Data breaches can be many and varied, and can range from a malicious attack on computer systems (hacking and malware); the inadvertent disclosure of sensitive information due to an internal error or failure to follow information handling processes and procedures; through to damage of files (paper or electronic) because of a natural disaster such as a fire or flood.
Protecting the privacy and confidentiality of the personal information you hold is an important professional and legal obligation.
Not only can a data breach or breach of privacy leave you open to a complaint to the Office of the Australian Information Commissioner (OAIC) or disciplinary action by regulatory authorities. A data breach can also have a significant impact on your relationship with your patients, as well as causing reputational damage to you and your practice.
Steps you can take to prevent data breaches:
1. Ensure you and your staff are aware of your privacy obligations.
2. Review and update information handling practices, procedures and systems.
3. Review and update your contracts and arrangements with third party providers.
4. Implement mitigation strategies to prevent cybersecurity incidents.
Ensure you and your staff are aware of your privacy obligations
Your practice has an obligation under the Commonwealth Privacy Act 1988 to take all reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure (APP 11).
- Train your staff and regularly update them about their privacy obligations, security of your systems and policies and procedures in your practice.
- Keep up to date with changes to privacy laws and obligations.
- Appoint a senior staff member to be responsible for privacy compliance in your practice.
- Talk about privacy and security at practice meetings, including any privacy incidents or near misses.
Avant’s Top 10 privacy tips, Privacy essentials and Avant guide to privacy reforms are resources that can help to remind you of your privacy obligations.
Review and update information handling practices, procedures and systems
Reviewing your information handling practices, procedures and systems can help to ensure that your processes and systems are up to date, reduce the risk of a privacy or security breach in your practice and reduce the time and expense involved in addressing any breaches.
You should have the following in place at your practice:
- documented privacy and security processes and procedures, including processes for managing staff authorisation, authentication and access to records
- a process for proactively detecting data breaches
- a data breach response plan to apply if a privacy or security breach is discovered
- a business continuity plan and disaster recovery plan, so that if there is a disruption to your systems you can continue to operate your practice.
The RACGP Computer and information security standards provides detailed information and templates for ensuring computer and information security at medical practices.
Consider the security measures in place at your practice, and if they are not adequate, update them. Our cybersecurity checklist can assist you in reviewing the security measures in place at your practice.
- protection from human error, natural disasters, power interruptions, malicious attacks – firewalls, encryption, password policies, anti-virus/antimalware protection
- where information is stored and if you have measures in place to ensure the security of information held on servers, back-ups (onsite or off-site), in the cloud (in Australia or overseas), on portable devices (memory sticks, flash drives, smart phones, laptops)
- If information can be accessed remotely, ensure it can be deleted remotely if necessary
- physical security of information you hold – where physical files are kept, and who has access to them, where you make telephone calls to patients or other healthcare providers and who has access to the premises during the day and after hours.
If documents need to be destroyed, ensure you use a secure document destruction company and that they have adequate security measures in place to guarantee safe transit and destruction.
OAIC Guide to Securing personal information
RACGP Computer and information security standards
Review and update your contracts and arrangements with third party providers
- Ensure third party providers who store information (e.g. in the cloud; outsourced backup providers), have security measures in place to protect private information.
- Ensure your contracts with IT software and hardware providers include a clause that protects the practice if there is a breach due to a system error or fault.
Implement mitigation strategies to prevent cybersecurity incidents
The Australian Signals Directorate recommends that organisations implement eight essential strategies to mitigate the risk of a cybersecurity incident. These are:
1. Application whitelisting – only allows selected software to run on computers.
2. Patch applications – to fix security vulnerabilities in software.
3. Disable untrusted Microsoft office macros – macros can enable the download of malware.
4. User application hardening – to block access to browsers which can be ways to deliver malware.
5. Restrict administrator privileges.
6. Patching operating systems - to fix security vulnerabilities in operating systems.
7. Multi-factor authentication.
8. Daily backup of important data and store securely offline.
An external expert view can be helpful. Consider hiring an IT consultant to undertake a security audit, testing and threat or risk assessment, and to help implement these mitigation strategies.
Australian Digital Health Agency Information Security Guide for small healthcare businesses
Australian Signals Directorate Essential Eight Explained