The reality of protecting your patients’ privacy is about preparing for when, not if, the next risk will emerge. The rate of data breaches in Australia continues to affect businesses both large and small, with a 2017 IBM Security Report estimating the average total cost of a data breach at $2.51 million.
Therefore, putting privacy on the agenda is more important than ever. The ethical and legal obligations to your patients, the implementation of new legislation, and the financial imperative to stay secure are all key considerations for your practice. It’s time to evaluate the medical practice policies and procedures that are safeguarding your patients’ privacy.
We talk to Tego CEO Eric Lowenstein about the reality of today’s risks and the actionable ways that medical practices can protect patients and practitioners alike.
Putting privacy on the agenda: We talked with Tego CEO, Eric Lowenstein
Interviewer: Regarding the changes, what do you think this is going to mean on a day-to-day basis for practitioners?
Eric: “It’s an interesting question. They have huge implications in terms of risk, awareness and being proactive.
The fundamental shift is that there is now an onus on a practitioner or practice to notify the Office of the Australian Information Commissioner if their computer has been hacked or they have lost data. They are also obliged to notify affected patients as soon as they become aware of a breach. Non-compliance can result in a fine or other penalties.”
94% of Australians believe that they should be told if a business loses their personal information. – Office of the Australian Information Commissioner
“Practices and practitioners must be in a position to determine if they have had a breach. The definition of a data breach is quite broad. It is not limited to hacking or theft of data but covers unauthorised access to data, losses of data and disclosure of data.
Interestingly, the Ponemon Institute, which does a lot of reporting on security and privacy, found that nearly 90% of surveyed healthcare organisations had had a data breach in the previous two years.”
Interviewer: How prepared do you think practitioners are then to live up to those expectations?
Eric: “No one is secure. Smaller independent practices might be more vulnerable than those that are part of a sophisticated IT infrastructure. I tend to think of it a bit like the friendly neighbourhood. If you’ve got the bigger fence and the dogs out in the front, you’d probably find that the criminal will proceed to the next neighbour. That’s no different in the cybersecurity world where cyber criminals look for the weakest link.
There are so many methods to infiltrate a network. Whether it’s phishing attacks, whether it’s fake emails that look legitimate, all you need to do is click that link and they’re into your system. Particularly in the healthcare space, that information is very powerful and it’s actually a very lucrative industry.”
Interviewer: If you have a data breach, how do the different levels of insurance help you respond differently to the situation?
Eric: “It can be quite a confusing landscape for a practitioner to navigate, particularly because there are multiple insurance products out there with multiple types of cover. Most of those products are standalone cybersecurity solutions.
Different policies have different levels of cover, which can include notification costs to the Privacy Commissioner through to defending privacy complaints and paying the fines and penalties associated with a privacy breach.
There are a few areas where the mandatory notification laws may have an impact for medical practitioners, and these exposures might be covered by a doctor’s medical indemnity insurance policy:
- The first is the privacy notification cost that doctors will incur in notifying patients and regulators of a breach.
- The next is around the cost of defending legal action. This might be brought against the doctor by the Privacy Commissioner. There may also be claims from patients who suffer loss as a result of their patient records being made public.
There are many elements involved and it is not clear-cut from an insurance perspective. I would typically advise a medical practitioner to consult a general insurance advisor. Find someone that is able to independently review their cover and understand what the gaps are, understand what their needs are, and find the right match and find the right solution.”
Interviewer: How can practitioners ensure that their external suppliers are properly storing patient data?
Eric: “Understand what systems your third-party suppliers use, what protocols they use, and how the information that you’re providing them is kept and stored.
It’s not necessarily about having all the answers yourself, but having support from appropriately qualified experts. When things do hit the fan, you need to have access to someone so you can pick up the phone and say, ‘Look, I think something has just happened.’ Triage is critical.”
Interviewer: Is it possible that a practitioner wouldn’t be aware that a data breach had taken place?
Eric: “I think there’s some truth behind the idea that there are only two types of organisations: those that have been hacked and those that don’t know they’ve been hacked. If you look at the data, nearly 90% of all surveyed healthcare organisations have had a data breach. The reality is it’s inevitable.
There are data breaches in Australia all the time. Not all of them are on a high scale of severity. By having appropriate levels of protection, awareness, policies and procedures that are actually tested, you will be in a much better position when something does go wrong.
My biggest consideration when it comes to response plans is this: whatever the plan is, just don’t let it gather dust.”
Interviewer: In many ways, it sounds like everyone needs to be aware of how this could impact the whole practice.
Eric: “Absolutely. It is a cultural issue. Practices and practitioners need a culture that understands the risks and the severity; that understands the importance of privacy and the need to maintain and protect privacy; and that has awareness of the cybersecurity landscape. Even the most secure organisations are hacked, but it’s often the practical, simple things that leave smaller businesses and practices exposed.”
As we can see, true privacy is not an overnight endeavour. It’s an ongoing commitment to your patients and practice, requiring investment in the tools, processes and people who’ll cement your success. How are you putting privacy on the agenda in your medical practice?
This publication is general in nature and is not comprehensive, nor does it constitute legal or medical advice. You should seek legal, medical or other professional advice before relying on any content, and practise proper clinical decision making with regard to individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgment or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Tego Insurance Pty Ltd is not responsible to you or anyone else for any loss suffered in connection with the use of this information.
Eric is the CEO of Tego, an insurance agency offering specialist indemnity insurance solutions for the healthcare and life sciences sectors. His qualifications include a bachelor’s degree in business and law, a master’s degree from UNSW in law and management and an MBA from the AGSM.