Since reporting began in 2018, the health sector has been in the number one or two spot for data breaches, compared with other industries such as education and professional services, under the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breach Scheme (NDB Scheme). Another reporting period drew to a close on 30 June 2022. Which industry will take out the top spot for last financial year?
As we wait for the OAIC to publish its latest data, we reflect on key cyber threats and how to combat them, thinking particularly about the sensitivity of health information and community expectations to protect it.
Why does protecting your information matter?
Data security matters for all community organisations because privacy and data breaches eat away at the trust that individuals have in your organisation. Trust between your community, clients, volunteers and donors is particularly important when you rely on your community to pursue your charitable purpose or mission in the community. Trust and privacy are particularly important when health information is involved, such as information about disabilities, mental health, and illnesses and injuries.
Health information is ‘sensitive’ information, and sensitive information is afforded higher protections because its inappropriate handling can have adverse consequences for an individual. For example, inappropriate handling of information about a person’s disability can result in discrimination.
Key cyber threats
Advances in information and communication technology and, of course, the pandemic, have pushed many organisations to digitise records. In response, new privacy risks have emerged, and cyber criminals have further developed their arsenal.
Be wary of:
- electronic forms that automatically include (or pre-fill) information. This can cause privacy breaches through unauthorised disclosure;
- ransomware – a type of malicious software designed to block access to a computer system until a sum of money is paid; and
- malicious network traffic – when a suspicious link or file created or received over a network takes control of systems on the network and carries out harmful operations such as downloading (stealing) information.
How to combat these cyber threats
Support your staff
Human error, accidental breaches, the wrong email address, or falling victim to malicious links are major risks to your organisation, and very common types of data breaches. You can combat cyber threats by supporting your staff, specifically with:
- phishing training so staff can identify malicious emails or links;
- privacy training so staff verify a patient’s identity and double check the phone number or email before sending information; and
- internal privacy or information management process sheets and procedures that clearly communicate expectations for how to handle personal information and records.
Take steps to detect data breaches
As part of complying with Australian Privacy Principle 11, you must take reasonable steps to ensure you detect data breaches in a timely manner. You can do this by implementing:
- technical controls that monitor unusual activity in your online systems;
- physical controls, such as securing paper records; and
- personnel controls, such as communicating to staff how to report suspected data breaches internally.
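As an illustration of the first of those controls, the following added example (not from Moores or the OAIC) shows the kind of simple monitoring rule a small organisation can run over its own access logs. It assumes a hypothetical record system that logs each access to a patient record as one line of the form `timestamp user action record-id`; the log lines, the business-hours window and the bulk-access threshold are all constructed for the example.

```python
"""Flag unusual patient-record activity in an access log.

Added example, not code from the original article. Assumes a hypothetical
log format: ISO-8601 timestamp, user id, action, record id, one event per line.
Two rules are applied: access outside business hours, and one user touching
an unusually large number of distinct records in a single day.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# One access event per line: timestamp, user, action, record id (assumed format).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>[A-Z]+)\s+(?P<record>\S+)$")

# Constructed sample log (not real data). temp07 views twelve different
# records within one afternoon; admin02 views a record late at night.
SAMPLE_LOG = "\n".join([
    "2022-06-14T09:05:12 nurse01 VIEW P1001",
    "2022-06-14T09:06:40 nurse01 VIEW P1002",
    "2022-06-14T10:15:00 admin02 EXPORT P1003",
    "2022-06-14T23:41:07 admin02 VIEW P1004",
] + [f"2022-06-14T14:{i:02d}:00 temp07 VIEW P{1100 + i}" for i in range(12)])


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # a production monitor would count and alert on these too
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "record": m["record"],
        })
    return events


def after_hours_access(events, start=time(7, 0), end=time(19, 0)):
    """Events whose time of day falls outside the assumed business-hours window."""
    return [e for e in events if not (start <= e["ts"].time() < end)]


def bulk_access(events, threshold=10):
    """(user, date) pairs where one user touched at least `threshold` distinct records."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date())].add(e["record"])
    return {key: len(records) for key, records in seen.items() if len(records) >= threshold}


def detect_unusual_activity(text, threshold=10):
    """Run both rules and return a list of (rule, user, detail) alerts."""
    events = parse_log(text)
    alerts = []
    for e in after_hours_access(events):
        alerts.append(("after_hours", e["user"], e["ts"].isoformat()))
    for (user, day), count in bulk_access(events, threshold).items():
        alerts.append(("bulk_access", user, f"{day}:{count}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_unusual_activity(SAMPLE_LOG):
        print(alert)
```

The thresholds here are deliberately crude; the point is that a control this small already turns "monitor unusual activity" into something a staff member can be asked to review each morning, and each alert carries the user and time needed to start the assessment that the NDB Scheme expects.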
Be prepared for data breaches
Cyber threats and data breaches are almost inevitable. In the 2020–21 financial year, the Australian Cyber Security Centre received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. We recommend you prepare your organisation with a Data Breach Response Plan that assigns responsibilities for responding to the cyber threat, and any associated reporting.
A key objective of the Notifiable Data Breaches scheme is to protect individuals by enabling them to respond quickly to a data breach and minimise the risk of harm. Delays in the identification, assessment or notification of data breaches greatly reduce the opportunity for individuals to take steps to protect themselves from harm.
How we can help
Moores can conduct privacy training and privacy audits, and prepare data breach response plans or reports on privacy breaches. A privacy audit considers your current information handling processes against Australian privacy principles and identifies areas of risk and non-compliance, to support you to improve how you handle information.
You can watch the recording of our Data Breach Simulation webinar here.
Please contact us for more detailed and tailored help.