The data privacy amendment, the Privacy Amendment (Notifiable Data Breaches) Act 2017, was recently enacted by the Australian federal parliament to protect users from malicious internet attacks, which can include data breaches, security compromises, content and data leaks, ransomware attacks and so on.
The new regulations come into effect as of February 22nd, 2018.
The act draws cues from the Privacy Act 1988 and states that any business or individual must report to the Office of the Australian Information Commissioner (OAIC) if there is a known or suspected data breach.
“An entity must give notification if it has reasonable grounds to believe that an eligible data breach has happened, or it is directed to do so by the Commissioner.”
The new amendments clearly define what constitutes a breach:
“An eligible data breach happens if there is: unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; including the accessing, disclosure or destruction is likely to result in serious harm to any of the individuals to whom the information relates.”
Data breaches are a common occurrence; however, determining whether a breach must be reported to the OAIC and to any patients affected can be difficult.
A useful guide outlining the steps that should be taken to report a data breach is available from the Office of the Australian Information Commissioner’s website.
The guide is currently being updated to reflect the new legislation and clarifies that a “data breach” is not limited to hacking or data theft: it also covers accidental loss or disclosure of personal health data.
The OAIC Data Breach Notification Guide, available on the OAIC website, aims to educate users about how to handle personal information security breaches. In short, you need to take the following steps if you suspect that a data breach may have occurred:
A. Contain the breach
B. Evaluate the risks associated with the breach
C. Check whether the data breach warrants a report to the OAIC
D. Prevent future breaches and engage with your IT service provider (if they didn’t cause the data breach in the first place)
E. Notify the people potentially affected by the data breach and notify the Office of the Australian Information Commissioner
In reality, each step outlined above requires a significant investment of time to plan and carry out correctly. The same is true for a preventative approach: introducing and enforcing a strict workplace IT policy, and planning, training and ongoing monitoring.
The critical difference between the two approaches is that a reactive methodology is unpredictable and variable in cost. A data breach caused by negligence or ignorance will almost certainly damage the reputation of a practice.
The take-home lesson is that adequate data protection takes time and financial commitment, regardless of the decision you make in choosing to prevent or react. Careful prevention is akin to an insurance policy set to protect against the worst outcomes should a notifiable data breach occur.
Consider that large amounts of capital are becoming available by means of anonymous, cryptographic transfer. The incentive for professional software developers to create custom packages designed to be purchased and used by non-technically-minded criminals is massive.
The software (malware) is then used to target local businesses directly. Infection happens through social manipulation, using a USB key, CD, web link, email attachment and so on.
Once infected, the malware encrypts (effectively locking) images and documents using a secret key. The key or passphrase to decrypt the data can then be purchased from the extortionist using Bitcoin or another cryptocurrency, which they can convert to cash anonymously.
There is no guarantee that a breach won’t occur, even with the most careful planning and monitoring.
Just a few seconds of unsupervised access to a USB port, a compromised and targeted email to a staff member, or even a trusted but newly infected website can leave the most well-protected practice network a victim of extortion, with the added blow of having to report that breach to the OAIC.
In this case, your preventative offsite backup has protected your data from destruction. So long as all reasonable steps have been taken to prevent the infection and breach in the first place, a notification becomes more of a formality than a penalty for lax IT security policy.
Exposing sensitive medical information of others is not the only risk. Breaches could also include the accidental release of names, addresses, phone numbers, Medicare details and health particulars.
The fines for breaches under the Act are significant, and failing to notify the OAIC may result in substantial penalties, including fines of $360,000 for individuals and $1.8 million for organisations and business entities.
The OAIC is empowered to compel the offending entity to make a public apology or pay compensation to affected individuals.
Have discussions with your software vendor/IT consultant about the security of your practice records and management software, including any software that stores sensitive information such as names, addresses, patient records, and images.
Practices are generally doing the correct thing by using remote backups with cloud storage to protect their data and by operating software directly from the cloud.
Any information (both physical and virtual) must be secure. Check with your service providers that cloud data is encrypted during transport and at rest.
Consider the following:
How are workstations, servers, and devices protected? Does your Wi-Fi network link to your practice network?
Who is authorised to take backups offsite? Does your backup provider use local data centres for storage?
How alert and educated are the staff members in data privacy matters?
Do your staff members understand what a breach is, and when and to whom to report it in the workplace?
Has the matter been discussed in staff meetings?
Do your staff members feel empowered without fear to report errors or incidents?
Fostering a culture in your practice that encourages open conversations about possible risks to data security is advisable. You could later be held liable if you do not have such a culture in your workplace.
Make data breaches a frequent topic in meetings to ensure awareness among clinic staff.
Disposal of sensitive records is also essential. Incorrect records disposal can be considered a potential data breach. Destroying radiographs, record cards, practice printouts and so forth must be carried out in a way that ensures compliance with the standard.
The ADA suggests clinic owners consider obtaining Cyber Risk insurance to provide financial protection if a data breach occurs in spite of your best efforts.
If you have any questions or concerns about the issues raised in this article, please contact an IT consultant!