Running a healthcare practice in today’s digitally connected world comes with increasing and evolving cyber risks. The volume and sensitive nature of medical data now stored and accessed entirely electronically can leave practices vulnerable to a cyber incident.
The Office of the Australian Information Commissioner’s (OAIC’s) Notifiable Data Breaches Scheme 12-month Insights Report revealed that health service providers reported the highest number of data breaches under the scheme, around 20%, from 1 April 2018 to 31 March 2019.
The report found malicious attacks were the main source of all reported data breaches, accounting for 60% of the 964 eligible data breaches. Phishing scams were the most common cyber incident, followed by compromised or stolen credentials; both typically involve users being tricked into giving up their login details.
Cyber incidents like these can result in loss of access or damage to your data, including medical and financial records, employee files and personal information. Losing access to your data or having it destroyed entirely can severely disrupt your practice and be devastating for your patients.
To protect your practice against some of these common losses associated with a cyber incident, Avant now provides complimentary cyber insurance with your Avant Practice Medical Indemnity Insurance policy*. However, insurance cover is only one part of managing cyber security risks; developing strategies to minimise your exposure to a cyber incident is just as critical to surviving a cyber incident.
Strategies to prevent cyber incidents
With the increasing risk of a cyber incident occurring, no business is immune. Smaller and medium-sized practices are often more vulnerable due to fewer resources and a misconception that their practice is too ‘small’ to experience a cyber incident.
The OAIC report found human error is the leading cause of data breaches in the health sector, accounting for 55% of data breaches. Therefore, educating staff on their responsibilities and having policies and processes in place is the best defence for managing your practice’s risk.
Educate your employees
The more informed your employees are about the value of your practice’s data and digital assets and the ways they can inadvertently contribute to a data breach, the better off you’ll be. Along with continued education, your practice should have a policy that covers staff expectations on cyber security, including:
- not sharing passwords
- use of the internet
- downloading of software to the practice system
- caution when opening unusual emails.
The policy should outline your protocol for backing up data and a recovery plan if an incident occurs. One person should be assigned responsibility for your practice’s data security and all staff should be trained and regularly updated on their responsibilities and roles if an incident occurs.
Develop a business continuity plan
A business continuity plan is critical to risk management planning, as it details how your practice can continue to operate and provide healthcare services if a major cyber incident occurs.
The plan should outline your data back-up procedures and patient care management. Have a supply of paper prescription pads, a hard copy appointment diary, and patient history forms available to use if an incident occurs, to minimise disruption to the essential parts of your practice.
Select third party providers who understand cyber risk
Third-party providers, including contract IT providers or outsourced electronic storage facilities that store your information, are effectively custodians of your and your patients’ data. It is critical to know they have security measures in place to safeguard this private information.
You should ensure that your service providers understand the risks and take the security of your data seriously, and you may want to ask some additional questions before entering or renewing an agreement with a service provider. Contracts with IT software and hardware providers should also include protections for the practice if there is a security breach due to a system error or fault on the part of the provider.
Consult with your IT service provider
One of the most effective steps in managing your risk is to understand your practice’s vulnerabilities to a cyber incident and identify where you are most exposed.
Consider hiring an IT consultant to undertake a risk assessment of potential threats to your practice and help with strategies to prevent them. Download our factsheet for five steps to protect your network and systems.
More protection for your practice
As we conduct more of our business and lives digitally, knowing where to start in managing your practice’s cyber risks can be overwhelming. That’s why we now provide complimentary Avant Cyber Insurance* with your Avant Practice Medical Indemnity Insurance*. It offers a level of protection for many of the common cyber risks your practice may face, now and in the future.
Learn more proactive measures
We have also developed a range of resources to help protect your practice. To get started, listen to our new podcast where a doctor shares her personal experience of a ransomware attack on her practice. The Australian Digital Health Agency’s Information Security Guide for small healthcare businesses is also helpful.
* Important: Avant Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) is issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available between 20/9/2019 and 20/03/2021 to eligible Avant Practice Medical Indemnity Policy holders under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant.