Most conversations around data breaches normally start with, “you won’t believe what just happened”. It could be that a CD with patient data goes missing, or it could be a laptop stolen from a parked car.
These data breaches can be devastating, particularly within the health sector. Patient medical records can be sold or used for identity theft, fraud, or to illegally obtain prescription drugs, and the Practice itself is exposed to financial, legal and, ultimately, reputational loss.
According to the latest report released by the Office of the Australian Information Commissioner (OAIC), human error is one of the leading causes of data breaches in Australia. There were 539 data breach notifications between July and December 2020. Of those 539, 23% came from health service providers, the highest share of any single sector.
Data Breaches 101: Tips for Keeping Your Practice Data Safe
A data breach is a serious type of security incident in which personal or confidential information held by an organisation, such as medical records or financial data, is accessed or disclosed without authorisation, or is lost in circumstances where unauthorised access or disclosure is likely.
Data breaches may occur due to:
- Lost or stolen laptops, tablet computers, mobile phones.
- Human error where personal information is mistakenly given to the wrong person.
- Malicious activity such as hacking of the organisation’s email accounts or databases.
The Notifiable Data Breach Scheme applies to any organisation covered by the Privacy Act 1988. These organisations must notify the OAIC and any affected individuals of a data breach that is likely to result in serious harm to the individuals to whom the information relates. Examples of serious harm include identity theft, loss of money through fraud, physical or psychological harm, and damage to an individual's reputation.
It is important to remember that some of these incidents happen through honest mistakes, but they can also occur through carelessness and a lack of procedure. This is why your Practice must have a suitable data protection policy in place and ensure that all staff are aware of their responsibilities under it.
During your assessment of a suspected data breach, the following should be considered:
- What happened, and the facts surrounding the breach.
- What information was involved, for example medical records or financial data, and how sensitive it is.
- How many individuals are affected.
- How severe the breach is: is it likely to cause those individuals serious harm?
It is expected that during the assessment of a data breach, organisations undertake remedial action to reduce the potential harm to individuals. If remedial action successfully prevents serious harm to affected individuals, notification is not required.
An eligible data breach occurs when all of the following are met:
- There has been unauthorised access to, or unauthorised disclosure of, personal information, or personal information has been lost.
- The data breach is likely to result in serious harm to one or more individuals.
- The Practice has not been able to remove the likely risk of serious harm through remedial action. Remedial action that does not reduce the likelihood of serious harm does not change this assessment.
If an eligible data breach has occurred at your Practice, take immediate measures to contain it and limit any further access or dissemination. Affected individuals must be notified of the risk of serious harm, and the OAIC must be notified as soon as possible using the Notifiable Data Breach Form.
It is possible to minimise the risk of a data breach by following a few best practices:
1. Implement a data breach response plan
- Having a plan for your Practice can significantly reduce the negative impact a breach can have on individuals, reduce the costs of dealing with a breach and minimise reputational damage to your Practice. The OAIC provides assistance with preparing a response plan for data breaches here.
2. Implement a strong password policy
- Weak or reused passwords are one of the most common causes of a data breach. A strong password policy, enforced by the system rather than left to good intentions, denies attackers easy access to sensitive data. Length matters more than forced character mixes, and lockout thresholds, screening against known-breached passwords and multi-factor authentication where it is available do more to stop password guessing than frequent mandatory rotation, which current guidance such as NIST SP 800-63B no longer recommends unless a compromise is suspected.
- With our Saffron version of Bp Premier, Practices can now implement a minimum password length, set user lockout thresholds, set a lockout wait period, set a maximum password age, indicate a password reuse interval, and enforce a strong password complexity.
- More information on this can be found on our knowledge base. From within Bp Premier, select Help > Online, and then search ‘manage password and access security’.
3. Adhere to the ‘principle of least privilege‘
- The principle of least privilege is the idea that any user, program, or process should have only the minimum privileges necessary to perform its function. In a Practice this means, for example, that a role which only books appointments does not need access to clinical notes, and that nobody uses an administrator account for day-to-day work.
- Information on user permissions is available on our Knowledge Base. From within Bp Premier, select Help > Online, and then search ‘user permissions’.
4. Educate staff on security awareness
- Employees have an essential role in keeping their organisation secure, but without security awareness and effective training they are the weakest link in the data security chain. Regular security awareness training reminds staff of evolving threats, helps them recognise attempts to trick them into handing over information, and teaches them how to protect patient data when communicating with others.
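As an added illustration of the controls listed under point 2 (minimum length, complexity, reuse interval, maximum password age, lockout threshold and lockout wait period), the following is a self-contained policy enforcer. It is example code written for this article, not Bp Premier's implementation; the parameter names, default values and the `Account`/`PasswordPolicy` structures are assumptions made for the demonstration. Previous passwords are kept only as salted PBKDF2 hashes, so the reuse check never needs plaintext, and a lockout is applied after the threshold is reached rather than on every failure.

```python
"""Password policy and lockout enforcement (added example, not Bp Premier code).
All parameter names and defaults below are assumptions for illustration."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


@dataclass
class PasswordPolicy:
    min_length: int = 12             # minimum password length
    require_complexity: bool = True  # at least three of: lower, upper, digit, symbol
    max_age_days: int = 90           # maximum password age before a change is forced
    reuse_history: int = 5           # number of most recent passwords that may not be reused
    lockout_threshold: int = 5       # failed attempts before the account locks
    lockout_seconds: int = 900       # lockout wait period


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""                              # PBKDF2 hash of the current password
    history: list = field(default_factory=list)       # (salt, hash) pairs, oldest first
    changed_at: float = 0.0                           # epoch seconds of last change
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; stored instead of plaintext for current and past passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_complexity(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy rules the candidate password violates (empty if none)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        classes = [any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)]
        if sum(classes) < 3:
            problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def set_password(acct: Account, password: str, policy: PasswordPolicy, now: float) -> list[str]:
    """Apply a new password if it passes the policy; return the list of violations otherwise."""
    problems = check_complexity(password, policy)
    # Reuse check: the current password plus the most recent history entries, newest first.
    previous = ([(acct.salt, acct.current)] if acct.current else []) + acct.history[::-1]
    for salt, digest in previous[:policy.reuse_history]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"reuses one of the last {policy.reuse_history} passwords")
            break
    if problems:
        return problems
    if acct.current:
        acct.history.append((acct.salt, acct.current))
    acct.salt = os.urandom(16)
    acct.current = _hash(password, acct.salt)
    acct.changed_at = now
    return []


def authenticate(acct: Account, password: str, policy: PasswordPolicy, now: float) -> str:
    """Return 'ok', 'expired', 'locked' or 'denied' for a login attempt at time `now`."""
    if now < acct.locked_until:
        return "locked"            # refuse even a correct password during the wait period
    if not hmac.compare_digest(_hash(password, acct.salt), acct.current):
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.lockout_threshold:
            acct.locked_until = now + policy.lockout_seconds
            acct.failed_attempts = 0
        return "denied"
    acct.failed_attempts = 0       # a successful login clears the failure counter
    if now - acct.changed_at > policy.max_age_days * 86400:
        return "expired"           # correct password, but a change must be forced first
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(lockout_threshold=3, lockout_seconds=60)
    acct = Account("reception")
    print(set_password(acct, "short1A!", policy, 0.0))          # length violation
    print(set_password(acct, "Correct-Horse-Battery-9", policy, 0.0))  # accepted
    for _ in range(3):
        print(authenticate(acct, "wrong", policy, 10.0))        # three failures
    print(authenticate(acct, "Correct-Horse-Battery-9", policy, 20.0))  # locked
```

The "expired" result is returned only after the password has been verified, so an attacker cannot use the expiry check to confirm a guess, and the lockout applies to correct and incorrect passwords alike until the wait period has passed.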
OAIC Data breach preparation and response:
Ideally, your Practice will never have to deal with a data breach, but it is crucial to have a plan in place in case one happens. We recently featured an article on Protecting Patient Data, and many of its key messages apply here too. Being prepared to handle a data breach may seem like work you will never need, but it is far better to have the preparation and not need it than to need it and not have it.
By ensuring that you are ready for an unexpected data breach, you have already done a great deal to minimise the financial, emotional and reputational damage it could cause your Practice, your staff and your patients.