It’s been about a year since the Notifiable Data Breach scheme came into effect, legally obligating Practice and Clinic owners to report unauthorised disclosure of patient information that has created a significant risk of harm.
Although it was initially “feared” as something that would take up more time, between February and December last year the OAIC received only 163 breach notifications from the Health Sector; about one every “working” day.
Given that the number of medical and allied health practices runs into the thousands in Australia, most of you escaped “unscathed”.
Despite this, the Health sector reported the highest number of breaches, most of which were the result of human error:
- 15% were due to an email being sent to the wrong person;
- 13% were a failure to use BCC when emailing a group of recipients; and
- 15% were due to loss or theft of paperwork or a USB.
These are minor “errors” that could be mitigated with a checklist or process in place.
Some may argue that accidentally emailing the wrong person may not amount to much damage. In a medical setting, however, where sensitive data is often shared, this is potentially not the case.
All in all, while there were initially some concerns that expensive system updates would be required to stop cyber-attacks, for most of you the best way to safeguard patient information is to have a set of procedures in place for sending emails: a much simpler and less costly fix.
Does your clinic have an email procedure for sending patient information?
Some simple steps you could consider implementing include:
- Disable auto-complete for the address line.
- Enable deferred sending. This gives the sender time to double-check who the email is going to.
- Have sensitive emails cross-checked by someone else before they are sent.
- Set a “blanket rule” that emails are not forwarded, especially to outside work email accounts.
- Encrypt sensitive information with a password before it is sent.
- Let the recipient know via the subject line that the email contains confidential information.
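The checklist above turned into a pre-send check that a practice could run over a draft before it leaves the clinic, as an added example that is not part of the original post; the practice domain, the subject-line tag and the Draft fields are assumed for illustration.

```python
# Added example (not from the original post): apply the email procedures above
# to a draft message and return the warnings a sender should resolve first.
from dataclasses import dataclass, field

PRACTICE_DOMAIN = "example-clinic.com.au"   # assumed: the clinic's own mail domain
CONFIDENTIAL_TAG = "[CONFIDENTIAL]"         # assumed: subject marker the clinic agrees on


@dataclass
class Draft:
    """Assumed minimal shape of a draft containing patient information."""
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    subject: str = ""
    has_attachment: bool = False
    attachment_encrypted: bool = False


def _domain(addr: str) -> str:
    # Anything without an "@" falls through as its own "domain" and is treated as external.
    return addr.rsplit("@", 1)[-1].lower()


def check_draft(draft: Draft) -> list:
    """Return human-readable warnings; an empty list means the draft passes the checklist."""
    warnings = []
    visible = draft.to + draft.cc
    external = [a for a in visible + draft.bcc if _domain(a) != PRACTICE_DOMAIN]
    # Group mail-outs must hide recipients from each other (the "failure to use BCC" error).
    if len(visible) > 1:
        warnings.append(f"{len(visible)} visible recipients: use BCC for group emails")
    # Mail leaving the practice gets a second look (the "wrong recipient" error).
    if external:
        warnings.append("external recipient(s): " + ", ".join(external) + " - confirm before sending")
    # Recipients are told up front that the content is confidential.
    if CONFIDENTIAL_TAG not in draft.subject:
        warnings.append(f"subject lacks the {CONFIDENTIAL_TAG} marker")
    # Sensitive attachments are password-protected before they are sent.
    if draft.has_attachment and not draft.attachment_encrypted:
        warnings.append("attachment is not password-protected")
    return warnings
```

Wiring this into deferred sending (hold the message until the list is empty) gives the sender the double-check window the procedure describes.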
You can find the statistics from the Office of the Australian Information Commissioner here.