Hooded men at laptop surrounded by coding background

Cyber security framework gaps can be a costly oversight

Gail Wang, Risk Adviser - Member Advisory Services

Vanessa Seah, Claims Manager - Professional Conduct Claims BA/ LLB, LLM (Competition & Consumer Law), Grad Certificate in Emerging Technologies & Law

Tuesday, 24 September 2024

From July to December 2023, the healthcare industry reported the most data breaches to the Office of the Australian Information Commissioner (OAIC)1. Yet, many practices and sole practitioners operate without a cyber security framework — exposing them to risks that are costly.

Ignoring the problem can have dire results. A cyber-attack is not a question of 'if' but 'when,' as these Avant case studies show.

Data phishing

A medical practice received a phishing email disguised as a message from an existing patient, prompting staff to download a file via a malicious link.

After their login credentials failed, they contacted their IT provider, who quickly disabled the affected accounts. Since the hacked accounts did not have admin rights and weren’t linked to the practice’s software, only the mailbox contents were exposed. These included referral letters and personal information such as drivers' licence details and Medicare numbers.

Fortunately, the practice had complimentary cyber insurance with Avant, as part of their practice medical indemnity policy, and external experts were engaged for forensic analysis which identified 500 patients’ details were compromised.

Medicare fraud

A member had a laptop stolen, which they used to process Medicare claims through a secure payment platform.

Despite password protection on both the laptop and platform, criminals accessed patient information and updated bank account details to commit Medicare fraud.

The payment platform was able to identity the impacted patients, fewer than 100, and trace the criminals' IP address. With no other programs on the device, the evidence was minimal, and a full forensic analysis was not a viable option.

Email hacked

While working in shared rooms, a member discovered their secured email account had been hacked, resulting in nearly 4,000 emails being sent to patients and triggering a reportable privacy breach to the OAIC. The member did not have cyber insurance and notified Avant under their practitioner indemnity policy, but unfortunately the claim did not cover forensic analysis costs. However, Avant was still able to assist the doctor.

Avant’s assistance

In all three cases Avant’s Claims and Risk Advisory Service teams were able to assist with reporting obligations to the OAIC, notifications to impacted patients and remedial actions including implementing cyber security frameworks.

The first line of defence

The financial impact of a data breach can be significant. On average, each breach can cost a small medical practice approximately $46,0002. Cybercriminals can access your sensitive information from various sources, some obvious and some less apparent.

While cyber insurance may cover costs from a cyber event, it may not protect your reputation. You and your team need to establish cyber and privacy awareness frameworks as the first line of defence and ensure staff receive ongoing training in these areas.

Your frameworks must demonstrate reasonable steps, as required under the Privacy Act 1998 (Cth), to protect patients' sensitive information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

Also, having multi-factor authentication systems in place will significantly enhance your cyber security by reducing the likelihood of unauthorised access.

The importance of cyber insurance

If your practice is attacked and you don’t have cyber insurance, you’ll need to cover the costs of forensic investigations, which can be significant. Additionally, appropriate cover is essential for managing damage to your practice’s digital assets, regulatory defence costs, and business interruption expenses.

Avant provides complimentary cyber cover* (to eligible practices) with its medical practice indemnity policy. This can be invaluable in avoiding these financial burdens.

Summary

No practice or sole practitioner is immune from a cyber-attack.  By acknowledging the inevitability of an attack and taking proactive measures, you mitigate risks and are better equipped to handle a cyber-attack if it arises.

Your practice's first defence should be a strong cyber security and privacy framework, along with staff training in these areas.

While Avant can assist members with reporting obligations, if you experienced a significant cyber-attack, without cyber insurance, you will likely have to deal with it on your own and at a considerable cost.

Further resources

Information security guide for small healthcare businesses - Australian Government Digital Health Agency
Cyber security training and support - Australian Government Digital Health Agency
Computer and information security standards - Royal Australia College of General Practitioners
Essential Eight - Australian Signals Directorate

More information

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.

For Avant Risk Advisory Services visit avant.org.au/risk-advisory-services.

Topic
Career stage

Other resources

  1. 4 things your practice must do to ensure healthcare governance compliance

  2. A guide to launching a private practice: 4 key considerations

  3. Doctor shaking hands

    Expanding Your Practice: When and How to Add New Locations or Services

More ways we can help you

Indemnity insurance
Health insurance
Practice solutions
Finance
Legal services
Life & income protection

Disclaimers

IMPORTANT: The Practice Medical Indemnity Policy is issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765. This policy wording is available at www.avant.org.au or by contacting us on 1800 128 268. Practices may need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation. Staff will not be covered when they are acting in their capacity as a medical practitioner.

The case discussed in this article is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality.

This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.

*Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant Insurance.

  1. Australian Government, Office of Australian Information Commissioner, Notifiable data breaches report July to December 2023, https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-july-to-december-2023#:~:text=Malicious%20or%20criminal%20attacks%20remained,affected%20100%20or%20fewer%20people.
  2. Australian Signals Directorate, ASD Cyber Threat Report 2022-2023, https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023
To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation, Avant acknowledges the Traditional Custodians of Country throughout Australia, and their connections to land, sea and community. As a national organisation, we pay our respects to Elders past and present, of the lands on which we gather and work, and extend that respect to all Aboriginal and Torres Strait Islander peoples.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Finance is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.


The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.