On the eve of the long-awaited introduction of the Notifiable Data Breach scheme, healthcare providers are being warned to shut the leaks, update software, train staff, implement an incident response plan, take caution with faxes and ensure they have insurance or they could face reputational and financial damage.
The Office of the Australian Information Commissioner has today released a Data breach preparation and response guide ahead of the legislation kicking into effect tomorrow, which could require organisations – including hospitals, GP surgeries and other healthcare providers – to inform patients when their private information has been leaked, breached, lost or misplaced.
A data breach can include a stolen mobile phone containing personal data, sensitive medical results faxed to the wrong number, or a hacked database, all of which are risks faced by organisations that are the custodians of individuals’ most sensitive and confidential information.
The OAIC has been on a communications blitz in the lead up to the scheme’s introduction, developing resources for organisations, targeting industries and dispatching representatives to speak at events.
“Regulated organisations should already have processes and systems in place to meet the scheme’s data breach notification and assessment obligations,” an OAIC spokesperson said.
The 2017 Australian Community Attitudes to Privacy Survey found that healthcare was considered one of the most trustworthy sectors, with 79 per cent of people trusting providers to protect and use personal information. But the proliferation of digital systems has compounded the risk.
“Building and maintaining this trust today, in an increasingly digital and data-saturated environment, depends on demonstrating transparency and accountability in personal information management,” the spokesperson said.
The NDB scheme mandates that Australian Government agencies and organisations with obligations to secure personal information under the Privacy Act 1988 notify individuals affected by data breaches that are likely to result in serious harm.
According to the OAIC, serious harm can include financial loss or emotional distress and it has provided a list of support services for people who will be informed that their personal information has been compromised once the scheme comes into force.
Despite the implications for individuals, the scheme is in line with community expectations. The survey found that 94 per cent of Australians believe they should be told if a business loses their personal information, while 95 per cent said they should be notified if a government agency suffers the breach.
“The Notifiable Data Breaches (NDB) scheme formalises existing community expectations for transparency when a data breach occurs,” the OAIC spokesperson said.
“Notification provides individuals with the opportunity to reduce their chance of experiencing serious harm through protective action, and it reinforces organisations’ accountability for the security of the personal information entrusted to them.”
Cybersecurity companies and legal firms have also been advising healthcare organisations on what they need to do.
“In the healthcare industry, a patient’s trust in the healthcare provider is particularly important. Patients want to know that their information is kept securely and that prompt action is taken to rectify any breaches. Failure to comply with the legislative requirements will place healthcare providers at risk of action from the Privacy Commissioner and at risk of significant reputational damage,” Special Counsel with MinterEllison Sonja Read said.
In addition to notifying individuals affected by an eligible data breach, organisations are required to notify the OAIC. Failures to comply with the NDB scheme can attract fines of up to $2.1 million.
MinterEllison recommends that providers put in place a data breach incident response plan, specific policies and procedures, and a dedicated and trained team drawn from legal, IT, communications and risk. The plan should be communicated to all staff, with appropriate training on how to monitor for breaches, and what to do if they suspect or become aware of a data breach or other cyber security incident.
“It is key that organisations dedicate time and resources to knowing their data (what they hold, where it is held, how it is protected), developing a plan to respond to a data breach or suspected data breach, and training staff in the plan. Failure to take these steps may mean that data breaches will go undetected or there will be delays in investigations and reporting,” Read said.
The legal firm also recommends healthcare organisations review their insurance policies to assess if they are covered for data breach costs, claims and penalties and, if not, consider purchasing appropriate cyber liability insurance. The privacy and data security clauses in their contracts with third parties should also be revisited to assess if they support compliance with the new obligations and allocate responsibility for the assessment and notification steps if a breach occurs.
“Although we anticipate that there will be an increase in reported breaches under the mandatory reporting regime, consistent with the experience in other jurisdictions, the magnitude of this increase is difficult to predict for certain sectors. Whether there will be a significant increase in reporting in the healthcare industry depends on how many providers were already engaging in voluntary reporting,” Read said.
Targeted cyber intrusions remain the biggest threat to ICT systems, she said, with “many examples” of cyberattacks on hospital record systems both overseas and within Australia.
As part of her mitigation advice, Read advises healthcare organisations to look to the Department of Defence’s Australian Signals Directorate, which has published Strategies to Mitigate Targeted Cyber Intrusions such as application whitelisting, patching applications and operating systems, using the latest versions of software, and minimising administrative privileges.
The Australian Government’s national computer emergency response team CERT Australia also provides resources to explain and help prevent common cyber security threats, including ransomware.
“Even entities with a high standard of data security practices and processes can experience a cyberattack,” Read said.
Meanwhile, this week Australian Attorney-General Christian Porter announced that Australian Information Commissioner and Privacy Commissioner Timothy Pilgrim will be retiring on 24 March. He has served as privacy commissioner since July 2010 and previously was deputy privacy commissioner from 1998.