Since the introduction of the Mandatory Notifiable Data Breach scheme in February 2018, the Healthcare sector has reported the most data breaches to the Office of the Australian Information Commissioner (OAIC).
Considering the sensitivity of our health information, this should be a major concern for all of us.
Let’s look at why the Health sector is infected so much…
There is a significant increase in the amount of health data being stored and transmitted due to:
- more medical devices and patient wearables,
- an increase in the use of telehealth and telemedicine, and
- the adoption of electronic health records both internally and nationally.
Health information is worth more to criminals than almost any other form of personal data because:
- Health practitioners are more likely to meet hackers’ demands, as losing access to health information affects patients and staff (in some cases, critical surgery or care),
- Health information is a non-perishable asset and retains value for a longer period after a breach, and
- the value of personal information on the dark web doubles when it includes medical information.
The Healthcare sector has stricter reporting requirements, such as:
- every organisation handling health information is subject to the Privacy Act as there is no annual turnover threshold, and
- a data breach involving health information is more likely to cause serious harm.
The Healthcare sector incorporates many small businesses, which more than likely lack an understanding of:
- current security risks,
- vulnerabilities when adopting new technologies, and
- how to address exploited vulnerabilities to prevent future breaches.
How does the Healthcare sector remedy this?
Health practitioners need to take the same approach as they do with their patients: diagnose, then implement a sustainable treatment strategy.
The strategy must prepare a business as best as possible to:
- minimise the likelihood of a breach (e.g. implement robust and sustainable privacy policies and practices, conduct ongoing staff training, review current practices and systems, conduct regular reviews of data storage processes, etc.), and
- minimise the damage of a breach when it occurs (e.g. implement a Data Breach Response plan).