According to a recent survey, the overwhelming majority of Australian doctors are unaware of, or unprepared for, new privacy laws which will directly affect their medical practices and which come into force on 22nd February. These laws introduce a mandatory data breach notification requirement, meaning that doctors and medical practices will have a legal obligation to notify both the people affected by any data breach and the Office of the Australian Information Commissioner.
The requirement applies to breaches where “a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure”.
Each notification must contain a description of the breach, the type of information involved, and how the patients should deal with the data breach. Failing to notify patients of the breach can lead to fines of up to $360,000 for individual doctors and up to $1.8 million for organisations.
It’s important to note that data breaches can come in many forms and aren’t limited to criminal cyber attacks. They could also be the result of a stolen laptop containing patient information, for example, or accidental disclosure of patient records to a third party.
But it’s also true that healthcare providers have been the particular target of ransomware attacks, which encrypt a computer’s information and then ask for a ransom fee to unlock it. In the United States, around 88% of ransomware attacks have targeted healthcare providers, according to recent research. And Australian institutions have not been spared: just last year, a Queensland hospital suffered a massive loss of patient data due to a ransomware attack.
But do not assume that just because you are a small practice you are immune from cyber attack. Patient records including names, birthdates, Medicare numbers and billing information can provide a rich source of data for criminals and are readily sold on the black market.
Here are some tips for mitigating exposure to unintended data breaches in your practice:
- Ensure that you properly understand your obligations under the newly amended legislation;
- Check with your insurer that you are adequately covered for any unintentional privacy breaches in relation to your provision of healthcare;
- Review your IT systems for collecting, storing and backing up patient information and document where the information is stored and who has access to it;
- Ensure your software is up to date and that cybersecurity software is installed;
- Ensure you have an emergency response plan to deal with any data breach and that you and your staff are fully aware of what to do in case of such an emergency;
- Make sure you document your plan and regularly test it.