This article was originally published on the Avant website in November 2019. © Avant Mutual Group Limited.
Running a healthcare practice in today's digitally connected world comes with increasing and evolving cyber risks. The volume and sensitivity of the medical data that practices now store and access entirely electronically can leave them exposed to a cyber incident.
The Office of the Australian Information Commissioner's (OAIC's) Notifiable Data Breaches Scheme 12-month Insights Report found that health service providers reported the highest number of data breaches under the scheme, around 20% of the total, for the period 1 April 2018 to 31 March 2019.
The report found malicious attacks were the main source of reported data breaches, accounting for 60% of the 964 eligible data breaches. Phishing scams were the most common cyber incident, followed by compromised or stolen credentials; both typically involve users being tricked into giving up their login details.
Cyber incidents like these can result in loss of access or damage to your data, including medical and financial records, employee files and personal information. Losing access to your data or having it destroyed entirely can severely disrupt your practice and be devastating for your patients.
Cyber insurance is a good way to protect your practice against many of the common losses associated with a cyber incident. However, insurance cover is only one part of managing cyber security risk; developing strategies to minimise your exposure to an incident is just as critical to surviving one.
Tips to prevent cyber incidents
No business is immune to a cyber incident, and small and medium-sized practices can be more vulnerable because they have fewer resources and may assume their practice is too 'small' to be targeted.
The OAIC report found human error was the leading cause of data breaches in the health sector, accounting for 55% of that sector's breaches. Educating staff on their responsibilities, and having policies and processes in place, is therefore the best defence for managing your practice's risk.
Educate your employees
The more your employees understand the value of your practice's data and digital assets, and the ways they can inadvertently contribute to a data breach, the better protected you will be. Along with ongoing education, your practice should have a policy that sets out staff expectations on cyber security, including:
- not sharing passwords
- acceptable use of the internet
- installing or downloading software on practice systems
- caution when opening unusual or unexpected emails.
The policy should also set out your protocol for backing up data and a recovery plan to follow if an incident occurs. One person should be assigned responsibility for your practice's data security, and all staff should be trained, and regularly updated, on their roles and responsibilities if an incident occurs.
Develop a business continuity plan
A business continuity plan is critical to risk management planning, as it details how your practice can continue to operate and provide healthcare services if a major cyber incident occurs.
The plan should outline your data back-up procedures and how patient care will be managed. Keep a supply of paper prescription pads, a hard-copy appointment diary and patient history forms available so that the essential parts of your practice can keep running with minimal disruption if your systems are unavailable.
Select third party providers who understand cyber risk
Third-party providers, including contracted IT providers and outsourced electronic storage services that hold your information, are effectively custodians of your data and your patients' data. It is critical to know that they have security measures in place to safeguard this private information.
You should ensure your service providers understand the risks and take the security of your data seriously, and you may want to ask additional questions before entering into or renewing an agreement with a provider. Contracts with IT software and hardware providers should also include protections for the practice if a security breach results from a system error or a fault on the part of the provider.
Consult with your IT service provider
One of the most effective steps in managing your risk is to understand your practice's vulnerabilities to a cyber incident and to identify where you are most exposed.
Consider engaging an IT consultant to undertake a risk assessment of the potential threats to your practice and to help develop strategies to prevent them. Download our factsheet for five steps to protect your network and systems.
Disclaimer: This article was provided by Avant Mutual. While every effort has been made to ensure the information is accurate, North Western Melbourne Primary Health Network does not warrant or represent the accuracy, currency and completeness of any information or material included within.