Understanding Patient Privacy and Data Breach Risk

Health professionals face unique challenges in efficiently and effectively communicating around clinical care. Few other industries have as much at stake as a patient’s health and wellbeing. Protecting patient privacy whilst efficiently communicating patient care is one of the fundamental tenets of optimal patient care.

Human error and inadvertent data breach

In Australia, the healthcare industry continues to top the list of industries reporting data breaches to the OAIC under the recently established Mandatory Data Breach scheme (Fig 1).  You can read the full quarterly report from the OAIC across all industries here.

The situation in Australia mirrors that seen elsewhere globally. According to the Ponemon Institute Research Report, the healthcare industry has four times the number of security breaches than other industries (Source: IBM Ponemon Institute Research Report).

When did you last send an email to the wrong recipient?

Healthcare continues to rely on legacy communication technologies such as fax, email and traditional mail.

Notably, Healthcare differs from other sectors reporting to the OAIC, in that human error accounts for the majority of data breaches reported, accounting for 57% of all reported breaches. The most common type of human error event reported across all industries involved sending personal information to the wrong recipient by email.

Cyber incidents (68%) are the next most common cause of breach followed by insider threats (e.g. rogue employee) (11%), and theft/loss of data storage device (9%).  

Therefore while cyberthreats are real, it seems the ‘biggest bang for buck’ opportunity to reduce inadvertent data breach in healthcare would be to reduce human error events attributed to legacy solutions such as email, mail and fax.

What are the common types of cyber threats affecting healthcare?

Ransomware is software that gains access and locks down vital data. Typically files and systems are locked down and a ‘ransom’ fee is demanded often in the form of cryptocurrency.

Malware is any program is a program that harmfully probes systems -be it a server, client, computer or network.

Phishing involves sending fraudulent emails with the goal of deceiving recipients into downloading an infected attachment or clicking on a malicious link usually with the goal of stealing confidential information.

Denial of Service (DoS) attacks are cyber-attacks where the perpetrator seeks to make a machine or system resource unavailable to users by disrupting servers.

According to the OIAC, the most common cyber incidents affecting healthcare business are compromised/stolen credentials (25%), phishing (25%) ransomware (17%), and hacking (14%).

What could a data breach cost you and your organisation?

There are both financial and reputational costs incurred by a data breach.  Direct costs include legal and IT costs, ransom demands and regulatory penalties as a consequence of data breach. Indirect costs such as business interruption, reduced employee productivity and increased customer turnover.

Globally, Healthcare is the most expensive industry for a data breach with an estimated cost per event at $7.13 million USD (Source: IBM).

In Australia, under the Mandatory Data Breach scheme, entities have an obligation to report breaches that are likely to result in serious harm to individuals whose personal information is involved in the breach.

The OAIC can impose harsh penalties for individuals and organisations operating under the Australian Privacy Act (1988) who fail to report data breaches: 

• Organisations up to $2.1 million AUD
• Individuals up to $420, 000

Clearly, health providers are exposed to a huge asymmetric risk if they fail to take sufficient measures to reduce risk. The costs of managing a breach are high compared to the costs required to prevent or reduce the risk of a breach occurring.

How can I reduce the risk of an inadvertent data breach?

As human error is the major source of data breach in healthcare, it should be one of the easiest data breaches to rectify.  Organisations must focus on people, process and technology solutions to reduce the risk of breach.

People 

Employees require regular training on basic account security, protecting their devices and identifying email threats.

Process

Organisations should have a data breach response plan which addresses how to reduce the risk of data breach and respond to incidents. Entities should clearly understand what data they hold and how a breach affects their patients.

Technology 

Organisations should prioritise investment in systems that improve overall security.

What is Foxo’s position on Privacy?

At Foxo, data security and patient privacy are core priorities. Connecting health professionals and streamlining patient care should be done responsibly and securely in an environment focused on patient safety, transparency, accountability and ethical information sharing.

To view our privacy policy click here.  If you have further questions on our privacy and security you can contact our data protection officer at security@foxo.com.

To learn more about Foxo, contact us here or at hello@foxo.com.

Sign up for free at app.foxo.com or visit the App Store or Google Play.