Marco Ostini is the Principal Analyst at Pandimensional Infosec, based in Brisbane. He has a particular interest in the information security of smaller medical practices. He can be reached on twitter @Pandimensional_.
Medical practitioners or small business owners should have the date 22 February 2018 in their calendar, for that is when the Notifiable Data Breaches (NDB) scheme took effect throughout Australia.
What is it, who does it target, how should you prepare and why does it exist? Each of these questions will be answered in this article.
What is the NDB?
The NDB is new. Legislation has recently been passed amending the Australian Privacy Act to establish the scheme in Australia.
The scheme includes the obligation of an applicable entity, for example a medical practice, to notify people, who may include patients and staff whose personal information they hold, that have been involved in a data breach and, as a result, are at risk of suffering serious harm. The Australian Information Commissioner must also be notified of the breach.
An applicable entity that fails to comply with the new legislation could lead to responsible individuals, such as the practice principals or key employees, being issued penalties of up to $360,000. The entities themselves may face penalties up to $1.8 million.
Who is affected?
The NDB scheme applies to all Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3.0 million or more and entities that provide any health services.
How will it function?
As ever, prevention is better than cure. You do not want to find yourself in front of a TV news camera attempting to answer awkward questions. And there are worse case scenarios!
To its credit the Office of the Australian Information Commissioner (OAIC) has prepared many excellent guides, including one to developing a data breach response plan. This guide is not optional for those wishing to avoid the consequences of a breach and should form part of the overall information security protocols for your practice.
A well prepared and well understood data breach response plan needs to be ready for action. It will save you time, confusion and anxiety. The preparation of the data breach response plan is made a lot easier with the guidance and cooperation of an Information Security professional. In most cases this will not be the same person or company who installs and maintains your computers.
To identify a breach you need to be looking for it. There are many potential ways for a breach to occur. Uninformed user actions, poorly maintained or designed systems and third party failures are some of the many potential causes. So engaging an Information Security professional is strongly recommended.
A suspected breach needs to be investigated promptly, and if identified, immediate steps should be undertaken to contain it. An assessment of the breach is required to determine if the stolen data is likely to result in serious harm.
For example, does the data include Medicare numbers, health care numbers, health information, driver’s licence details, financial account numbers such as debit or credit card numbers, names and passwords or other sensitive personal information and is it, or was it ever, available in a public place unencrypted?
The investigation and assessment must be done "expeditiously", with the entire process completed within 30 days.
If a breach does include data that is likely to result in serious harm, then notifications to those impacted and the Australian Information Commissioner must be sent.
This handy OAIC flow chart describes the steps.
Why the scrutiny?
The NDB scheme encourages good privacy practice. It upholds the rights of individuals to determine how their personal information is used and managed. It has been made law as an extension of the Privacy Act. Misuse of stolen data has been an issue for some years in Australia. It has taken Australian security experts 10 years to convince the government to implement changes that address at least some aspects of the problem.
Many breaches of personal data, including those of clients and staff of various large entities globally and in Australia, have already occurred and have done so for some time. This highly sensitive and highly personal data is systematically collected by cyber criminals who use it for breaking into systems, fraud, extortion and other illegal practices based on identity theft.
This data is very valuable to malicious entities who understand information technology and the internet far better than those who neglect their systems and suffer a breach. The NDB legislation seeks to reduce the flow of personal data to criminals who abuse it.
The NDB legislation, by way of its penalty scheme, provides a difficult to ignore indication of the high value of medical data. Practitioners are now required to meet a higher standard of personal information handling than they have in the past.
Medical professionals already have more than enough to do in staying current with contemporary medical research, technologies and techniques. Adding professional Information Security Analysis and Implementation skills to their daily work is too much to ask.
Doctors and practice managers understand that modern medical practice needs support from professionals in a variety of fields. Check with your legal professionals to confirm all your legal obligations under the Notifiable Data Breaches (NDB) scheme and get to know some Information Security professionals who can assist you to take the necessary measures to avoid a breach.
Put the measures in place to detect a breach and prepare your Incident Response Plan so that it is ready if a breach should occur.
Good health rarely happens by accident, nor does good Cyber health. Some pro-active steps today, along with good daily habits, will lead to a much happier and productive future.
Prevention is also better than prosecution.