Q&A - Keeping up the pace - Regulation in a digital age

The materials provided are for educational purposes only. Whilst all reasonable care has been taken in preparing these materials, including the accuracy of the information supplied, MIPS does not accept any liability whatsoever arising out of the use or reliance of the information provided.

What should be the protocol after a cyber security breach? Is there a standard protocol?

Incident response management plan

  • Yes, there are standard protocols, and different cyber incidents can require different ways of responding. For example, the Privacy Act 1988 sets out a regulatory approach to managing data breaches, including a cyber security incident where personal data has been breached.
  • We recommend that medical practices have a documented data breach response plan, which steps out everything required for a data breach involving personal information, as well as a cyber incident response plan. As discussed in our presentation, there are 4 key steps that practices are required to take after a breach is discovered. These are listed below:

Step 1: Contain the data breach to prevent any further compromise of personal information.

Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.

Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify. There is a set format that an entity must follow in responding to a data breach.

Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

  • It is recommended to seek professional advice if a data breach or cyber security incident is suspected and to consult with the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
  • If personal information has been breached there are specific steps required to inform users including identifying what personal information has been compromised and guidance to assist users to take remedial action. The ACSC also provides guidance on managing a cyber security incident and encourages notifications to them.
  • Resilience by Design can assist with preparing a data breach response plan, communication templates, and cyber incident response plans. Please contact info@resiliencebd.com for more.

Could you give us a real-world example of a case of data breach to a Medical Centre in Australia and material losses?

  • A client we recently worked with experienced a cyber attack. During the attack, known as a ‘man in the middle’ attack, the cyber criminals managed to insert themselves between a payment process and divert funds by directing patients to make payments into a fraudulent account. Multiple payments were made over the period of 3 months and the cyber criminals were able to access patient records.
  • The practice had to notify all individuals impacted, notify the OAIC, and completely rebuild their servers. Fortunately, their backups were not impacted so they were able to reload backups onto new servers. The loss to the practice was in the tens of thousands.

Re photos: if the photo is de-identified and shows only part of the body, e.g. a wound, for a consult with another consultant, what is the rule? The patient consented to the transfer of the photo to the surgeon. I am a rehab specialist and do consult with the surgeon regularly.

  • We recommend that all photos are treated as sensitive information, even if you believe them to be de-identified. As the process of re-identification has become very sophisticated, it is best to err on the cautious side. All photos should be subject to secure storage and kept within a secure online environment subject to workplace governance and backups.
  • Sharing photos is an important diagnostic tool, and sending via email or text can be the most expedient practice. However, it does expose you to risk. This is an industry-wide problem and more work is needed to resolve this practice in a way that does not hinder the important work of the profession.
  • You should always avoid sharing photos via social media platforms and messaging services. If sharing via email or text, use a separate work account, and be aware that this is not the most secure way. Use a range of security practices, including two-factor authentication and encryption, and delete photos from your device once they have been transferred to the patient file.
  • A better way to share photos could be to use a password-protected Dropbox, Google Drive or OneDrive folder. You can install the app easily on your phone, take a photo and save it to the Dropbox/OneDrive folder. You can then grant the other surgeon permission to view/access the folder containing the photos.

Even for de-identified information used for consultation with other specialists, do I specifically need a signed consent form, or is verbal consent enough if noted in our notes?

Generally:

  • You can use and disclose a patient’s health information for the primary purpose for which you collected it, i.e. for diagnosis and treatment.
  • You can use and disclose a patient’s health information for another purpose with the patient’s consent.
  • Best practice would suggest that practitioners include notification in the initial patient consent form that patient data may be used for consultation with other specialists.
  • If verbal consent is taken, then it should be well documented, including the date and time of the conversation.

Privacy management plan

  • Where do we get privacy management plan templates?
  • Can you have some examples for such plans?
  • Is there a standard policy format available for this plan?
  • Could you please share that APP Template with the group?

We also recommend preparing a data breach response plan. Contact the training provider Resilience by Design for more information on preparing this.

What about phone consults? Are they safe and what confidentiality issues are there to consider?

  • There are a range of cyber security issues associated with telehealth and phone conversations. These include identifying:
    • safe cyber hygiene practices during telehealth consultations, including how to use Wi-Fi safely, two-factor authentication and reducing the risk from known vulnerabilities.
    • what to look for when selecting service providers and software-as-a-service, and ensuring third parties are compliant and meet safety and security standards.
    • how to securely send and store patient records, and implement robust backup services for them, when using telehealth services.
    • key security issues in telehealth and cloud services. The training provider Resilience by Design provides training and support for safe telehealth.

MIPS Resources Telehealth

What about the responsibilities if I work as a contractor?

  • As a medical practitioner you have responsibilities to protect patient information, enshrined in the Privacy Act and the AHPRA Code of Conduct, rule 10.5.
  • Contractors and third parties should have expressly stated requirements in their contracts outlining expectations to comply with privacy obligations and cyber security standards.
  • MIPS Resources Contractors

How can I train my front of house staff? Any training you can recommend? & Can I contact MIPS for specific advice as to how to improve my security?

MIPS does not provide in-house expertise on security, which is why external subject experts were provided. Please attend the upcoming MIPS member webinar session on 14 April 2021 and contact the training provider Resilience by Design for more information about additional training and advice for your practice.

Just wondering how safe is a medical centre’s server and antiviral system in general? Is that what the hackers are trying to get to? Sorry not too tech savvy!

This will depend on what systems your practice has in place. Cyber criminals attack for a range of reasons, including to obtain patient data, to hold businesses to ransom, to divert payments, to hide, and to spread malicious software. Attend our event on April 14 for more information and to learn what steps you can take to protect you and your business.

How can I tell my IT system has been hacked?

  • With a range of sophisticated cyber criminals routinely compromising the healthcare sector, identification of a cyber incident is increasingly difficult.
  • There are a lot of monitoring systems, cloud-based security software and other methods for uncovering a cyber incident on your networks. Some of them are costly, difficult to implement and require dedicated security resources.
  • We recommend a first step of undertaking a gap analysis (performed by a cyber professional) of your system and current defences.

Is PDF password protection of any value? Why did the government choose this?

PDF password protection has been around for a long time. While it is easy to use and does provide encryption, it has limitations. Like all password-based identity management solutions, the password can be breached easily, and once the document is open its content can be copied and pasted.

Please would you expand more on individual email addresses rather than admin@ where personnel change on different days?

We understand that normal business practice may make a shared or group mailbox an efficient solution. However, it does present security risks, including difficulty controlling access to the mailbox, not being able to encrypt the mailbox, and sloppy cyber hygiene. If you are using a shared mailbox, be sure to review regularly who has access to it and have well-known procedures for managing it. It is possible to have individual user accounts and logins that still have access to shared inboxes.

So, what happens when hospitals tell us we need to email them referrals and results / What do you do when pharmacies or specialists request scripts/referrals be emailed not faxed and there is not an encrypted option?

We know that email is an important business tool. Unfortunately, the use of encryption in email is not widespread, and there is potential for emails to be copied, changed and deleted. If you are requested to send information over email, be sure you have done everything you can to secure your email presence. This includes not using personal email, using strong passwords, and turning on two-factor authentication for email and devices.

If you are regularly dealing with a pharmacy or specialist who is using unencrypted email, it is a good idea to raise the risk with them and advise that they may be at risk of breaching the Privacy Act 1988 by not taking reasonable steps to secure patient data.

What is the best encrypted email server in Australia? Aren't most email servers overseas?

There are a range of encrypted email services (though not often located in Australia). We recommend paid providers rather than free services. While many providers do store data offshore, use of these is not entirely prohibited. The Privacy Act and Australian Privacy Principle 8 step out the requirements for notifying individuals and what is required of a business if storage is held offshore. This includes steps like making sure offshore providers can comply with the APPs, and notifying patients that their data may be securely stored offshore. You should seek legal advice for more information.

How do we make sure our email is encrypted?

The best thing to do is to check with your email provider or tech team to confirm if you are sending encrypted emails.

Are there email providers that are riskier than others?

Yes. Free services are generally not recommended because you cannot control how these emails are scanned for keywords and used to target ads. This means personal information and patient data is being exposed.

Are VoIP line faxes the same as email now?

VoIP line faxes carry risks, as email does. VoIP fax can be unreliable in some circumstances. The security of a VoIP line fax will depend on the security of each individual service, and some will be better than others.

MIPS Membership

The benefits of membership include the MIPS indemnity insurance policy which relates to the provision of healthcare. It excludes claims associated with the loss of, damage to, or the failure to properly protect the security of, electronic or hard copy medical records. MIPS does not provide a cyber risk cover or Practice Entity cover.

Members need to make their own assessment in relation to these potential risks.

MIPS has established a relationship with Aon to help facilitate MIPS members to enquire and obtain an estimate for practice entity and cyber risk cover.

Practice entity and cyber cover referral