
Cyber security framework gaps can be a costly oversight

Gail Wang, Risk Adviser - Member Advisory Services

Vanessa Seah, Claims Manager - Professional Conduct Claims BA/ LLB, LLM (Competition & Consumer Law), Grad Certificate in Emerging Technologies & Law

Tuesday, 24 September 2024

From July to December 2023, the healthcare industry reported the most data breaches to the Office of the Australian Information Commissioner (OAIC)¹. Yet many practices and sole practitioners operate without a cyber security framework, exposing them to risks that are costly.

Ignoring the problem can have dire results. A cyber attack is not a question of 'if' but 'when,' as these Avant case studies show.

Data phishing

A medical practice received a phishing email disguised as a message from an existing patient, prompting staff to download a file via a malicious link.

After their login credentials failed, they contacted their IT provider, who quickly disabled the affected accounts. Since the hacked accounts did not have admin rights and weren’t linked to the practice’s software, only the mailbox contents were exposed. These included referral letters and personal information such as drivers' licence details and Medicare numbers.

Fortunately, the practice had complimentary cyber insurance with Avant as part of its practice medical indemnity policy, and external experts were engaged for forensic analysis, which identified that 500 patients' details had been compromised.

Medicare fraud

A member had a laptop stolen, which they used to process Medicare claims through a secure payment platform.

Despite password protection on both the laptop and platform, criminals accessed patient information and updated bank account details to commit Medicare fraud.

The payment platform was able to identify the impacted patients, fewer than 100, and trace the criminals' IP address. With no other programs on the device, the evidence was minimal, and a full forensic analysis was not a viable option.

Email hacked

While working in shared rooms, a member discovered their secured email account had been hacked, resulting in nearly 4,000 emails being sent to patients and triggering a reportable privacy breach to the OAIC. The member did not have cyber insurance and notified Avant under their practitioner indemnity policy, but unfortunately the claim did not cover forensic analysis costs. However, Avant was still able to assist the doctor.

Avant’s assistance

In all three cases, Avant's Claims and Risk Advisory Service teams were able to assist with reporting obligations to the OAIC, notifications to impacted patients and remedial actions, including implementing cyber security frameworks.

The first line of defence

The financial impact of a data breach can be significant. On average, each breach can cost a small medical practice approximately $46,000². Cybercriminals can access your sensitive information from various sources, some obvious and some less apparent.

While cyber insurance may cover costs from a cyber event, it may not protect your reputation. You and your team need to establish cyber and privacy awareness frameworks as the first line of defence and ensure staff receive ongoing training in these areas.

Your frameworks must demonstrate reasonable steps, as required under the Privacy Act 1998 (Cth), to protect patients' sensitive information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

Also, having multi-factor authentication systems in place will significantly enhance your cyber security by reducing the likelihood of unauthorised access.

The importance of cyber insurance

If your practice is attacked and you don’t have cyber insurance, you’ll need to cover the costs of forensic investigations, which can be significant. Additionally, appropriate cover is essential for managing damage to your practice’s digital assets, regulatory defence costs, and business interruption expenses.

Avant provides complimentary cyber cover* (to eligible practices) with its medical practice indemnity policy. This can be invaluable in avoiding these financial burdens.

Summary

No practice or sole practitioner is immune from a cyber attack. By acknowledging the inevitability of an attack and taking proactive measures, you mitigate risks and are better equipped to handle a cyber attack if it arises.

Your practice's first defence should be a strong cyber security and privacy framework, along with staff training in these areas.

While Avant can assist members with reporting obligations, if you experience a significant cyber attack without cyber insurance, you will likely have to deal with it on your own and at a considerable cost.

More information

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.

For Avant Risk Advisory Services visit avant.org.au/risk-advisory-services.

Disclaimers

IMPORTANT: The Practice Medical Indemnity Policy is issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. This policy wording is available at www.avant.org.au or by contacting us on 1800 128 268. Practices may need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation. Staff will not be covered when they are acting in their capacity as a medical practitioner.

The cases discussed in this article are based on real cases. Certain information has been de-identified to preserve privacy and confidentiality.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

*Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant Insurance.
