Do you work in the healthcare industry? Whether you’re a ...
In today’s information age, the everyday use of terms such as ‘data mining’ and ‘identity theft’ point to the growing use of information both as a tool and as a weapon.
As some of the world’s largest companies own up to major data breaches, the spotlight is turning to medical data security in Australia, after the medical records of 31 private hospital patients in Melbourne were found dumped in a public street.
At the time of the incident, there was no requirement under Australian law for those 31 patients to be notified about the breach of their privacy. But, new government legislation is attempting to change that.
Under the new Notifiable Data Breaches Scheme introduced in February 2018, an organisation must report privacy breaches likely to result in serious harm to the Australian Information Commissioner. They must also notify the person(s) affected and advise them on the steps they should take to mitigate their losses in light of the breach.
With financial information such as credit card details seemingly providing a much quicker path to profits, you might be wondering why medical data is now becoming more valuable to cybercriminals.
Although it can take longer to execute, identity theft can be a much more profitable crime, and medical data can provide a plethora of intimate personal details that help to build up a false personal profile.
Financial fraud is also becoming harder to execute, with new technology allowing for faster notification and cancellation of cards and accounts if they are hacked.
In fact, the value of medical data has increased so much that attacks on Australian systems containing personal health information have increased by 125% in the last five years. A recent example is the Australian Red Cross Blood Service, where personal and medical details of over half a million clients were leaked to a hacker.
Critics of the new Notifiable Data Breaches Scheme point to the fact that many organisations are exempt from having to report breaches.
While the legislation includes government agencies, businesses and not-for-profit organisations with a turnover of $3 million or more, many organisations which collect and store personal data are exempt, including state-based entities such as major public hospitals.
The same critics have also pointed out that funding to enforce the Notifiable Data Breaches Scheme is insufficient and that penalties for non-compliance are small change to many large organisations and not a strong incentive to comply.
A cybersecurity expert at Deakin University is calling instead for a data protection method that closes the stable door before the horse has bolted.
Dr Tianqing Zhu says recent cases demonstrate that harvested data can be linked to other data on the web which can reveal additional unauthorised private information. He says a more anonymous means of storing and sharing personal data is called for.
According to Dr Zhu, regulations should be introduced to protect this data with privacy preservation methods such as those already being employed by tech companies like Apple, which applies ‘noise’ to its data to ensure that information can’t be identified.
There are also calls for the widespread adoption of the de-identification methods used in accordance with the Health Insurance Portability and Accountability Act in the USA. The Privacy Act in Australia already requires de-identification of certain kinds of data in certain circumstances, but some believe it should be used across the board. De-identification involves the removal of direct identifiers from data such as names and addresses and the implementation of safeguards to prevent re-identification.
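As an added illustration (not part of the original article, and not code from SyberScribe, Dr Zhu or any named organisation), the Python below applies the de-identification idea above to a constructed set of patient records: direct identifiers are dropped, the remaining quasi-identifiers (date of birth, postcode) are coarsened, and a minimum group-size check stands in for the re-identification safeguard, showing why removing names alone still leaves each record linkable to outside data as described earlier. The field names, the coarsening rules and the minimum group size of 2 are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample records for illustration only; not real patients.
PATIENTS = [
    {"name": "A. Smith", "address": "1 High St", "dob": "1980-03-04",
     "postcode": "3000", "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Jones", "address": "2 High St", "dob": "1980-11-20",
     "postcode": "3011", "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Lee", "address": "9 Low St", "dob": "1975-06-01",
     "postcode": "3052", "sex": "M", "diagnosis": "hypertension"},
    {"name": "D. Wong", "address": "4 Low St", "dob": "1975-09-15",
     "postcode": "3040", "sex": "M", "diagnosis": "migraine"},
]

# Fields that identify a person on their own (assumed set for this example).
DIRECT_IDENTIFIERS = {"name", "address"}


def deidentify(record, coarsen=True):
    """Remove direct identifiers; optionally coarsen quasi-identifiers
    (date of birth -> birth year, 4-digit postcode -> 2-digit area)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    dob, postcode = out.pop("dob"), out.pop("postcode")
    out["birth_year"] = dob[:4] if coarsen else dob
    out["area"] = postcode[:2] if coarsen else postcode
    return out


def quasi_key(record):
    """The combination an outside dataset could be joined on."""
    return (record["birth_year"], record["area"], record["sex"])


def smallest_group(records):
    """Size of the smallest quasi-identifier group; 1 means some record
    is unique and can be singled out by anyone who knows those values."""
    return min(Counter(quasi_key(r) for r in records).values())


def release(records, min_group=2):
    """Safeguard: refuse to release a dataset in which any record is
    unique on its quasi-identifiers (assumed threshold of 2)."""
    out = [deidentify(r) for r in records]
    if smallest_group(out) < min_group:
        raise ValueError("re-identification risk: a quasi-identifier group "
                         f"has fewer than {min_group} records")
    return out


def linkable(aux, records):
    """How many released records an auxiliary record (e.g. a public listing
    giving year of birth, area and sex) matches; exactly 1 re-identifies."""
    return sum(1 for r in records if quasi_key(r) == quasi_key(aux))
```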
While a foolproof data protection method is yet to be found, there are several ways you can help to reduce the likelihood of your patients’ or clients’ personal information being lost or stolen from your own medical practice.
A formal confidentiality policy details the protocols to follow when handling patient information. This should be communicated to staff to ensure compliance, and to patients for reassurance that you take privacy seriously.
As well as familiarising staff with the need for confidentiality, you need to ensure your clinic’s partners are also on the same page. Work with partners you can trust such as SyberScribe, which uses the latest encryption and security processes in its medical transcription services.
For the highest level of protection, store your patient data with a cloud-based medical practice management platform supported by a government certified provider.
Other practical measures include encrypting and password-protecting all devices using strong passwords, regularly updating antivirus software, enabling two-factor authentication for access to patient information and having a security breach response plan.