Privacy and data breaches in businesses across different sectors are becoming increasingly common. Recent news reports of data breaches at telecommunications and private health insurance businesses remind us of the importance of maintaining data security and meeting your privacy legislation obligations.
With more sensitive patient and practice information being stored electronically, we can expect the risks of a practice experiencing a data breach or cyber attack to be ever-increasing. And ASIC has recently warned company directors that a failure to adequately address cyber risk or comply with disclosure and reporting requirements may be a breach of directors’ duties. Fines can be crippling, with the Federal Court of Australia recently ordering one business to pay $750,000 in costs to ASIC in connection with failing to adequately manage its cyber risks.
Here, we’ll look at privacy principles, and how you can plan to mitigate risk of a privacy and data breach or cyber attack at your practice.
Know the privacy principles and your obligations
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), persons who collect, deal with or disclose personal information are subject to certain obligations.
‘Personal information’ is defined as:
- any information or opinions about an identified individual (or an individual who is reasonably identifiable), and
- includes sensitive information.
Businesses have an obligation to meet 13 APPs, and certain additional obligations may be imposed under your relevant state or territory privacy laws.
How might a cybersecurity incident or privacy breach impact your practice?
A data or privacy breach, or cyber attack, can have devastating financial, operational and reputational impacts for your practice. You may experience business interruption if the Office of the Australian Information Commissioner (OAIC), the body responsible for the enforcement and regulation of the Privacy Act, investigates a breach.
Serious and repeated breaches of the APPs may carry civil penalties of up to $2.2 million (for a body corporate) or $444,000 (for individuals).
Accredited medical practices may face potential impacts on continued certification with potential related financial implications, including access to Practice Incentive Program (PIP) payments.
To help avoid these impacts, it’s crucial to adopt a whole-practice approach to complying with your privacy obligations, from directors and managers to admin staff. ASIC’s Cyber resilience good practices guide is helpful, covering how to meet the 11 elements below in more detail:
- Board engagement
- Governance
- Cyber risk management
- Third party risk management
- Collaboration and information sharing
- Asset management
- Cyber awareness and training
- Protective measures and controls
- Detection systems and processes
- Response planning
- Recovery planning.
How your practice can mitigate cyber and data breach risks
Up-to-date and APP-compliant policies and procedures are one of the key ways to manage and mitigate your potential exposure to cyber risk.
With an online practice management platform like PracticeHub, you have customisable and compliant policy and procedure templates on board, so they’re easy to adapt and implement into your daily practice operations. Templates include:
- Privacy and confidentiality policy: transfer of information, informing patients how to access their health records, sharing information with third parties
- System security and responsibilities: firewalls, system backup, confidentiality, remote access
- My Health Record security and access
- Email use policy: obtaining and recording patient consent to email communication, verifying email addresses, password protection and encryption.
PracticeHub also includes registers for your practice equipment, contracts and insurances, to help you comply with point 6 of ASIC’s Cyber resilience guide: Asset management. In the contracts register, you can include subscriptions to software platforms, such as antivirus, and other third-party products or services, including your IT provider.
Keeping all your processes and documentation in one place with PracticeHub allows for easy access among your team, and oversight by the practice manager.
Training is another important part of managing your privacy and cybersecurity risk. PracticeHub’s onboard learning modules include one on privacy and confidentiality which covers privacy legislation and APPs, IT security, technology and privacy, as well as the importance of visual and auditory privacy in your practice.
And of course, regular review of your systems and processes is essential to stay current with cyber risks and your practice’s obligations.
Managing a notifiable data breach
The Privacy Act includes a Notifiable Data Breaches scheme which requires an organisation to notify the OAIC and affected individuals when a data breach is likely to result in serious harm to an individual whose personal information is involved.
According to the OAIC, an eligible data breach occurs when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
- this is likely to result in serious harm to one or more individuals, and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
As part of managing a data breach, you are required to take immediate action to investigate the cause of the breach and prevent any further breaches from occurring. This is where, again, your policies and procedures will help maintain your practice’s cyber security.
For more strategies and insights on this important topic, watch our recent webinar, Cybersecurity and privacy: risks and obligations for your practice.
Start building a better practice today. Phone us on 1300 469 866.
This article is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on its content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this article must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2023.
