If a clinic owner suspects a breach, they should seek help immediately, as the compromise may have occurred days or weeks earlier.
In recent years, cybercrime targeting optometry practices in the United States resulted in the loss of personal health and financial information for millions of patients. Do you know how robust your company’s data security system is?
In its latest report, the Australian Information Commissioner’s Office noted a 41% increase in breaches from malicious or criminal attacks by December 2022. According to its annual cyber threat report covering July 2021 to June 2022, the Australian Cyber Security Centre received 76,000 cybercrime reports in 2021-22, which is one report every 7 minutes.
Healthcare data is attractive to cybercriminals, and healthcare organizations may be subject to attacks aimed at exposing patients’ medical and financial records or demanding ransom payments.
In addition to the risks to patient privacy and reputation, breaches can disrupt practice operations, as Avant members discovered after a ransomware attack. “All our records, all our appointments, all our contacts, all our address books were on a computer system, which meant we had no data at all. We…had no billing information or links to health funds. We didn’t have one. We had a backup and we thought that was a good thing. Unfortunately, it turned out that the link to the backup was not secure, so the backup was also infected.”
Protect your practice system and reduce risk
1. Establish a culture in your business that takes cybersecurity seriously
No organisation is too small to be vulnerable to a cyber breach, and its systems may be connected to other systems, such as those of suppliers, hospitals and governments. When connecting to My Health Record, you must comply with statutory security requirements.
Malicious attacks often include an element of human error, so training your staff in cyber security knowledge can help reduce risk. Make sure your staff understands and follows information security practices, such as using strong passwords and thinking twice before clicking on links.
You may also consider purchasing cyber insurance to cover operational risks.
For a variety of helpful resources, including information guides, e-learning courses, and other educational materials, follow the links to the online version of this article.
2. Make sure your security measures are up to date
Criminals exploit system vulnerabilities. Keep your systems up to date and use antivirus and ad-blocking software. Apply security patches regularly and enable automatic updates from vendors. Add two-factor authentication on top of strong passwords. Protect your backups so that a compromise of the live system cannot reach them.
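The member quoted above lost the backup along with the live system because the backup was reachable over an insecure link. One inexpensive safeguard, shown here as an added example that is not from the article or from Avant, is to record a SHA-256 manifest of the backup when it is taken, keep that manifest somewhere the practice computers cannot write to, and compare the two before trusting a restore. The file names and contents below are constructed, and the `demo` function simulates the backup share being altered from an infected machine.

```python
"""Verify that a backup copy still matches a hash manifest recorded at backup time.

Added example (not from the article or from Avant). The manifest should be stored
separately from the backup itself (for example on read-only media or a separate
account), otherwise an attacker who can alter the backup can alter the manifest too.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to backup_dir, POSIX style) to its SHA-256 hex digest."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup on disk against a previously recorded manifest.

    Returns a findings dict with lists of missing, changed and unexpected files,
    plus an "ok" flag that is True only when the backup matches exactly.
    """
    current = build_manifest(backup_dir)
    findings = {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }
    findings["ok"] = not (findings["missing"] or findings["changed"] or findings["unexpected"])
    return findings


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware reaching the backup share."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "patients").mkdir(parents=True)
        (backup / "patients" / "records.db").write_bytes(b"constructed patient records")
        (backup / "appointments.csv").write_text("2023-01-05,09:00,constructed\n")

        # Manifest taken at backup time; a real deployment stores this off the share.
        manifest = build_manifest(backup)
        assert verify_backup(backup, manifest)["ok"]  # a fresh backup matches its manifest

        # The situation the article describes: the backup was writable from the infected system.
        (backup / "patients" / "records.db").write_bytes(b"ENCRYPTED BY CONSTRUCTED RANSOMWARE")
        (backup / "appointments.csv").unlink()
        (backup / "README_RESTORE.txt").write_text("ransom note (constructed)")

        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real backup, `build_manifest` is executed once after each backup job and `verify_backup` before any restore; a non-empty `changed` or `missing` list means the copy should not be trusted until the cause is understood.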
IT professionals can conduct security audits or risk assessments to test potential threats to systems, including devices that connect to business networks.
3. Review how information is handled
Find out how your practice handles patient information, including what information you collect, how that information is used and how it is stored. Also consider what information you need to share with suppliers, such as eyewear or device manufacturers, and share only what is necessary.
Make sure your processes set out how long information must be retained and what to do with it when it is no longer needed.
Australian privacy laws require that when information you collect is no longer needed for a particular purpose, it must be destroyed or permanently anonymised. However, for health records there are specific requirements for how long they must be kept and for when and how they can be destroyed.
Avant members said that after the Optus and Medibank breaches, patients contacted them asking for all their records to be deleted. If you receive such a request and are unsure how to respond, contact us, as you may be legally required to retain records even for former patients.
4. Seek help if you have a cybersecurity incident
Your system may have been compromised days or weeks ago, so seek help as soon as you notice the incident. If you require further advice or assistance, please contact the Australian Cyber Security Hotline, your IT service provider or your insurance company.
If patient data is breached, mandatory notification requirements may be imposed under the Notifiable Data Breach Scheme.
If you connect to the My Health Record system and believe that system has been compromised, you must notify the Australian Digital Health Authority.
About the author: Georgie Haysom BSc LLB (Hons) LLM (Bioethics) GAICD is the General Manager of Advocacy Education and Research at Avant.