security flaws. Put a strict policy in place to prevent them from connecting to your network.
- Virus-scan all external devices: Ensure that all USB drives, external hard drives and DVDs are scanned automatically with your anti-virus software before they are used.
- Limit application installation: Only install what you need on your computers. Fewer applications mean fewer security bugs, and fewer applications that need to be kept up to date.
- Increase staff awareness: Even the most secure systems are susceptible to human error. Opening attachments from unknown email addresses, clicking on suspicious links and downloading unsafe applications are just a few of the security risks staff are exposed to every day. This is why raising awareness of the risks associated with poor security practices is essential. There are many resources available online to help you and your staff stay informed; www.staysmartonline.gov.au is a great place to start.
While this list of measures is in no way comprehensive, implementing these basic security practices will help protect patient data and ensure greater security for your computers and devices.
[1] Data breach sees records of 50,000 Australian workers exposed, 2 November 2017, https://www.smh.com.au/public-service/data-breach-sees-records-of-50000-australian-workers-exposed-20171102-gzdef3.html
[2] Notifiable Data Breaches Quarterly Statistics Report: January 2018 – March 2018, p. 1, https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/Notifiable_Data_Breaches_Quarterly_Statistics_Report_January_2018__March_.pdf
[3] Australian Community Attitudes to Privacy Survey 2017, p. 8, May 2018, https://www.oaic.gov.au/resources/engage-with-us/community-attitudes/acaps-2017/acaps-2017-report.pdf