91% of Aussie healthcare IT professionals say that their biggest concern is patient record information being stolen and revealed or getting lost without an adequate backup. After all, our health information is crucial to ensuring we get the proper care when needed.
Data such as vaccination records, current medication, and allergies are vital for triaging and treating patients, and it is one of the few jobs where making the right call can be life or death.
So the fear of information being lost or stolen isn’t unfounded, particularly when we look at the rise in healthcare breaches worldwide. This isn’t a new trend – back in 2020, we talked about the forced digital transformation of healthcare and the challenges that it entailed.
And then, within the last few weeks, the FBI released a report warning US health organisations of new identity theft threats. This announcement comes after HCA Healthcare advised that 11 million patients across the US and Britain may have had their personal data stolen last month.
Why healthcare?
While many of the breaches you see on the news involve companies being held to ransom, the perpetrators of healthcare breaches are generally chasing personal identification information (PII). That is not to say they won’t attempt to extort the medical practice or hospital for some cash in return for the records, but they will also look to threaten victims directly.
The sensitivity of patient health records links directly to how valuable they are to a cybercriminal. It has often also meant that healthcare organisations have a high propensity to pay a ransom.
In stark contrast to the value that malicious actors place on healthcare information, the industry has traditionally been slow to implement modern cybersecurity measures. In 2020, we discussed a doctor offering to mail medical records on an unencrypted CD. Many organisations within the industry have progressed since then, although not all.
We recently spoke to Joanne McRae, Director of Anson Medical, about the challenges.
“Australian medical systems are very fragmented,” says Joanne. “With no single approach to securely sharing health data from hospital to GP or specialist, to pharmacy, it’s far from an easy process. Even if a person changes practices within Orange, it’s not a seamless information transfer. So, we all had to resort to methods – like faxing – that are inherently inefficient and outdated.
“It’s been a massive issue, so it’s been great to have advice from Mitch on the risks of data breaches. Our team members now understand the need to discourage patients from emailing us their information, and why we’ve introduced new email data encryption methods. If we must email something, we can. But Colton has ensured that it’s in an appropriate way that reduces our risk of exposing patient data or sending personal information to the wrong address. Everything we share is encrypted and password protected, so we can move information safely and securely.”
You can read more about Anson Medical’s journey towards better cyber security here.
The consequences for healthcare organisations
In 2023, healthcare organisations do have an incentive to pull their cyber socks up. Australia’s privacy laws have been evolving since the commencement of the Notifiable Data Breaches Scheme on 22 February 2018. The goal of these laws is to protect Australians’ personal information and privacy more effectively, and it is putting more onus on businesses to take steps to avoid a breach.
And if there is a breach, what then?
According to the My Health Records Act, a data breach involves:
The unauthorised collection, use or disclosure of health information in an individual’s My Health Record; or
A situation where:
- an event that has, or may have, occurred or
- any circumstances have, or may have, arisen
that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act).
If you experience a breach, then the Australian Digital Health Agency has published clear guidelines on what to do next:
1. Contain
The first and most urgent priority is to minimise the damage the breach may cause. This may include disconnecting the system, deactivating user accounts or instructing team members to change their passwords. You will also need to notify the Australian Digital Health Agency in case there is any potential risk to the My Health Record System.
2. Assess
Next, you need to conduct a thorough assessment of the cybersecurity breach. Your goal is to identify what personal information was affected, the cause of the attack, and how you can minimise the impact.
3. Manage notifications
The third step is to notify the relevant internal and external stakeholders, including:
4. Continue your investigation
Continue to investigate to ensure you have identified the full extent of the situation and then incorporate these findings into your security systems, Incident Response Plan and Disaster Recovery Plan. Update the Agency and the OAIC with any further information that you uncover.
So, what steps should you take to become more cyber secure?
The foundations are similar no matter what industry you are in, with the following steps highly recommended:
If you aren’t sure whether your organisation is covering all the bases, you can book a free cyber security assessment with the Colton team here: https://coltoncomputers.com.au/free-cybersecurity-assessment/