Managing privacy in a healthcare setting was once limited to providers and staff keeping records out of the public's sight and refraining from discussing patients with anyone not directly involved in their care. However, the technology and software applications now used in healthcare practices have increased the risk of privacy breaches.
Privacy in Healthcare is More Than Patient Information
Healthcare privacy is not restricted to patient information. Personal and corporate data are also covered by the privacy legislation. This includes employee details, budgets, marketing plans and any details you hold about other providers within the organisation, whether in electronic or hard-copy form.
Privacy legislation applies not only to the practice owner but also to the individual responsible for the breach. If you use email, collect details via a practice website, or operate an open Wi-Fi connection, an EFTPOS terminal or a portable device, then you are at risk of a data breach.
What are the Risks Posed by Cyber Criminals?
Health records are highly attractive to cyber criminals because of the personally identifying information they contain. Much of that content is ideal for identity theft, ransom or extortion, and financial fraud. The same is true of employee records. Did you know that on the “black market” a medical record has a value of $20 per record, versus $1 per record for credit card details?
Any breach or misuse of this information could see the holder of the information held responsible for legislative fines, imposed monitoring costs or civil penalties. These fines are not trivial – they range from $340,000 for an individual (which also applies to staff) to $1.7 million for companies or organisations. This is independent of any civil action that may be taken by the party whose information has been breached.
Calculating the True Cost of a Data Breach
Financially, a data breach is very expensive. Let’s do an exercise.
Get out your phone and open the calculator. Enter the approximate number of patient and employee records on your system and multiply that number by $150. This is the approximate cost per record to investigate a breach, and the longer the investigation takes, the more it costs.
Add the cost of notifying affected persons and the forensic IT investigation fees needed to establish whose information, and what type of information, has been accessed, and the cost quickly mounts up.
But there are also hidden costs – loss of reputation
According to Symantec’s 2011 study “Cost of a Data Breach”, 85% of people who entrusted their personal details to an organisation that then suffered a breach, lost their data or had it stolen said they would never deal with that organisation again.
Steps to Manage your Risk
Of course, there are strategies and processes you can implement in your practice to mitigate the risk of a data breach.
We’ve outlined some of the most important steps below:
- Ensure your Practice Manager knows the relevant legislation that impacts your organisation.
- Put best-practice strategies in place, educate staff in your ‘cyber, internet and social media’ policies and make them accountable. There is a massive amount of information on the Internet about how to protect your organisation.
- Cyber and computer crime insurance should be a key consideration for all practices. Traditional insurance policies do not cover ‘data breaches’. Given that these premiums start from as little as $1000, and that multiplying $150 by the number of records you hold gives the potential investigation cost alone, this is a nominal investment.
- Treat backup tapes, hard drives and other mobile data sources with extreme care. Implement a tracking system so that a missing item can be identified.
- Refrain from taking pictures of sensitive information on mobile devices and emailing them unless you are using encryption software.
- Make sure your cloud data is stored within Australia. As soon as data is stored or accessed offshore it has entered an environment over which you have no control, and Australian laws cannot protect you.
- Unfortunately, under the new privacy legislation it is the physician’s responsibility to manage compliance; however, you can work with virtual practice managers who take on the role of managing your compliance with the legislation and deliver