Health Services organisations in Australia are suffering more data breaches than any other sector. Health Services boards of directors must take responsibility, enable the needed protection, or face penalties and civil liability.
Australian Health Services see most data breaches in the country
The boards of directors of Australian Health Services must take action to improve their cybersecurity, according to the quarterly report on Notifiable Data Breaches by the Office of the Australian Information Commissioner (OAIC).
Health Services are seeing more breaches than any other sector or entity, public or private. Of the 49 notifications of data breaches in healthcare made from 1 April to 30 June 2018, one breach affected over 1 million Australians, 52 notifications involved the personal information of 100 to 1,000 people, 61% of the data breaches related to the details of 100 or fewer individuals, while 38% affected up to 10 people, according to the report.
Separately, the My Health Record system, which was created specially to protect individuals’ data, saw 11 reports of unauthorised access to personal information.
Board members must take responsibility
A majority of the data breaches (59%) were caused by human error, according to the report, while 36% were the result of hacking. In both cases, it is the responsibility of the Health Services boards of directors to manage these risks, as the boards could face civil actions if damages are attributed to their failure to take action, according to the Department of Health & Human Services.
“You must take reasonable steps to protect your records of personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. If any of the personal information you hold is no longer needed for any purpose, you must take reasonable steps to destroy or de-identify it (unless the information is required to be retained by law). You must give patients access to their personal information on request, unless an exception applies. If you refuse to give access, or to give it in the manner requested, you must take reasonable steps to give it in a way that meets both parties’ needs and give a written notice,” the Department of Health & Human Services guidance states.
Health Services boards must also take responsibility for breaches of the My Health Record platform.
“A ‘notifiable data breach’ refers to a data breach that meets the criteria set out under s 75(1) of the My Health Records Act, so that it must be reported to the relevant regulator. This includes:
- Unauthorised collection, use or disclosure of health information included in a healthcare recipient’s My Health Record;
- The event or circumstance has compromised the security or integrity of the system OR the event or circumstance may have compromised the security or integrity of the system (Health Services Guidance for Boards).
Given the prevalence of human error in causing data breaches, reasonable steps to data protection involve, first of all, making certain that staff is trained in cybersecurity procedures, and that there is regular monitoring of vulnerabilities. Updates and patches must be applied as soon as they are available. IT staff must be trained to track threat developments and to apply the required protections. A data breach response plan must be developed at the board level – the board is responsible for real-time notification of both authorities and the patients affected as soon as a breach is discovered.
Boards must obtain the right support
But it is not just IT staff who have to be aware of cybersecurity risks. All it takes is for an employee to leave a laptop unattended in a public place, and the very best cybersecurity defences cannot protect sensitive data. It is critical for boards to build a culture of cybersecurity throughout their organisations. It should start at the top, with the board itself, and then be implemented by managers at every level. The board should develop a detailed strategic plan for implementation.
Starting with the board itself, it’s important to ask the right questions. Boards should seek expert advice, whether from a board member with the requisite skills, or from a third-party consultant. Are the board agendas, minutes, reports and supporting documents safe against escalating online threats? Do board members have access to secure communications when talking, chatting or messaging. Can board members access board books and materials in a secure manner?
What happens when a board member loses a mobile phone? Is it protected, or can it be protected at a distance? Are board members communicating via secure means when they are travelling?
Diligent Governance Cloud offers the highest grade of security
Boards can protect themselves with Diligent’s secure board portal, which provides a tested and ready-made solution.
A world of governance and IT knowledge inform the security behind our Governance Cloud ecosystem, which include Diligent Boards, Diligent Messenger, Diligent Evaluations and Diligent Conflict-of-Interest modules. Data is hosted on secure servers and world-class infrastructure owned and operated by Diligent. As part of Governance Cloud, all Diligent solutions are ISO/IEC 27001 and TRUSTe-certified, with robust customisable encryption. If a device is lost or compromised, our remote wiping capabilities allow you to swiftly mitigate risk.
Diligent designed the Governance Cloud with the processes of board directors, executives, general counsels and corporate secretaries in mind. No other company offers such a comprehensive array of software tools that are cohesive and connected to fully meet the needs of today’s board directors.
The Governance Cloud, the only integrated enterprise governance management solution that enables organisations to achieve best-in-class governance, is an ecosystem of software tools that digitises the various activities and tasks for the board of directors. As organisations grow more complex and regulations more stringent, the scope of governance responsibilities evolves. The Governance Cloud allows boards of directors to meet the demands in the boardroom and beyond with the ability to select the products they need to help them perform their best and work within their allotted budgets.
April 16, 2021
Top Trends in Governance, Risk and Compliance for 2021
“You need a good [GRC] system. You need the right data. You need to share the data and take those organisational learnings.” -Zeke Ward, Founder, North Star Compliance Over the past year, companies across industries have navigated diversity, equity and inclusion issues, managed intensifying…
January 29, 2021
Business Continuity Strategy: Options, Best Practice Approaches and Examples
There’s no shortage of things to consider when you’re upgrading your business continuity strategy. For instance: What should your plan cover? What are the critical inputs to the business continuity strategy? What are the different approaches and solutions available? What should the recovery strategies look like within your business…
November 30, 2020
Experts agree: Governance is the best crisis strategy
Your best defence against a crisis is good governance. Whether it’s a global pandemic, a change in senior management or the complexities of running an international organisation, governance provides ‘handrails’ to keep your organisation upright and on-track. This consensus was the unanimous conclusion of the speakers at a recent Diligent…