Why cyber security needs to be a priority for your practice
Patient data is sensitive information, and anyone involved in the provision of healthcare has a responsibility to keep this important information safe. With cyber attacks on the rise in the healthcare sector, cyber security needs to be a priority for all practices – regardless of size. If patient data becomes compromised, there can be significant legal, financial and reputational impacts.
Recently, two major cyber attacks targeted the IT systems of hospitals in Victoria. In March, a ransomware attack in Melbourne’s Eastern Health District forced a number of hospitals to shut down their computer systems. And in 2019, hospitals within the Gippsland Health Alliance and South West Alliance of Rural Health (SWARH) networks also had to shut down their computer systems to isolate a ransomware infection, resulting in systems remaining offline a month later.
The ransomware attacks locked staff out of patient records, disabled booking and management systems, and created enormous strain on staff as they tried to resolve the issue. Patients were heavily impacted too, as non-urgent surgeries had to be cancelled, and the lack of access to records sparked concerns about the impact of losing access to vital information about a patient’s condition.
And it’s not just sophisticated cyber criminals that are to blame.
In September 2020, a NSW nurse was banned from practising for two years for forging prescriptions by logging into medical software with the usernames and passwords of two GPs at her practice. As well as using the software to forge opioid prescriptions for herself and a relative on more than 30 occasions, the nurse had also accessed a family member’s medical records to forge a letter from one of the GPs about the family member’s mental health.
These incidents illustrate how easy it is for medical software and patient information to be used for unlawful means if security is not taken seriously by a practice. And the impacts have the potential to be devastating.
Legal and financial impacts of a data breach
Phil O’Sullivan, a Partner at Allens, a leading international law firm, explains the potential legislative and financial impacts of a data breach. “You’re generally talking about privacy legislation and, in Australia, the Commonwealth Privacy Act. There are penalties up to about $2.1 million for a serious interference with privacy.”
Currently, the Australian Government is looking to increase this penalty to the greater of $10 million. These changes will bring the Privacy Act in line with Australia’s consumer protection legislation and align it more closely with the substantial penalties imposed in other countries.
Reputational damage and erosion of trust
OAIC’s Australian Community Attitudes to Privacy Survey reports that 70% of Australians consider privacy protection to be a major concern in their lives, with the top two risks identified as identity theft and fraud (76%) and data security and data breaches (61%).
A data breach can negatively impact an organisation’s reputation for privacy protection. If a practice is seen to be mishandling personal information, patients will turn to other options, and the resulting reputational damage (and, consequently, loss of income) can be devastating. In fact, up to 60% of small businesses that are impacted by a major cyber incident never recover and close their business within six months.
For your patients to feel comfortable sharing their medical issues, they need to have a high level of trust towards their practitioner. Once this trust is broken, it can be difficult, or even impossible, to get back. The latest Digital Trust Index report from identity provider, Okta, found that 49% of Australians surveyed would permanently stop using a company’s services following a data breach.
How to protect your practice
Data breach prevention needs to take a multifaceted approach, starting with clear processes for how a practice manages data and grants access to it. Having appropriate backup and business continuity procedures in place will also help to ensure your practice can be up and running as soon as possible after a cyber incident.
Technology solutions, such as MedicalDirector Shield, can be invaluable when it comes to protecting your practice. Developed in conjunction with cyber security experts, MedicalDirector Shield provides a physical plug-in device for your network, around-the-clock monitoring by an experienced Cyber Security Operations Centre, as well as reporting, training and guides to help safeguard your data.
By taking every reasonable measure to safeguard access to your computer systems, you’ll be in a good position to prevent a data breach, as well as demonstrating to your patients that you’re serious about the security of their information.