The Royal Australian College of General Practitioners reports that the threat of cybercrime – inappropriate or unauthorised criminal access to practices’ electronic data – is growing significantly. General practices frequently face new forms of malicious software and cleverly designed social engineering scams that can place your clinical and business data at risk. The single leading potential risk in a general practice’s information security is an internal breach through human error or malicious intent. Cyber-criminals are known to target smaller businesses, like general practices, as their information security defences are more easily breached in contrast to larger businesses that often dedicate more resources to digital information security.
In the 2017–18 Budget, the Australian Government announced that every person known to Medicare or the Department of Veterans’ Affairs (DVA) who has not already registered for a My Health Record will automatically have a record created for them unless they choose to opt-out. The opt-out period was then extended to 31 January 2019. Individuals can cancel their My Health Record at any time.
Increasingly, hackers are selling the information for profit on the black market. According to Reuters, buyers might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false insurance claim.
According to Experian, a patient's full medical records can sell for up to $1,000. By comparison, Government Identifiers and credit card information usually sell for $1 and up to $110, respectively.
According to Computerworld, One hacker, who went by "thedarkeroverlord," was selling 655,000 medical records stolen from three health care organizations for almost $700,000 on the darknet.
Healthcare provider organisations are required to have a My Health Record Security and Access policy, to meet requirements outlined in the My Health Records Rule 2016 (Rule 42). The policy must be communicated to, accessible by, and enforced with, employees and other relevant parties. The policy must also be kept up to date by reviewing it, at least annually, or when any material new or changed risks are identified.
Additionally The Royal Australian College of General Practitioners recommends that in their Information Security in general practice guide that your practice should develop a policy specifying who has administration rights and access to specific systems. These guides are not additional obligations for GP's but instead aimed to assist you to meet your legal obligations for information security and the requirements necessary for accreditation against The Royal Australian College of General Practitioners (RACGP) Standards for general practices_ (5th edition).
Your practice should document all policies and procedures for managing information security. A policy and procedures manual provides information and guidance to your practice team on the protocols used in managing your information systems. This manual is used to clarify roles and responsibilities, and to facilitate induction of new practice team members.
The Royal Australian College of General Practitioners recommends that to be effective policies should be:
Policies should include:
Undergoing a regular assessment of your security controls will be critical to ensuring you maintain the rules set out by your policies.
You cannot properly control access unless to understand what assets you are control access for.
Your practice asset register should include details of the following:
If you want to keep all your assets recorded in a central location use a cloud based asset register that allows you to manage risk associated with each asset.
A role based access model is critical in ensuring you provide appropriate access to the right people within your business.
To maintain appropriate access over time your practice should conduct regular user access reviews and have a process to support onboarding of administrative and clinical staff.
Reporting a clinical incident or issue - A clinical incident may relate to the My Health Record system or content directly, or the behaviour of clinical software when interacting with the My Health Record system.
Data breach notification - The characteristics of a breach of health and personal information relating to the My Health Record system are outlined in the My Health Records Act 2012. According to this Act, a data breach involves:
The unauthorised collection, use or disclosure of health information in an individual’s My Health Record; or
A situation where:
a) an event that has, or may have, occurred or
b) any circumstances have, or may have, arisen that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act 2012).
The information you need to provide (at a minimum) regarding the actual or potential data breach is outlined in the checklist below:
A patient’s shared health summary (e.g. diagnoses, current medications, immunisations, allergies and adverse reactions)
There are also a number of ways you can view a patient’s test result history, including: