Written by Dr David Chatterton.
A recent survey by Accenture showed that 89% of Australian consumers believe the security of their digital healthcare data is important, yet 16% have experienced a breach of their healthcare data. In response, 30% of consumers who experienced a breach switched to another healthcare provider.
As more and more health information is digitised, healthcare providers must understand their role and responsibility in managing and protecting patient data. Failing to do so can harm patients, result in financial penalties and damage the reputation of your business.
The survey also found that, among Australian consumers who had experienced a breach, the second most common place for it to occur was a pharmacy (28%). This highlights the need for pharmacies to balance the operational requirement for patient information to be readily available with the requirement to protect that information from unauthorised disclosure.
Now that the Australian Government’s mandatory data breach reporting laws (the Notifiable Data Breaches scheme under the Privacy Act 1988) have come into effect, including penalties for company directors, pharmacies need to apply a security mindset to staff training, processes and technology, and have a plan in place for handling a data breach.
Just as someone living in a bushfire-prone region would have a bushfire plan in case a fire comes their way, you should have a plan in case you suffer a data breach. How you manage the incident goes a long way towards limiting its impact and restoring the trust of your customers.
What constitutes a breach?
A breach has occurred when all of the following apply:
- You have reasonable grounds to believe that personal information has been accessed by or disclosed to an unauthorised third party (someone with no agreement with you or the individual(s) concerned), has been used inappropriately by an authorised party, or has been lost in circumstances where such access or disclosure is likely (for example, a lost laptop or USB drive holding patient records),
- It does not matter whether that exposure was malicious or accidental,
- The exposure is likely to result in serious harm to the affected people, such as financial fraud, discrimination or reputational harm, and you have not been able to prevent that harm through remedial action taken in time, and
- The information is not already in the public domain.
Therefore, unauthorised access to a patient’s identity and their health information is likely to meet the criteria of a breach.
A data breach plan
Your data breach plan should cover four steps:
- Contain: take immediate action to stop the exposure and prevent further damage, for example by revoking compromised credentials or isolating an affected system, while preserving the logs and records you will need to work out what happened.
- Assess: establish what occurred, what information was exposed, how many people are affected and whether serious harm is likely. Under the Notifiable Data Breaches scheme this assessment must be completed within 30 days of becoming aware of a suspected breach.
- Notify: if the breach is likely to result in serious harm, notify the affected people and the Office of the Australian Information Commissioner as soon as practicable, describing what happened, what kinds of information were involved and what those affected should do to protect themselves.
- Review: take the preventative steps needed to stop the same breach happening again, and update your plan with what you learned.
Read our next post: Best Practices for Managing and Preventing Security Breaches