Data Breaches – Who Will You Call?

Data breaches and cyber attacks are a growing risk for medical practices and can have a major financial and reputational impact for healthcare providers, particularly with the increasing reliance on electronic health records and billing systems.

In 2016, US researcher Ponemon Institute conducted its annual survey on privacy and security of healthcare data, finding that nearly 90% of healthcare providers reported one or more data breaches over the previous year[1]. PricewaterhouseCoopers also found that 65% of all Australian organisations have experienced cyber crime in the past 24 months[2].

In Australia, the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) regulate how personal information is managed. All private sector healthcare practices that collect, use or disclose health information are bound by the Privacy Act and the APPs.

With the introduction of new mandatory data breach notification obligations (mandatory notification), medical practitioners and healthcare practices should consider their approach to privacy and confidentiality of patient information.

Kate Reynolds

What are the risks?

Cyber attacks are a significant risk to all businesses including medical practices, with attacks occurring in increasingly sophisticated ways. Prominent threats include[3]:

  • integrity breaches – the manipulation of correct data;
  • confidentiality breaches – theft or inappropriate access of personal information;
  • availability breaches – shutting down critical infrastructure and online services.

While the risk of cyber crime is ever present, data breaches in medical practices more frequently occur by accidental error[4] or intentional misconduct of employees accessing personal information of patients for non-health related reasons. Data breaches may also occur if laptops, phones or USBs that hold patient information and are unencrypted or not password protected are left in cars, offices or around the home, increasing the risk of information being lost, stolen or inappropriately accessed.

Not every data breach requires mandatory notification. A breach is only considered an eligible data breach if a reasonable person would conclude it sufficiently serious that it is likely the affected individual would suffer serious harm. Serious harm may include serious physical, psychological, emotional, financial, or reputational harm.

An electronic appointment reminder sent to the wrong patient, in circumstances where two patients of the practice have similar names, is unlikely to be an eligible data breach requiring notification, as it is unlikely to result in serious harm to either party.

Who do you notify?

If a data breach occurs, the organisation must attempt to contain the breach, assess the actual and potential harm, and if it is considered that an eligible data breach has occurred, notify the Office of the Australian Information Commissioner (OAIC) as soon as possible. The assessment and reporting of the incident should occur within 30 calendar days of the entity becoming aware of the breach.

The OAIC provides guidance on how to notify individuals without causing further harm. Direct communication in the form of a telephone call, a letter, an email or in person is preferred. Where a law enforcement agency is investigating the breach, clarify with that agency whether it is appropriate to make details of the breach public.

My Health Record

The My Health Record system has its own mandatory reporting of data breach requirements and falls outside the scheme set out in the Privacy Act. The OAIC continues to regulate the handling of personal information under the My Health Record system and investigate complaints about mishandling of information in an individual’s My Health Record.

If a medical practice becomes aware of a potential data breach affecting the My Health Record system, it must report this to the System Operator regardless of whether the breach meets the criteria of an eligible data breach under the Privacy Act. The System Operator or the medical practice may notify the OAIC of the breach and request the Australian Digital Health Agency (ADHA) to notify individuals who have been affected. If a significant number of people are affected, the ADHA will notify the general public.

When information is downloaded from a patient’s My Health Record to a practice’s computer system, the My Health Records Act no longer applies and the downloaded information will then be subject to the Privacy Act provisions.

While you can’t avoid cyber risk, you can take steps to prepare your practice and educate staff in ways to minimise the risk. Further information may be obtained from your professional indemnity insurer, the OAIC or an independent legal adviser.

ED: Ms Kate Reynolds is a solicitor with Panetta & McGrath. She is a registered nurse practising law in medical treatment liability, aged care, general health law and general insurance.

References:

[1] Ponemon Institute LLC, Fifth annual benchmark study on privacy & security of healthcare data, May 2016.

[2] ASIC Media Centre, World Economic Forum and Cyber Security for The Australian newspaper, 20 January 2017.

[3] ASIC Media Centre, World Economic Forum and Cyber Security for The Australian newspaper, 20 January 2017.

[4] Ransomware attacks steal headlines, but accidental data breaches remain a major cause of loss, 1 August 2017, Beazley Insurance, www.beazley.com