In recent years, cybercrimes targeting U.S. optometry practices have exposed personal health and financial information of millions of patients. Do you know how robust your data security systems are?
The Office of the Australian Information Commissioner noted a 41% increase in breaches caused by malicious and criminal attacks in its most recent report, covering the period to December 2022. The Australian Cyber Security Centre received 76,000 reports of cybercrime in 2021-22, according to its annual cyber threat report for July 2021 to June 2022. That is one report every seven minutes.
Health data is attractive to cyber criminals, and practices may experience attacks designed to expose patient healthcare and financial records and/or to demand ransom payments.
As well as the risk to patient privacy and reputation, breaches may cripple practice operations, as an Avant member discovered after a ransomware attack: “All our records, all our appointments, all our contacts, all our address books are on the computer system which meant that we had no data at all. We didn’t have … billing information or any links to our health funds. We did have backups and we thought that was a good thing to do. Unfortunately, it turns out that the links to the backups were not secure and so the backups were infected as well.”
Protecting your practice systems and reducing risk
1. Establish a culture in your practice that takes cyber security seriously
No organisation is too small to be vulnerable to cyber breaches, and your system may be connected to other systems, including those of suppliers, hospitals or government. If you connect to the My Health Record system, you are required to comply with legislated security requirements.
Malicious attacks often involve an element of human error, so training staff to be cyber security aware can help reduce your risk. Make sure staff understand and follow information security practices, such as using strong passwords and thinking before clicking on links.
Consider also taking out cyber insurance to cover the risks to your practice.
See the links in the online version of this article for a range of resources to assist including information guides, eLearning courses and other educational materials.
2. Make sure your security measures are up to date
Criminals take advantage of system vulnerabilities. Keep your systems up to date and use anti-virus and ad-blocking software. Apply security patches regularly and allow automatic updates from the manufacturer. Password security can be strengthened by using two-factor authentication. Secure your backups, and keep them separated from the systems they protect so that a compromise of the practice network cannot reach them.
An IT expert can undertake a security audit or risk assessment to identify potential threats to your systems, including any devices that connect to your practice network.
3. Review your information handling practices
Review how you handle patient information, including what information you collect, how you use it, and how you store it. Also consider what information you need to share with suppliers such as eyewear and device manufacturers, and share only what is necessary.
Make sure your processes set out how long you need to keep information, and what you do with information when it is no longer needed.
Australian privacy law says you must destroy or permanently de-identify information collected for a specific purpose once you no longer need it for that purpose. However, in the case of health records, there are separate requirements governing how long these must be kept and when and how they can be destroyed.
Avant members have told us patients contacted them after the Optus and Medibank breaches asking for all their records to be deleted. If you receive such a request, you may still be legally required to keep records, even for former patients, so seek advice if you are unsure.
4. Seek help if you have a cyber security incident
Call for help as soon as you become aware of an incident, as your system may have been breached days or weeks earlier. Contact the Australian Cyber Security Hotline, your IT service provider or your insurer for further advice and assistance.
If patient data has been compromised, you may have mandatory notification requirements under the Notifiable Data Breaches scheme.
If you connect to the My Health Record system and there has been a potential compromise of that system, you are required to notify the Australian Digital Health Agency.
About the Author: Georgie Haysom BSc LLB (Hons) LLM (Bioethics) GAICD is the General Manager, Advocacy, Education and Research at Avant.