The Office of the Australian Information Commissioner’s (OAIC’s) Notifiable Data Breaches Report for July to December 2019 shows health service providers continue to report more data breaches to the OAIC than any other sector.
Following the release of the OAIC’s Guide to health privacy, they’ve published a four-step action plan specifically aimed at the health sector to help them contain and manage data breaches, including those involving the My Health Record system.
The four steps are:
1. Contain — Take immediate steps to limit further access to, or distribution of, the affected information and to reduce the possible compromise of other information. Activate your organisation’s data breach response plan, and seek professional assistance if required.
2. Evaluate — Consider whether the data breach involves personal information and is likely to result in serious harm to any individuals (such as physical, psychological, emotional, financial or reputational harm). Can remedial action remove the likelihood of serious harm? Note that all data breaches related to the My Health Record system must be reported!
3. Notify — When a data breach relates to the My Health Record system, organisations must notify the Australian Digital Health Agency as soon as practicable. In most cases you will also need to ask the Agency to contact affected individuals. Organisations must also notify the OAIC as soon as practicable. Public hospitals and health services are only required to notify the Australian Digital Health Agency.
4. Review — Thoroughly investigate the cause of the breach. Develop a prevention and response plan and conduct audits to ensure the plan is implemented. Review and strengthen security practices, consider changing organisational policies and procedures for maintaining data, and revise staff training practices.
The resource has been developed in partnership with the Australian Digital Health Agency, Australian Cyber Security Centre and Services Australia and is available here.
If your organisation does not have a Data Breach Action Plan, you can use the OAIC’s Action Plan to help guide the development of a bespoke plan for your organisation. Please keep in mind that you may have other reporting obligations depending on your industry and sector.
If your organisation already has a Data Breach Action Plan, check it against the OACI’s Action Plan to ensure it addresses all four steps in sufficient detail.
Whether you have a plan or need to develop one, you should also test it (as you would a Business Continuity Plan).
Of course (given that we’re talking about the health sector) prevention is better than cure. Organisations should also take the opportunity to review their data breach prevention measures to help prevent them occurring in the first place. Although technology plays a considerable role, it is not a silver bullet. Consider your non technical controls (such as policies, staff education, whistleblower processes etc) as well as technology based controls.