7 steps to avoiding a human data breach
Monday, 22 July 2024
Dramatic cyberattacks may make the headlines, however according to the most recent Notifiable Data Breaches Report, human error makes up 30% of all notifiable data breaches (second to malicious or criminal attack at 67%).
The July to December 2023 report released by the Office of the Australian Information Commissioner (OAIC) also found that health service providers reported 104 data breaches which was the largest source of notifications.
Of the breaches involving human error in all sectors, 33% were the result of personal information being sent to the incorrect email address.
We’ve reviewed the OAIC report and calls to Avant involving data breaches, and have identified the following key learnings.
1. Check before pressing send
Errors such as private information being sent to the wrong recipient accounted for 33% of all human error breaches as reported in the 2023 OAIC report.
This was also high on our list of reasons for calls — and the source of considerable angst. It is an easy error to make if you are emailing or texting patients.
2. Check before posting
We also had a number of calls where information was posted to incorrect addresses or information such as recall letters intended for several recipients was included in one envelope.
While many practices are cautious about sending sensitive information electronically, it is important also to check you have robust procedures in place for posting information.
3. Beware the autocorrect
Another emerging theme was the perils of auto text. This can be a problem in both email programs and word processing software, which may default to including recently or frequently used addresses.
This can contribute to the problem of information being sent to the incorrect address.
It could also lead to patient information in reports or referral letters being sent to the wrong provider.
4. Secure patient information
Laptops, USBs, logbooks, or physical files lost or stolen from homes, cars or public transport accounted for another significant group of calls.
While it is not possible to completely guard against theft, precautions such as having protocols for when and how patient information can be taken out of the practice, password protection and encrypting files, and locking devices can help.
Protocols for ensuring devices can be remotely located or wiped and ensuring regular and secure back-ups not linked to your system will mean you can wipe devices without loss of data.
Where the loss or theft involved physical files, these were often found discarded, so it is also important to report a loss.
5. Lock unattended devices
Phones left unlocked or with no password protection and computers left logged on and unattended were another source of data breach.
Check the security settings on office computers and have appropriate controls on any devices that have access to patient information files.
6. Closed unused browser and application windows
Having multiple windows open and flicking through them might be convenient.
However, there have been reported cases where this practice has led to medication errors.
It has also resulted in the wrong patient information being inserted into referrals or pathology requests.
7. Be prepared
All these errors have the potential to lead to patient harm, as well as regulatory action and reputational damage.
Since the introduction of the Notifiable Data Breaches scheme, the OAIC has taken an educative approach.
The 2023 Privacy Act Review recommends enhanced enforcement provisions, so it is possible the OAIC may undertake broader enforcement activities in the future.
The good news is that many of these breaches are preventable, and our experience is that the time taken to avoid having a data breach is definitely preferable to the time and stress of having to respond to a breach.
Final suggestions
Review your privacy procedures and make sure that everyone in your practice, including temporary staff and contractors, understands their responsibilities.
You need a data breach response plan. Whether or not you end up having to report a data breach to the OAIC, you will need to be able to respond promptly and document what steps you have taken.
Even the most secure systems can be vulnerable to human error. Remind staff about the need for secure passwords and the dangers of phishing and other scams to gain access to your systems.
If you are not sure who is asking for information, always check.
Reference and further reading
Avant collection - Cyber: what you need to know
More information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
Disclaimers
IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.
More ways we can help you
Our CPD courses for Avant members
Tick off some CPD hours and learn more with our in-depth eLearning courses, free for Avant members. Our courses include education activities, reviewing performance and measuring outcomes.