Is Your Practice Cybersafe?

PART TWO

With Australian businesses under increasing threat online, we examine the particular risk posed to health providers.

Cybercrime has increased by nearly 13% in the past year, with one incident reported to the Australian Cyber Security Centre every eight minutes. A new report shows that more than 67,500 cybercrimes were reported in the last financial year after criminals targeted vulnerable people and – significantly – health services. Reports of ransomware – software designed to block access to computer systems until a ransom is paid – increased almost 15% from last year.

Igor Pavic, Director of Office Solutions IT, says the most common weak spots that put businesses at risk of cybersecurity breaches include:

Weak passwords

“Weak passwords are one of the most common culprits of cybersecurity breaches,” Igor says. “A weak password makes not only yourself but also your business an open welcome mat for a data breach.”

Outdated software applications

“We know updating software can be a bit of a hassle, especially if you still find the current version fine,” Igor says. “But these updates are necessary to install any patches and make your confidential data more secure. That’s why your systems must always be updated to their current versions to minimise risk.”

People

“Aside from weak passwords, employees are usually the ones putting businesses at risk of cybersecurity breaches,” Igor says. “These breaches can mostly happen due to honest mistakes, no awareness of phishing tactics, and everything else in between.”

Reducing your risk

Introduce a policy of least privilege, specifically around Personally Identifiable Information (PII), recommends Adam Gordon, ANZ Country Manager at Varonis. “Dental practices store a lot of personal information such as patient data. They also hold credit card details on their IT systems, and it is their responsibility to keep this information safe,” he explains. “There are strong regulations in place to protect this data, and dentists need to ensure compliance or risk paying hefty penalties. To maintain compliance, practitioners should introduce a policy of least privilege, which ensures staff are only given access to the information they need to do their jobs. This lessens the risk of an external hacker or even an insider exposing sensitive information.

“Do remote team members such as IT contractors need access to the entire network, which includes sensitive patient files and credit card details? Absolutely not. By reducing accessibility to these highly sensitive files, dentists reduce their risk of a cybersecurity breach, enabling them to avoid the significant fines associated with the exposure of PII.”

Keep ‘smart’ dental technology on a separate network from the one that holds your sensitive patient files

“Dentistry has come a long way since the turn of the century,” Adam says. “However, the downside is that these internet-connected devices open dental practices up to cyber-attack. The same devices that make the patient experience more pleasant, also give hackers new attack routes. Any device connected to the internet, even the most unassuming ones like printers or scanners, can give hackers access to a dentist’s wider IT system. By keeping these devices on a separate internet network, away from the rest of your network which carries your sensitive patient information, dentists can limit the amount of damage done if they experience a breach.”

Undertake a cybersecurity audit

“Dental practices should work with a cybersecurity company to understand exactly where their most sensitive files are, and create a map of their entire IT network,” Adam recommends. “How many places are these sensitive files stored, who is accessing them, and from what locations? What protocols are in place to secure this data and prevent a data breach? These are key questions that all dentists must ask, in order to secure their sensitive data.”
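An added example of the mapping exercise Adam describes, written for this page and not taken from the article or from Varonis: a small Python scan that walks a file share, picks out files containing Australian Medicare numbers or payment card numbers, validates each candidate with its checksum so that phone numbers and invoice references are not reported, and records where each file sits, which account owns it and whether any local user can read it. The directory tree, its file names and the numbers in it are constructed for the demonstration (4111 1111 1111 1111 is a standard Luhn-valid test card number and 2123 45670 1 passes the Medicare check digit); the readability flag is taken from Unix mode bits, so it is meaningful on Linux or macOS, not on a Windows share.

```python
"""Sensitive-data discovery scan: map where patient identifiers and card
numbers live on a file share and who can read them (added example)."""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# Candidate patterns. Each hit is confirmed with a checksum below so that
# phone numbers, invoice references and similar digit runs are not reported.
MEDICARE_RE = re.compile(r"(?<!\d)[2-6]\d{3} ?\d{5} ?\d(?!\d)")   # 10 digits, first digit 2-6
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")          # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def medicare_ok(digits: str) -> bool:
    """Medicare card number check digit: the weighted sum of the first eight
    digits (weights 1,3,7,9,1,3,7,9) mod 10 must equal the ninth digit.
    The tenth digit is the card issue number and is not checked."""
    if len(digits) != 10:
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9)
    total = sum(int(d) * w for d, w in zip(digits[:8], weights))
    return total % 10 == int(digits[8])


DETECTORS = (
    ("medicare_number", MEDICARE_RE, medicare_ok),
    ("payment_card", CARD_RE, luhn_ok),
)


def scan(root: Path) -> list[dict]:
    """Walk `root` and return one finding per (file, data kind), with the
    file's owner uid and whether its mode bits let any local user read it."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue                        # binary or unreadable; a real audit would log these
        st = path.stat()
        for kind, pattern, check in DETECTORS:
            hits = [m.group() for m in pattern.finditer(text)
                    if check(re.sub(r"\D", "", m.group()))]
            if hits:
                findings.append({
                    "path": str(path.relative_to(root)),
                    "kind": kind,
                    "count": len(hits),
                    "owner_uid": st.st_uid,
                    "world_readable": bool(st.st_mode & stat.S_IROTH),
                })
    return findings


def summarise(findings: list[dict]) -> dict:
    """Per data kind: how many files, in how many directories, and how many
    of those files any local account could read."""
    summary: dict[str, dict] = {}
    for f in findings:
        s = summary.setdefault(f["kind"], {"files": 0, "dirs": set(), "world_readable": 0})
        s["files"] += 1
        s["dirs"].add(os.path.dirname(f["path"]))
        s["world_readable"] += int(f["world_readable"])
    return {k: {"files": v["files"], "dirs": len(v["dirs"]),
                "world_readable": v["world_readable"]} for k, v in summary.items()}


def build_sample_tree() -> Path:
    """Constructed sample share for the demonstration (hypothetical files;
    the numbers are well-known test values, not real identifiers)."""
    root = Path(tempfile.mkdtemp(prefix="practice-share-"))
    files = {
        "clinical/notes.txt": "Patient J. Citizen, Medicare 2123 45670 1, recall in 6 months.\n",
        "front-desk/export.csv": "name,medicare\nJ. Citizen,2123456701\n",
        "billing/cards.csv": "name,card\nJ. Citizen,4111 1111 1111 1111\n",
        "marketing/flyer.txt": "Call 0412 345 678 or quote ref 1234 5678 9012 3456.\n",
    }
    modes = {"clinical/notes.txt": 0o600, "front-desk/export.csv": 0o644,
             "billing/cards.csv": 0o644, "marketing/flyer.txt": 0o644}
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
        p.chmod(modes[rel])
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    results = scan(share)
    for f in results:
        flag = "WORLD-READABLE" if f["world_readable"] else "owner-only"
        print(f"{f['path']:<24} {f['kind']:<16} x{f['count']}  uid={f['owner_uid']}  {flag}")
    print(summarise(results))
```

Run as a script it prints the map for the sample share: the flyer's phone number and reference number are ignored because they fail the checksums, while the front-desk export and the billing spreadsheet are flagged as readable by any local account. In a real audit you would point scan() at each file server, practice-management export folder and backup location in turn, and the resulting list of locations and readers is the starting point for the least-privilege review described above.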

Is your practice under threat?

If your practice has been targeted, Dr David Glance, Director of the UWA Centre for Software and Security Practice, recommends contacting your IT provider in order to investigate and restore the systems. “This may involve a specialist company as there is no point restoring a system if you are restoring the malware at the same time,” he adds.

Legal advice

Enore Panetta, Managing Director of Panetta McGrath Lawyers, says dental practices have legal obligations to protect their patients’ health information, and that establishing and maintaining information security practices is an essential legal requirement. “The Privacy Act outlines the privacy responsibilities that most dental practices have to comply with in managing health and personal information,” he says. “All reasonable steps must be taken to protect the security of patient records.

“Patient records must be stored in a manner that preserves the confidentiality of the patient, and protects against misuse, interference and loss, unauthorised access, modification or disclosure,” he adds. “To ensure that electronic patient records are kept safe from damage, loss or theft, they should be password protected, passwords changed on a regular basis, backed up regularly and backed up offsite. You should use antivirus software, keep your portable devices safe and secure and encrypt your files where possible.”

If a dental practice is targeted by a cyber-attack, and records are accessed or compromised, Enore says a dental practice must notify the Australian Information Commissioner of a notifiable data breach, as well as notify the affected individuals. “Where there has been unauthorised access or disclosure of personal information through a cyber security attack, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates, then it must be reported,” he explains. “Where the dental practice has reasonable grounds to believe that there may have been a notifiable data breach, the entity must carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to a notifiable data breach, and must take all reasonable steps to ensure that the assessment is completed within 30 days.

“If there has been a notifiable data breach, the dental practice must prepare a statement and give a copy to the Australian Information Commissioner as soon as practicable after the entity becomes aware of the notifiable data breach. The statement must:

• identify the entity and provide contact details;
• provide a description of the eligible data breach that the entity has reasonable grounds to believe has happened;
• identify the kind of information concerned; and
• provide recommendations about the steps that individuals should take in response to the eligible data breach.

“This statement must also be provided to the individuals to whom the personal information relates or those at risk of having their personal information disclosed, if it is practicable to do so.”

Enore adds that where the dental practice cannot notify each individual, it must publish the statement on its website or otherwise take reasonable steps to publicise the contents of the statement: Privacy Act 1988 (Cth), s 26WL(2). “Note, if the dental practice uses the My Health Record, and becomes aware of an unauthorised collection, use or disclosure of health information or that the system may have been compromised, then they must notify the Australian Digital Health Agency as soon as practicable. If the dental practice does not, they will be liable for a civil penalty,” he says.

The dental practice must:

• as far as is reasonably practicable, contain the data breach;
• evaluate any risks; and
• notify all individuals affected by the data breach, or ask the Australian Digital Health Agency to notify all the affected individuals.
