About information security in general practice
Effective information security in general practice is not optional; it is a way of doing business. It is a continual process, rather than a one-off investment, that involves preventing inappropriate access, protecting sensitive information and preserving practice data. Patient or practice team data that is lost, stolen, or inappropriately used or accessed can have many negative consequences, including identity theft or privacy breaches, reputational damage, substantial fines and disruption of daily business activities, along with creating a significant emotional burden on all involved.
Patients and staff rely on your practice being proficient in safe and effective data management. This trust can only be maintained when information security is enacted as a business priority.
Information security spans several areas, including:
- information that is stored electronically or on paper within your practice
- information that is in transit to or from your practice
- checking and preserving information integrity
- being able to audit changes made to it
- protecting information from unauthorised access
- protecting information from loss
As the digital healthcare landscape in Australia continues to evolve, so do the cyber security risks for general practice and the healthcare sector more broadly. Technologies are rapidly innovating, including digitally supported modes of care and platforms. This creates complexity around the secure and appropriate sharing of data with other health professionals, patients and medical researchers.
‘With the collective global spend on cyber security projected to reach $433bn by 2030, the impact of cyber risk – be it reputational, financial or regulatory – must now be front of mind’1 for all practice owners. According to a recent report from the OAIC, health service providers consistently report the highest number of data breaches compared to other sectors in Australia.
OAIC report: Top industry sectors to notify data breaches (2021)2
Australian Government Office of the Australian Information Commissioner (2021). Notifiable Data Breaches Report. Accessed 5 August 2022.
The threat of cybercrime – inappropriate or unauthorised criminal access to practices’ electronic data – has grown significantly, both in frequency and seriousness. Following the onset of the COVID-19 pandemic in 2020, cybercrime increased by 600 percent, with phishing attacks soaring.3 General practices frequently faced new forms of malicious software such as ransomware and cleverly designed phishing attacks which, in some cases, led to their sensitive clinical and business data being exposed to the public.
Case study: Australian Red Cross Blood Service
‘In 2017, the Australian Red Cross Blood Service was compromised when a file containing information relating to 550,000 blood donors was publicly exposed. This was the result of human error by a third-party supplier. Their prompt response and honesty with affected individuals ensured continued trust after investigations were complete’4.
Leading risk – human error
The single leading potential risk in a general practice’s information security is an internal breach through human error or malicious intent.
Cyber-criminals are known to target smaller businesses, such as general practices, as their information security defences are more easily breached in contrast to larger businesses that often dedicate more resources to digital information security.
Your entire practice team has a responsibility to ensure cybersecurity measures are in place to protect your practice information systems from cybercrime and online threats. Each person in the practice needs to actively contribute to protecting the practice’s information systems.
Information security requires regular investment of time and financial resources. It is important to organise regular team information and training sessions to keep everyone up to date with the changing risk landscape, foster the protection of information assets and build confidence in business continuity when an incident inevitably arises.
It is important to create a culture of open disclosure and a clear process for prompt notification of any incident to practice management.
1 Leibel, A., & Pales, C. (2001). The Secure Board. Haberfield: Longueville Media Pty Ltd.
2 Australian Government Office of the Australian Information Commissioner. (2001). Notifiable Data Breaches Report. Retrieved from https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021
3 Leibel, A., & Pales, C. (2001). The Secure Board. Haberfield: Longueville Media Pty Ltd.
4 Leibel, A., & Pales, C. (2001). The Secure Board. Haberfield: Longueville Media Pty Ltd.