Within the first few weeks of Australia’s Notifiable Data Breaches (NDB) legislation taking effect, a total of 63 notices were received, with the highest share coming from the healthcare sector.
Australia’s Notifiable Data Breaches scheme
Australia’s NDB scheme came into effect on 22 February 2018. It applies to government agencies, as well as businesses and non-profit organisations with an annual turnover of more than $3 million. Smaller businesses such as health service providers, credit reporting bodies and businesses that trade in personal information are also covered by the scheme, which is governed under Part IIIC of the Australian Privacy Act 1988.
The NDB scheme requires those agencies and organisations to notify affected individuals, and the Office of the Australian Information Commissioner (OAIC), when “personal information is involved in a data breach that is likely to result in serious harm”, as soon as practicable after becoming aware of the breach. According to ZDNet, the technology news website, examples of a data breach include “when a device containing customers' personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.”
The scheme’s impact
Within the first few weeks of the legislation’s introduction, the OAIC received 63 notices of data breaches, with the largest share (24 per cent) coming from the healthcare sector. Acting Privacy Commissioner Angelene Falk said that half of the breaches were due to human error.
Human error in the use of electronic medical records was also blamed for the death of a 54-year-old following routine surgery, when an anaesthetist accidentally prescribed the patient medication that was meant for another patient. The system triggered 22 alarms, but each could be dismissed by a manual override that required only a password, so the clinician was able to proceed and make the fatal mistake.
Embracing a culture of security
Ensuring patient data is protected comes down to each individual in the organisation. It only takes one person to open a malicious email attachment; one person to leave their unencrypted laptop on the train; one person to save a file containing sensitive data to the wrong, publicly reachable server behind the organisation’s website.
It also takes a culture of security to teach employees to consider how their every action could affect patient privacy and safety. The OAIC has published guidance on privacy governance and data breach risk reduction, including guides to conducting a Privacy Impact Assessment and an Information Security Risk Assessment.
Something else to keep in mind is the kind of patient information an organisation shares in its marketing and promotions. Connecting with the community through patient stories can be a wonderful way of gaining support and reaching your target market. However, images or text that reveal sensitive information such as medications, Medicare numbers, address details and the like must be checked and removed before publication. The Australian Digital Health Agency has a Digital Health Cyber Security Centre, with advice on individual and organisational responsibilities for patient information security.
Secure healthcare information exchange
Health Level Seven International (HL7) supports the clinical practice, management, delivery and evaluation of health services through frameworks and standards for electronic health information. The Australian chapter helps develop the local standards and builds the skills and knowledge of users and the wider community. Vitro Software is proud to have our director Berne Gibbons as a board member of HL7 Australia, contributing our organisation’s expertise to the collaboration between software vendors and healthcare organisations on interoperability and secure healthcare information exchange.
Technology such as Vitro’s Electronic Medical Record has been designed to support healthcare organisations and their employees in reducing the likelihood of data breaches. Vitro is built around the needs of each healthcare organisation, so it keeps an intuitive, familiar and streamlined user experience while also meeting that organisation’s data privacy requirements.
Jeff Smoot - CEO Australia
Jeff has extensive experience in Healthcare, previously working for companies such as Allscripts, Cerner and Fujitsu Technology Solutions. Jeff was awarded a BSBA by the University of Denver and an MBA from the Loyola College in Maryland in the USA.