
Simone Brew, Principal and Gigi Au, Senior Associate of Matthews Folbigg Lawyers

It is undeniable that cyber-attacks are currently one of the biggest threats to the healthcare industry. You only need to look as far as the latest headlines that set out the unsettling details of data breaches affecting even the biggest businesses in the industry, such as Medibank and MediSecure. What is it about the healthcare industry that makes it a prime target for cybercriminals and what can be done to mitigate the risks?

The Threat Landscape

In the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Report, it was revealed that from January to June 2024 the OAIC received 527 data breach notifications. This is the highest number of notifications since the spike seen in 2020 due to COVID-19. The healthcare industry recorded the most breach notifications, with a total of 102 notifications over six months. Of these 102 notifications, 66 reported a malicious or criminal attack as the source of the data breach.

The healthcare industry by its very nature is desirable for a cybercriminal because of:

  • the access to and storage of individuals’ health and personal information;
  • its intellectual property on current and emerging technology and research;
  • the criticality of health services and the need to restore systems quickly; and
  • a reliance on public trust and reputation.

As health devices and systems become increasingly digitised, the healthcare industry must be prepared for a growing number of avenues for breaches and must understand its reporting obligations.

Obligations

Under section 75 of the My Health Records Act 2012 (Cth), it is mandatory for specific entities within the healthcare industry to report a data breach involving the My Health Record System (a system used to record important patient health information) to the OAIC and to the Australian Digital Health Agency. This obligation applies to the following entities:

  • the Australian Digital Health Agency;
  • registered healthcare provider organisations;
  • registered repository operators;
  • registered portal operators; and
  • registered contracted service providers.

Further obligations arise from the Privacy Act 1988 (Cth) (the Act), which sets out thirteen Australian Privacy Principles (APPs). Health organisations, as APP entities, must comply with the APPs. Under Part IIIC of the Act, health organisations have an obligation to notify an individual of a data breach if the access to or disclosure of the information would result in serious harm to the individual affected, which is likely given the sensitivity of medical and health information. Additionally, under APP 11, health organisations have an obligation to take reasonable steps to protect an individual’s personal information “from misuse, interference and loss” and from “unauthorised access, modification or disclosure”. APP 11 also requires health organisations to destroy individuals’ personal information once the organisation no longer needs it and is not required to keep it under an Australian law or court order.

It is important to be aware that failing to comply with the relevant obligations can give rise to penalties or even legal proceedings. After Medibank’s cyber-attack in October 2022, in which personal information was accessed and published on the dark web, the OAIC began investigating Medibank’s management and protection of that information. The Information Commissioner has alleged that Medibank “seriously interfered with the privacy of 9.7 million” individuals by failing to take reasonable steps to secure their information. The Information Commissioner has commenced proceedings in the Federal Court for an alleged breach of the Act, where Medibank could be liable for a civil penalty of up to $2,220,000 under section 13G if a breach is proven.

Steps to Mitigate the Risk

Following the noticeable increase in cyber threats, the Australian Digital Health Agency released a list of practical steps that should be taken by healthcare organisations to protect themselves. These steps include:

  1. familiarising yourself with and training staff on cyber threats;
  2. keeping software up to date and ensuring all software installed is approved and verified;
  3. using strong passwords and multi-factor authentication;
  4. backing up data regularly;
  5. being diligent and never responding to phishing communications (and ensuring staff do the same); and
  6. not paying a ransom if victim to a ransomware attack.

Given the nature of information held by healthcare organisations, it is essential that adequate steps are taken to mitigate risks and respond to a breach appropriately.

It is important to seek advice from a lawyer, as it can be difficult to implement cyber risk strategies and to understand what obligations may arise should a breach occur.

Matthews Folbigg Lawyers has a specialist team dedicated to Cyber Security.

If you would like more information or advice in relation to cyber security, contact Simone Brew at simoneb@matthewsfolbigg.com.au or Gigi Au at gigia@matthewsfolbigg.com.au of Matthews Folbigg Cyber Security Group.